I have some reservations (i.e. I'm not certain whether it will delete non-malicious files due to
false positives) about a command line AV tool that I'm required to use to scan our UNIX
boxes, so governance has instructed that I run the scheduled on-demand scan with
an option to scan in "readonly" mode.
I've seen a case where a jpg file was reported to be an Eicar test virus file so I intend
to review the scan logs weekly & based on human decision & after checking with the
users, manually quarantine files detected as malware/malicious.
Q1:
What are the safe ways to manually quarantine a suspected file (without deleting
it, so that I can recover it in the event users want it)? Just move the suspected
file to a folder? Or should I do more, like gzip the suspected file so that it could not
be easily accessed/read, to minimize the risk as much as possible?
Q2:
My view is that besides zipping it up (with a password? and does Solaris zip offer a
password option?), we may need to prefix this zip file with the full folder path
where it was originally located to facilitate "unquarantining". Any view on this?
Q3:
What's the risk of doing the manual quarantining described above?
Doing it manually means there's a time lag/delay. Perhaps I'll need to amend/enhance
the script that triggers this AV scan to do the quarantining based on
what's reported in the scan log?
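As an added example (not part of the question, and not from any AV product), here is one way to do the "move and gzip, keep the original path" quarantine that Q1 and Q2 describe, with a matching restore that verifies the checksum recorded at quarantine time. It assumes POSIX sh, gzip(1) and cksum(1); `QDIR` and the two function names are hypothetical.

```shell
#!/bin/sh
# Added example: a hypothetical quarantine/restore helper, not from the post.
# Assumes POSIX sh, gzip(1) and cksum(1); QDIR is the quarantine directory.
QDIR="${QDIR:-/var/quarantine}"

# Move a file into $QDIR, gzipped and owner-read-only, with the original
# absolute path encoded in the file name so it can be put back later.
quarantine() {
    src="$1"
    [ -f "$src" ] || return 1
    case "$src" in /*) abs="$src" ;; *) abs="$(pwd)/$src" ;; esac
    mkdir -p "$QDIR" && chmod 700 "$QDIR" || return 1
    # Encode '%' first, then '/', so the path survives as one file name.
    enc="$(printf '%s\n' "$abs" | sed 's/%/%25/g; s,/,%2F,g')"
    dest="$QDIR/$(date +%Y%m%d%H%M%S).$$.$enc.gz"
    # Record CRC/size and owner/mode before anything is moved.
    cksum "$src" > "$dest.meta" && ls -ln "$src" >> "$dest.meta" || return 1
    gzip -c "$src" > "$dest" && gzip -t "$dest" || return 1
    chmod 400 "$dest" && rm -f "$src" || return 1
    printf '%s\n' "$dest"
}

# Put a quarantined file back where it came from and verify its checksum.
restore() {
    q="$1"
    [ -f "$q" ] && [ -f "$q.meta" ] || return 1
    enc="$(basename "$q" .gz)"
    enc="${enc#*.}"; enc="${enc#*.}"      # drop timestamp and pid
    abs="$(printf '%s\n' "$enc" | sed 's,%2F,/,g; s/%25/%/g')"
    mkdir -p "$(dirname "$abs")" || return 1
    gzip -dc "$q" > "$abs" || return 1
    # Compare the CRC against the value recorded at quarantine time.
    read -r want rest < "$q.meta"
    set -- $(cksum "$abs")
    [ "$want" = "$1" ] || { rm -f "$abs"; return 1; }
    printf '%s\n' "$abs"
}
```

The `.meta` sidecar keeps the original owner and mode (from `ls -ln`), so the reviewer can also restore ownership after `restore` has put the bytes back.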