Restore quarantined ClamWin files


Anyone who uses the usually reliable ClamWin virus scanner may have noticed that poor ClamWin threw a bit of a wobbly this week. Our last scan of the office server threw up 657 infected files, some of which belonging to ClamWin itself! Here's a snippet from the log file:

C:\Program Files\ClamWin\bin\clamscan.exe: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\clamscan.exe: moved to 'C:\Program Files\ClamWin\infected\clamscan.exe.infected'
C:\Program Files\ClamWin\bin\ClamTray.exe: Heuristic.Trojan.SusPacked.TMS FOUND
C:\Program Files\ClamWin\bin\ClamTray.exe: moved to 'C:\Program Files\ClamWin\infected\ClamTray.exe.infected'

Those 657 files were renamed by ClamWin and moved to the quarantine folder. Oh dear.

It turns out this was caused by a mismatch between the virus database produced by the ClamAV team and the scanning software supplied by the ClamWin team (more details here).

So, important question - how to rename those files and restore them to where they belong? Well, hopefully you keep a log file of your ClamWin scans, and if you do, the C# code below will parse the log file and copy the files back to whence they came (if you're not a fan of C#, this code can be pretty easily adapted to most other languages).

string fileMovedString = ": moved to '";
string logFile = @"C:\ClamWin.log";

// Parse the log file, renaming quarantined files and restoring
// them to their original location.

using(StreamReader reader = new StreamReader(logFile))
string line;

while((line = reader.ReadLine()) != null)
string originalPath = line.Remove(line.IndexOf(fileMovedString));
string quarantinedPath = line.Substring(line.IndexOf(fileMovedString) + fileMovedString.Length);

// Remove the trailing "'" from the quarantined path

quarantinedPath = quarantinedPath.Remove(quarantinedPath.Length - 1);

File.Copy(quarantinedPath, originalPath);

This worked a treat on our server, but as with any other code you find on the internet, USE AT YOUR OWN RISK!