manual way of quarantining a malware / infected file

Last Modified: 2015-10-09
I have some reservations (i.e. I'm not certain whether it will delete non-malicious files due to false positives) about a command line AV tool that I'm required to use to scan our UNIX boxes, so governance has instructed that I run the scheduled on-demand scan with an option to scan in "read-only" mode.

I've seen a case where a jpg file was reported to be an EICAR test virus file, so I intend to review the scan logs weekly and, based on human decision and after checking with the users, manually quarantine files detected as malware/malicious.

Q1:
What are the safe ways to manually quarantine a suspected file (without deleting it, so that I can recover it in the event users want it)? Just move the suspected file to a folder? Or should I do more, like gzip the suspected file so that it cannot be easily accessed/read, to minimize the risk as much as possible?

Q2:
My view is that besides zipping it up (with a password? And does Solaris zip offer a password option?), we may need to prefix this zip file with the full folder path where it was originally located to facilitate "unquarantining". Any view on this?

Q3:
What's the risk of doing the manual quarantining described above? Doing it manually means there's a time lag/delay. Perhaps I'll need to amend/enhance the script that triggers this AV scan to do the quarantining based on what's reported in the scan log?
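The manual quarantine the question describes (move the suspect file away, wrap it with gzip, keep its full original path so it can be "unquarantined" after review), written out as an added shell example that is not part of the original post or any Experts Exchange answer. The QUARANTINE_DIR location and the tab-separated manifest layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal manual quarantine that
# keeps the file recoverable. Assumptions: QUARANTINE_DIR (default below) is a
# root-owned directory, and a tab-separated manifest records the original path.
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/quarantine}"

# quarantine_file <path>: move the suspect file out of its original location,
# gzip it, strip all permission bits, and record where it came from.
# Prints the path of the quarantined archive.
quarantine_file() {
    src="$1"
    [ -f "$src" ] || { echo "not a regular file: $src" >&2; return 1; }
    mkdir -p "$QUARANTINE_DIR" && chmod 700 "$QUARANTINE_DIR"
    # Encode the full original path in the name, as the question suggests,
    # plus a timestamp so repeated detections of the same path do not collide.
    stamp=$(date +%Y%m%d%H%M%S)
    name="${stamp}_$(printf '%s' "$src" | tr '/' '_')"
    mv "$src" "$QUARANTINE_DIR/$name"
    gzip -f "$QUARANTINE_DIR/$name"          # gzip has no password option;
    chmod 000 "$QUARANTINE_DIR/$name.gz"     # the mode bits and the root-only
                                             # directory keep it out of reach
    printf '%s\t%s\t%s\n' "$name.gz" "$src" "$stamp" >> "$QUARANTINE_DIR/manifest.tsv"
    echo "$QUARANTINE_DIR/$name.gz"
}

# restore_file <archive-name.gz>: "unquarantine" after human review, using the
# manifest to find the original path. Refuses to overwrite an existing file.
restore_file() {
    qname="$1"
    orig=$(awk -F'\t' -v n="$qname" '$1 == n { print $2 }' \
        "$QUARANTINE_DIR/manifest.tsv" | tail -n 1)
    [ -n "$orig" ] || { echo "no manifest entry for $qname" >&2; return 1; }
    [ ! -e "$orig" ] || { echo "refusing to overwrite $orig" >&2; return 1; }
    chmod 400 "$QUARANTINE_DIR/$qname"
    gunzip -c "$QUARANTINE_DIR/$qname" > "$orig"
    chmod 600 "$orig"        # conservative; the owner can widen it after review
    echo "$orig"
}
```

The manifest is what makes the time lag in Q3 tolerable: every move is logged with its original path and timestamp, so a false positive can be reversed exactly.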