Restore quarantined ClamWin files
Anyone who uses the usually reliable ClamWin virus scanner may have noticed that poor ClamWin threw a bit of a wobbly this week. Our last scan of the office server threw up 657 infected files, some of them belonging to ClamWin itself! Here's a snippet from the log file:
C:\Program Files\ClamWin\bin\clamscan.exe: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\clamscan.exe: moved to 'C:\Program Files\ClamWin\infected\clamscan.exe.infected'
C:\Program Files\ClamWin\bin\ClamTray.exe: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\ClamTray.exe: moved to 'C:\Program Files\ClamWin\infected\ClamTray.exe.infected'
Those 657 files were renamed by ClamWin and moved to the quarantine folder. Oh dear.
It turns out this was caused by a mismatch between the virus database produced by the ClamAV team and the scanning software supplied by the ClamWin team (more details here).
So, important question - how to rename those files and restore them to where they belong? Well, hopefully you keep a log file of your ClamWin scans, and if you do, the C# code below will parse the log file and copy the files back to whence they came (if you're not a fan of C#, this code can be pretty easily adapted to most other languages).
using System.IO;
string fileMovedString = ": moved to '";
string logFile = @"C:\ClamWin.log";
string line;
// Parse the log file, renaming quarantined files and restoring
// them to their original location.
using (StreamReader reader = new StreamReader(logFile))
{
    while ((line = reader.ReadLine()) != null)
    {
        // Skip lines that do not record a quarantine move
        int index = line.IndexOf(fileMovedString);
        if (index < 0) continue;
        string originalPath = line.Remove(index);
        string quarantinedPath = line.Substring(index + fileMovedString.Length);
        // Remove the trailing "'" from the quarantined path
        quarantinedPath = quarantinedPath.Remove(quarantinedPath.Length - 1);
        // Copy the file back to where it came from (does not overwrite)
        File.Copy(quarantinedPath, originalPath);
    }
}
This worked a treat on our server, but as with any other code you find on the internet, USE AT YOUR OWN RISK!
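The C# above restores every file the log records as moved, which would include any genuine detection caught in the same scan. The following is an added example, not the author's code: a Python adaptation that restores only files flagged with one named signature (the one in the log excerpt) and never overwrites an existing file. The function names, the last two sample log lines and the premise that every false positive carries that one signature are assumptions of this example.

```python
import os
import shutil

FOUND_SUFFIX = " FOUND"
MOVED_MARKER = ": moved to '"

# First four lines are the page's log excerpt; the last two are constructed
# (hypothetical path and signature) to stand in for a genuine detection.
SAMPLE_LOG = [
    r"C:\Program Files\ClamWin\bin\clamscan.exe: Heuristic.Trojan.SusPacked.TMS FOUND",
    r"C:\Program Files\ClamWin\bin\clamscan.exe: moved to 'C:\Program Files\ClamWin\infected\clamscan.exe.infected'",
    r"C:\Program Files\ClamWin\bin\ClamTray.exe: Heuristic.Trojan.SusPacked.TMS FOUND",
    r"C:\Program Files\ClamWin\bin\ClamTray.exe: moved to 'C:\Program Files\ClamWin\infected\ClamTray.exe.infected'",
    r"C:\Temp\constructed.exe: Constructed.Example.Signature FOUND",
    r"C:\Temp\constructed.exe: moved to 'C:\Program Files\ClamWin\infected\constructed.exe.infected'",
]

def plan_restores(log_lines, signature):
    """Return (quarantined, original) pairs for files flagged with `signature`."""
    detections = {}  # original path -> signature taken from its "FOUND" line
    plan = []
    for raw in log_lines:
        line = raw.rstrip("\r\n")
        if line.endswith(FOUND_SUFFIX):
            # "<path>: <signature> FOUND"; split on the last ": " because
            # Windows paths already contain a colon after the drive letter.
            path, _, sig = line[:-len(FOUND_SUFFIX)].rpartition(": ")
            detections[path] = sig
        elif MOVED_MARKER in line and line.endswith("'"):
            original, _, quarantined = line.partition(MOVED_MARKER)
            quarantined = quarantined[:-1]  # drop the trailing quote
            if detections.get(original) == signature:
                plan.append((quarantined, original))
    return plan

def restore(plan, dry_run=True):
    """Copy quarantined files back; skip missing sources and existing targets."""
    restored = []
    for quarantined, original in plan:
        if os.path.exists(original) or not os.path.isfile(quarantined):
            continue
        if not dry_run:
            shutil.copy2(quarantined, original)
        restored.append(original)
    return restored

if __name__ == "__main__":
    for src, dst in plan_restores(SAMPLE_LOG, "Heuristic.Trojan.SusPacked.TMS"):
        print(src, "->", dst)
```

Run `restore(plan)` with the default `dry_run=True` first and review the returned list before copying anything back.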