sunhux
asked on
manual way of quarantining a malware / infected file
I have some reservations (ie I'm not certain if it will delete non-malicious files due to
false positive) on a command line AV tool that I'm required to use to scan our UNIX
boxes so governance has instructed that I run the scheduled on-demand scan with
an option to scan in "readonly" mode.
I've seen a case where a jpg file was reported to be an Eicar test virus file so I intend
to review the scan logs weekly & based on human decision & after checking with the
users, manually quarantine files detected as malware/malicious.
Q1:
What's are the safe ways to manually quarantine a suspected file (without deleting
it so that I can recover back in the event users want it)? Just move the suspected
file to a folder? Or should I do more like gzip the suspected file so that it could not
be easily accessed/read to minimize the risk as much as possible?
Q2:
My view is besides zipping it up (with a password? & does Solaris zip offers a
password option?), we may need to prefix this zip file with the full folder path
where it was originally located to facilitate "unquarantining". Any view on this?
Q3:
What's the risk of doing the above manual quarantining as described above?
Manually doing it means there's a time lag/delay. Perhaps I'll need to amend
/enhance the script that triggers this AV scan to do the quarantining based on
what's reported in the scan log?
false positive) on a command line AV tool that I'm required to use to scan our UNIX
boxes so governance has instructed that I run the scheduled on-demand scan with
an option to scan in "readonly" mode.
I've seen a case where a jpg file was reported to be an Eicar test virus file so I intend
to review the scan logs weekly & based on human decision & after checking with the
users, manually quarantine files detected as malware/malicious.
Q1:
What's are the safe ways to manually quarantine a suspected file (without deleting
it so that I can recover back in the event users want it)? Just move the suspected
file to a folder? Or should I do more like gzip the suspected file so that it could not
be easily accessed/read to minimize the risk as much as possible?
Q2:
My view is besides zipping it up (with a password? & does Solaris zip offers a
password option?), we may need to prefix this zip file with the full folder path
where it was originally located to facilitate "unquarantining". Any view on this?
Q3:
What's the risk of doing the above manual quarantining as described above?
Manually doing it means there's a time lag/delay. Perhaps I'll need to amend
/enhance the script that triggers this AV scan to do the quarantining based on
what's reported in the scan log?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.