Restore All quarantined files?

Asked by timo on 2014-03-17

Hi there,

I'm in kind of trouble... I scanned a friend's WinVista Partition from a Linux Live System - and clamtk found 1175(!) threats. So I decided to move them all into quarantine and see what happens. Well, Vista isn't too happy, and a lot of stuff stopped working, so now I have to restore all the quarantined files, which, of course, is possible, but only ONE at a time, after which you have to hit the OK button, go back to the list, and start all over again... I'll die of old age before I can finish the task!

Is there no way to restore them ALL at once? Or maybe a little helper script to do that... my skills are far too low to write such a script, but maybe someone smarter had the problem before me?

Any help is appreciated, I'm really out of my depth here...

BTW: Does that normally happen on Vista? I mean, 1175 threats found is an awful lot, isn't it? Or did something else go wrong?

Question information

Language: English
Status: Answered
For: ClamTk
Assignee: No assignee
Last query: 2014-03-17
Last reply: 2015-09-19

Dave M (dave-nerd) said : #1

Hi,

Sorry to hear about the problems. No, I have not implemented a "restore
all" button... sorry. Probably should. I'll look at it, but it probably
won't be in time to help you.

I know it's too late, but I have to point out that this is a program made
for Linux. If you're going to scan Windows with it, at least disable the
"PUA" in the Settings. That's probably what most of the files came up as,
right?

Again, I shouldn't lecture, and I'm sorry that this happened. I'll look at
a restore all button so this won't be as big of an issue.

btw, I'm not a Windows guy, but does Vista have a restore functionality?
Or did that start with Win 7? I'm under the impression you can restore
back to an earlier version.

respectfully
dave

timo (playsansara) said : #2

Okay, thanks a lot! I'm no Windows guy either, but it seems there is a system restore function in Vista; I'm trying that right now, but I'm not putting too much hope into it... too much has been damaged, I'm afraid.

You're right about the PUA thing - so disabling this setting would give more 'healthy results'? Or is scanning Windows with clamtk generally a bad idea?

Sincerely,
Timo

Dave M (dave-nerd) said : #3

Timo,

Honestly, I recommend not using it with Windows. I don't have the
resources to ensure it is safe. Enabling PUA scanning is not necessarily
bad, but do some research on the files prior to removing them.

Ensure you save off any relevant files prior to restoring... you never know.

Good luck, and sorry I couldn't be of more assistance.

respectfully
dave

Rik Shaw (rik-shaw) said : #4

I am in the same boat of not being careful enough and quarantining a pile of windows files that I need to restore. So restoring multiple files at once from the quarantine would be great. Being able to sort the quarantine by extension would also be helpful, so easier to sort what you want to restore.

Bryan Putnam (bryan-w-putnam) said : #5

OK, I had the same problem noted above. After searching for hours to see if there was a way to move all quarantined files back to their original location, I was unable to achieve what I was trying to accomplish. With that said, and being a programmer, I went ahead and created a simple bash script that will achieve what needs to be done.

Here's the HOWTO:

Create a bash script, for this HOWTO I will create a file named: clamtk-restore-all-files.sh
command: sudo nano clamtk-restore-all-files.sh

Copy and paste the following code into that file:

#!/bin/bash
# start script
# Usage: sudo ./clamtk-restore-all-files.sh ~/.clamtk/restore
CLAMTK_DIR="/home/ubuntu/.clamtk"
CLAMTK_VIR_DIR="$CLAMTK_DIR/viruses"
DATE=$(date '+%Y %b %d %H:%M')
# the only argument is ClamTk's restore file: one "id:original_path:perms" line per quarantined file
[ -r "$1" ] || { echo "usage: $0 /path/to/.clamtk/restore" >&2; exit 1; }
(
printf 'Initiated move on: %s\n-------------------------------------\n\n' "$DATE"
# IFS=':' splits each line on the colons; -r keeps any backslashes in the path as-is
while IFS=':' read -r ID FILE PERM; do
    SAVE_DIR=$(dirname "$FILE")
    FILE_NAME=$(basename "$FILE")
    # copy (not move) the quarantined copy back so ~/.clamtk/viruses stays intact; /bin/cp -f never prompts
    sudo /bin/cp -f "$CLAMTK_VIR_DIR/$FILE_NAME" "$FILE"
    sudo chmod "$PERM" "$FILE"
    printf 'ID: %s\nSave Directory: %s\nFile Name: %s\nPermissions: %s\n\n' "$ID" "$SAVE_DIR" "$FILE_NAME" "$PERM"
done < "$1"
) >> "$CLAMTK_DIR/my_restore.log"
# end script

There is really only one variable that you need to set, which is "CLAMTK_DIR"; it should be set to the home directory of the user you ran the initial scan from. Mine was the user ubuntu since I used a persistent Ubuntu LiveCD on a thumb drive.

So let's say you ran the scan as user Bryan; the variable should look like this: CLAMTK_DIR="/home/bryan/.clamtk". Usually the clamtk directory is a hidden one; double check that it is there by typing the following command:

command: cd ~/.clamtk

If it is not there you will need to track down this folder. This folder contains the "restore" file and the files that it quarantined, which are in "~/.clamtk/viruses".

Notes: All this script does is loop through the restore file which contains items like this:

96f3c16777e395cf5c0e633792ea5597:/media/ubuntu/C878B0F178B0DF7E/Windows/System32/ntoskrnl.exe:600

Now, I am not sure what all this means but I can take a guess. See the colons ":" that is a separator for the restore procedure. Dave may be able to elaborate more about this though. Here is how I understood these entries:

96f3c16777e395cf5c0e633792ea5597 = File ID that clamtk uses for the restore procedure.
/media/ubuntu/C878B0F178B0DF7E/Windows/System32/ntoskrnl.exe = Files original location before being quarantined.
600 = Original file permissions (not sure about this, but seems logical).

The script goes line by line and copies each file back to its original location. Once it has done that it sets the permissions for the file (not sure if this was needed since Linux and Windows permissions are totally different). That's it!

Now make the script executable by typing the following command:

command: sudo chmod +x clamtk-restore-all-files.sh

After that I ran the script with the following command:

command: sudo ./clamtk-restore-all-files.sh ~/.clamtk/restore

Everything was back to working... well mostly the virus still remained but now the system boots again!

Note: make sure not to forget to enter the restore file location for the script. You'll notice in the example above "~/.clamtk/restore" that really means "/home/{logged_in_user}/.clamtk"

Also, you'll notice the program copies the files; it does not move them. You could probably use mv instead of cp, but I'd rather use cp just so the original file structure for clamtk is preserved. If everything works after rebooting you can delete those files using clamtk's interface and then move on to fixing the virus again :D!

One more thing: the script will create a my_restore.log file which just logs the save directory, file name, and permissions that were set, for each file. The file is located in ~/.clamtk/my_restore.log

That's it, hope this helps someone!

-Bryan
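
Added example, written for this page and not ClamTk's code or Bryan's script: a "restore all" in POSIX sh built on the restore-file format and quarantine layout described in the post above. It takes the id as everything before the first colon and the mode as everything after the last one, so an original path that itself contains a colon is not mis-split (a plain IFS=':' read would push the tail of such a path into the mode field), refuses to touch the disk when the quarantined copy is missing or the mode field is not octal, and can be run dry first. It assumes the "id:path:perms" line format and the viruses/<basename> layout from the thread; it does nothing with the id field, since the thread does not establish what it identifies. The quarantine tree the demo builds is constructed sample data.

```shell
#!/bin/sh
# Added example (not ClamTk's code): restore every quarantined file listed in a ClamTk restore file.
# Assumptions, taken from the thread: each line is "<id>:<original path>:<octal perms>" and the
# quarantined copy sits in the viruses directory under the file's basename. Nothing is done with
# the id field, since the thread does not establish what it identifies.

# parse_restore_line <line>: sets R_ID, R_PATH, R_PERM. The id is everything before the first
# colon and the mode everything after the last one, so a colon inside the path is kept intact.
parse_restore_line() {
    R_ID=${1%%:*}
    R_PERM=${1##*:}
    R_PATH=${1#"$R_ID":}
    R_PATH=${R_PATH%:"$R_PERM"}
}

# valid_mode <field>: true only for a 3- or 4-digit octal mode, so a mis-split line never reaches chmod.
valid_mode() {
    case $1 in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# restore_all <restore-file> <viruses-dir> [dry]
# Copies each quarantined file back to its recorded path and reapplies the recorded mode; with a
# third argument "dry" it only reports what it would do. Prints one status line per entry, leaves
# the number of entries it could not restore in RESTORE_FAILED, and returns 0 only if that is 0.
# Run the whole script under sudo if the target mount is not writable by your user.
restore_all() {
    restore_file=$1; vir_dir=$2; dry=${3:-}
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        parse_restore_line "$line"
        src="$vir_dir/$(basename "$R_PATH")"
        if [ ! -f "$src" ]; then
            printf 'MISSING  %s\n' "$src"; bad=$((bad + 1)); continue
        fi
        if ! valid_mode "$R_PERM"; then
            printf 'BADMODE  %s %s\n' "$R_PERM" "$R_PATH"; bad=$((bad + 1)); continue
        fi
        if [ ! -d "$(dirname "$R_PATH")" ]; then
            printf 'NODIR    %s\n' "$R_PATH"; bad=$((bad + 1)); continue
        fi
        if [ "$dry" = dry ]; then
            printf 'WOULD    %s -> %s (%s)\n' "$src" "$R_PATH" "$R_PERM"
        elif cp -f "$src" "$R_PATH" && chmod "$R_PERM" "$R_PATH"; then
            printf 'RESTORED %s (%s)\n' "$R_PATH" "$R_PERM"
        else
            printf 'FAILED   %s\n' "$R_PATH"; bad=$((bad + 1))
        fi
    done < "$restore_file"
    RESTORE_FAILED=$bad
    [ "$bad" -eq 0 ]
}

# make_fixture: constructed sample data for trying this offline: a throwaway tree standing in for
# the mounted Windows partition plus a ClamTk-style quarantine. Prints the tree's root. The second
# entry has a colon in its directory name and the third has no quarantined copy.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/mnt/Windows/System32" "$root/mnt/Windows/Temp:old" "$root/clamtk/viruses"
    printf 'not really ntoskrnl\n' > "$root/clamtk/viruses/ntoskrnl.exe"
    printf 'not really an app\n'   > "$root/clamtk/viruses/app.exe"
    {
        printf '96f3c16777e395cf5c0e633792ea5597:%s/mnt/Windows/System32/ntoskrnl.exe:600\n' "$root"
        printf '0123456789abcdef0123456789abcdef:%s/mnt/Windows/Temp:old/app.exe:644\n' "$root"
        printf 'ffffffffffffffffffffffffffffffff:%s/mnt/Windows/gone.exe:644\n' "$root"
    } > "$root/clamtk/restore"
    printf '%s\n' "$root"
}

# `sh restore-all.sh --demo`: build the sample tree, dry-run, then restore for real and clean up.
if [ "${1:-}" = --demo ]; then
    d=$(make_fixture)
    restore_all "$d/clamtk/restore" "$d/clamtk/viruses" dry || true
    restore_all "$d/clamtk/restore" "$d/clamtk/viruses" || true
    echo "entries not restored: $RESTORE_FAILED"
    rm -rf "$d"
fi
```

Against a real quarantine you would call restore_all with ~/.clamtk/restore and ~/.clamtk/viruses, dry first, and only drop the dry argument once the report shows no MISSING, BADMODE or NODIR lines; the copies stay in viruses/ afterwards, as in Bryan's script, so ClamTk's own view of the quarantine is unchanged.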
