Recovering quarantined files from a ClamAV false positive


All times are UTC - 6 hours


Posted: Tue Jan 12, 2010 9:11 am

Joined: Tue Jan 12, 2010 9:03 am
Posts: 2
Hi Guys

Last Friday ClamAV decided to tag a shed load of files as infected with
Code:
Exploit.PDF-9669 FOUND

and promptly moved the tagged files to quarantine. Now this would have been fine if it was a real virus, but some googling came up with a dodgy ClamAV update.

So I've now got some 1000+ files moved from their homes in a vast multi-share, super-deep folder structure sitting in quarantine, and they are perfectly fine.

I need to write a script to take in the log file and return the moved files to their rightful location.

Here is a snippet of the log

Code:
Scan started: Sat Jan  9 00:50:02 2010
/home/e-smith/files/ibays/executive/files/Uniform Sizes.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/Uniform Sizes.xlsx: moved to '/var/spool/clamav/quarantine//Uniform Sizes.xlsx'
/home/e-smith/files/ibays/executive/files/Mobile Phone No..xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/Mobile Phone No..xlsx: moved to '/var/spool/clamav/quarantine//Mobile Phone No..xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Redundancy Information/Grading -MASTER June 2009 - 1.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Redundancy Information/Grading -MASTER June 2009 - 1.xlsx: moved to '/var/spool/clamav/quarantine//Grading -MASTER June 2009 - 1.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Redundancy Information/Grading -MASTER June 2009.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Redundancy Information/Grading -MASTER June 2009.xlsx: moved to '/var/spool/clamav/quarantine//Grading -MASTER June 2009.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Current Employees/Andrew Lia/FW Student behaviour JTL1C.htm: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Current Employees/Andrew Lia/FW Student behaviour JTL1C.htm: moved to '/var/spool/clamav/quarantine//FW Student behaviour JTL1C.htm'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Sub-contractors/SubContractors.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Sub-contractors/SubContractors.xlsx: moved to '/var/spool/clamav/quarantine//SubContractors.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Leavers/Craig Rudge 07.08.09/Grading.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Leavers/Craig Rudge 07.08.09/Grading.xlsx: moved to '/var/spool/clamav/quarantine//Grading.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Leavers/Craig Rudge 07.08.09/Hours Overbooked.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Leavers/Craig Rudge 07.08.09/Hours Overbooked.xlsx: moved to '/var/spool/clamav/quarantine//Hours Overbooked.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/Annual Bonus Figures/Staff List.xlsx: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/Annual Bonus Figures/Staff List.xlsx: moved to '/var/spool/clamav/quarantine//Staff List.xlsx'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/ [SPAM_]_  electrician mate.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/ [SPAM_]_  electrician mate.eml: moved to '/var/spool/clamav/quarantine// [SPAM_]_  electrician mate.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Vacancy query (1).eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Vacancy query (1).eml: moved to '/var/spool/clamav/quarantine//Vacancy query (1).eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/RE_ CAT5_Telecoms.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/RE_ CAT5_Telecoms.eml: moved to '/var/spool/clamav/quarantine//RE_ CAT5_Telecoms.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Application form.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Application form.eml: moved to '/var/spool/clamav/quarantine//Application form.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Electricians mate vacancy.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Electricians mate vacancy.eml: moved to '/var/spool/clamav/quarantine//Electricians mate vacancy.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/FW_ .eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/FW_ .eml: moved to '/var/spool/clamav/quarantine//FW_ .eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/For attention of Susanne Morris; Electrician CFB_101379 .eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/For attention of Susanne Morris; Electrician CFB_101379 .eml: moved to '/var/spool/clamav/quarantine//For attention of Susanne Morris; Electrician CFB_101379 .eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Hi, I'm Looking for work..eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Hi, I'm Looking for work..eml: moved to '/var/spool/clamav/quarantine//Hi, I'm Looking for work..eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/ [SPAM_]_  apprentiships.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/ [SPAM_]_  apprentiships.eml: moved to '/var/spool/clamav/quarantine// [SPAM_]_  apprentiships.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Stuart Harris cv.eml: Exploit.PDF-9669 FOUND
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/Stuart Harris cv.eml: moved to '/var/spool/clamav/quarantine//Stuart Harris cv.eml'
/home/e-smith/files/ibays/executive/files/STAFF FILE/CV's and Applications/cv.eml: Exploit.PDF-9669 FOUND


I've managed to grep the logfile for the lines I want, which I have saved into a mylog.txt file. So I just need a script to run through this and sort out the cp commands?

I hope someone can help me out.


Posted: Mon Jan 18, 2010 3:53 am

Joined: Tue Jan 12, 2010 9:03 am
Posts: 2
Code:
#!/usr/bin/perl
use strict;
use warnings;

# mylog1.log holds the log lines grepped for ': moved to', one per file.
open(my $fh, '<', './mylog1.log') or die "Cannot open ./mylog1.log: $!";

while (my $line = <$fh>) {
    chomp $line;
    # $1 = original path, $3 = quarantine path (single-quoted in the log)
    if ($line =~ /(.*)(: moved to )(.*)/) {
        my $orig = $1;
        my $quar = $3;
        $quar =~ s/^'//;    # strip the surrounding single quotes
        $quar =~ s/'$//;
        print "cp -p '$quar' '$orig'\n";
        # List-form system() runs cp directly with no shell in between, so
        # names containing spaces, quotes, parentheses, ';' or '[' need no
        # escaping (a shell would have split the name with ';' in the log
        # above into two commands).
        system('cp', '-p', $quar, $orig) == 0
            or warn "cp failed for '$quar': exit status $?\n";
    }
}
close($fh);


Just in case people were interested, it was solved with a Perl script. First of all the logs were grepped for ': moved to' and that text file loaded by the script.


Posted: Fri Jan 22, 2010 10:40 pm
Site Admin

Joined: Sun May 15, 2005 9:36 pm
Posts: 667
Location: Des Moines, Iowa
Thanks for posting your fix (even if it was perl ;) ) ...this could have been done just as easily in bash, sorry I didn't see the post earlier.


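The bash version the admin mentions, written here as an added example rather than code from either poster: it takes the same ': moved to' log lines as the first post, splits each one on the marker text with parameter expansion, and calls cp directly, so the file names (spaces, quotes, parentheses, a ';' and a '[' all occur in the thread's log) are never re-parsed by a shell. The function names, the dry-run switch and the constructed sample tree are this example's own, and the sample tree deliberately leaves one quarantined file missing to show the skip path.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread: restore ClamAV-quarantined files
# to their original paths from the "moved to" log lines. Function names and
# the constructed sample tree below are this example's own.
set -euo pipefail

# parse_moved_line LINE
# Prints "ORIGINAL<TAB>QUARANTINE" for a line of the form
#   /orig/path: moved to '/quarantine/path'
# and returns 1 for any other line ("FOUND", "Scan started", ...).
# Splitting on the marker text means the paths need no escaping at all.
parse_moved_line() {
    local line=$1 marker=": moved to '" orig quar
    [[ $line == *"$marker"*"'" ]] || return 1
    orig=${line%"$marker"*}      # text before the (last) marker
    quar=${line##*"$marker"}     # text after it ...
    quar=${quar%\'}              # ... minus the closing quote
    printf '%s\t%s\n' "$orig" "$quar"
}

# restore_from_log LOGFILE [dry|run]
# Copies every quarantined file named in LOGFILE back to its original path
# (cp -p keeps mode and timestamps) and prints the number of files handled.
# Files missing from quarantine are reported on stderr and skipped; in dry
# mode nothing is copied and the planned copies are listed on stderr.
restore_from_log() {
    local log=$1 mode=${2:-run} line pair orig quar n=0
    while IFS= read -r line; do
        pair=$(parse_moved_line "$line") || continue
        orig=${pair%%$'\t'*}
        quar=${pair#*$'\t'}
        if [[ ! -f $quar ]]; then
            printf 'missing in quarantine, skipped: %s\n' "$quar" >&2
            continue
        fi
        if [[ $mode == dry ]]; then
            printf 'would run: cp -p %q %q\n' "$quar" "$orig" >&2
        else
            mkdir -p -- "$(dirname -- "$orig")"
            cp -p -- "$quar" "$orig"     # '--' guards names starting with '-'
        fi
        n=$((n + 1))
    done < "$log"
    echo "$n"
}

# make_demo_tree DIR
# Builds a constructed quarantine directory and log under DIR, reusing the
# awkward file names from the thread, and prints the log's path. The
# "Vacancy query (1).eml" entry is logged but never created in quarantine.
make_demo_tree() {
    local root=$1 q="$1/quarantine" share="$1/ibays/executive/files/STAFF FILE" f
    mkdir -p "$q" "$share/CV's and Applications"
    printf 'sheet\n' > "$q/Uniform Sizes.xlsx"
    printf 'mail1\n' > "$q/For attention of Susanne Morris; Electrician CFB_101379 .eml"
    printf 'mail2\n' > "$q/ [SPAM_]_  electrician mate.eml"
    {
        printf 'Scan started: Sat Jan  9 00:50:02 2010\n'
        for f in "Uniform Sizes.xlsx" \
                 "CV's and Applications/For attention of Susanne Morris; Electrician CFB_101379 .eml" \
                 "CV's and Applications/ [SPAM_]_  electrician mate.eml" \
                 "CV's and Applications/Vacancy query (1).eml"; do
            printf '%s: Exploit.PDF-9669 FOUND\n' "$share/$f"
            # the double slash mirrors the thread's log; the kernel ignores it
            printf "%s: moved to '%s//%s'\n" "$share/$f" "$q" "${f##*/}"
        done
    } > "$root/mylog.txt"
    printf '%s\n' "$root/mylog.txt"
}

# Stand-alone: "bash restore.sh /path/to/mylog.txt [dry]" works on a real
# log; with no arguments it runs against the constructed tree and cleans up.
if [[ $# -eq 0 ]]; then
    tmp=$(mktemp -d)
    log=$(make_demo_tree "$tmp")
    echo "dry run would handle $(restore_from_log "$log" dry) files"
    echo "restored $(restore_from_log "$log") files"
    rm -rf -- "$tmp"
else
    restore_from_log "$1" "${2:-run}"
fi
```

Run it once in dry mode against the real log first: the list on stderr is the set of cp commands to review before touching 1000+ files, and anything already missing from quarantine shows up there rather than as a failed copy halfway through. cp -p restores mode and timestamps; ownership is only restored when the script runs as root, which is how the original scan that moved the files would have run.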