Quarantine And Restore

I did a test:

- I set Bitdefender Shield to Actions: move file to quarantine
- I pasted the EICAR test string in Notepad and tried to save it to a folder
- the file with the test virus was quarantined. Good.
- I went to the restore option; the file was restored for a microsecond, then deleted again by the antivirus

Is this the correct behaviour?

Comments

  • rootkit
    rootkit ✭✭✭

    Hello :)

    Was the file restored in the same location? Also, the second time, was it sent to quarantine or deleted?

    Thank you!

  • > Hello :)
    > Was the file restored in the same location? Also, the second time, was it sent to quarantine or deleted?
    > Thank you!

    I did another test.

    - Got a zip file with an infected one inside
    - extracted the zip inside a folder
    - virus file detected and quarantined
    - told BD to restore it
    - virus file restored in the same folder for a microsecond (I could see it), and immediately deleted and quarantined again

    What if I want to keep my virus alive? :rolleyes:

  • OK, found what happens:

    - the above behaviour happens when I extract from zip files. Probably because BD goes through a tmp???
    - I disabled the AV, extracted the zip to a folder. Virus is there
    - Turned ON the AV, virus detected and quarantined. Good!
    - Told it to restore, and the virus was restored alive and kicking in the original folder

    So, now I understand it and I am happy....

    Thanks. Consider it closed.
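    The two tests above (drop an EICAR file into a folder, watch it get quarantined, click Restore, watch what happens) can be timed instead of eyeballed. The following Python poller is an added example, not code from this thread or from Bitdefender: it writes the standard EICAR test string to a file, then samples whether the file exists every few milliseconds and logs each appearance and disappearance with a timestamp, so a file that is "restored for a microsecond" shows up as a measured presence interval. The `av_test/eicar.txt` location and the `--watch PATH` flag (watch only, for use while clicking Restore in the quarantine UI) are assumptions of this example. It cannot tell a quarantine from a delete; that still has to be read from the Events list.

```python
"""Poll a path and log what the antivirus does to a test file.

Added example, not code from the forum thread or from Bitdefender.
Run with no arguments to write the EICAR test file into ./av_test/ and
watch it for 10 seconds; run with "--watch PATH" to only watch PATH
(for example while clicking Restore in the quarantine UI).
"""
import os
import sys
import time
from pathlib import Path
from typing import List, Optional, Tuple

# The standard EICAR anti-malware test string (eicar.org). It is harmless
# by design and every mainstream engine is expected to detect it.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

Transition = Tuple[float, bool]  # (seconds since start, file present?)


def write_test_file(path, content: str = EICAR) -> Path:
    """Write content to path; an on-access scanner may raise OSError here."""
    p = Path(path)
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(content.encode("ascii"))
    return p


def observe_transitions(path, duration_s: float,
                        interval_s: float = 0.005) -> List[Transition]:
    """Sample os.path.exists(path) every interval_s for duration_s seconds.

    Returns one entry per change of state, starting with the state at t=0,
    so a file that is restored and then removed again yields
    [(0.0, False), (t1, True), (t2, False)].
    """
    p = str(path)
    start = time.monotonic()
    state = os.path.exists(p)
    log: List[Transition] = [(0.0, state)]
    while True:
        now = time.monotonic() - start
        if now >= duration_s:
            break
        current = os.path.exists(p)
        if current != state:
            log.append((now, current))
            state = current
        time.sleep(interval_s)
    return log


def lifetimes(log: List[Transition]) -> List[Optional[float]]:
    """Seconds each presence interval lasted; None if still present at the end."""
    out: List[Optional[float]] = []
    opened_at: Optional[float] = None
    for t, present in log:
        if present and opened_at is None:
            opened_at = t
        elif not present and opened_at is not None:
            out.append(t - opened_at)
            opened_at = None
    if opened_at is not None:
        out.append(None)
    return out


def main(argv: List[str]) -> int:
    if len(argv) >= 3 and argv[1] == "--watch":
        target = Path(argv[2])
    else:
        target = Path.cwd() / "av_test" / "eicar.txt"  # assumed location
        try:
            write_test_file(target)
        except OSError as exc:
            print(f"write of {target} was blocked: {exc}")
            return 2
    print(f"watching {target} ...")
    log = observe_transitions(target, duration_s=10.0)
    for t, present in log:
        print(f"{t:8.3f}s  {'present' if present else 'absent'}")
    print("presence intervals (s):", lifetimes(log))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    A quarantine on write shows up as a short first interval followed by "absent"; a restore that is immediately re-detected shows up as a second short interval. If `write_test_file` itself raises, the scanner blocked the write before the file ever existed, which is a different outcome from "written, then quarantined".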

  • columbo
    columbo
    edited August 2012

    AstroMax, nice investigative work :) yet it seemed to me that you had to go through a lot of hoops, clicking and ticking, just to get a folder to restore to its original location. What happens when we (I) have a false positive quarantined (that is how I have the On-access scanning action set: quarantine)? Is that going to be the normal course of procedure to restore the file back (then adding it to exclusions)? yikes :blink:

  • > AstroMax, nice investigative work :) yet it seemed to me that you had to go through a lot of hoops, clicking and ticking, just to get a folder to restore to its original location. What happens when we (I) have a false positive quarantined (that is how I have the On-access scanning action set: quarantine)? Is that going to be the normal course of procedure to restore the file back (then adding it to exclusions)? yikes :blink:

    As far as I understand, the Restore procedure (after quarantine) does work, BUT not if you extract from a compressed file (as I wrote, probably BD tries to restore it through tmp, then deletes it again).

  • Thanks for your follow-up thoughts, as I haven't worked too much with restoring a quarantined file, let alone a compressed/zip file as in your investigative work :)

  • > I did another test.
    >
    > - Got a zip file with an infected one inside
    > - extracted the zip inside a folder
    > - virus file detected and quarantined
    > - told BD to restore it
    > - virus file restored in the same folder for a microsecond (I could see it), and immediately deleted and quarantined again
    >
    > What if I want to keep my virus alive? :rolleyes:

    So you want to say that the first time BD detects the virus and quarantines it as you selected in RTP, and the second time, when you try to restore the same file from Quarantine, BD again detects it and then deletes it rather than re-quarantining it?

    And what do you mean by "delete and quarantine again"? Only one action can be done by Bitdefender, either quarantine or delete. I think the infected file should be quarantined in both detection scenarios.

    Did you check the details in the Events for both detections?

  • > So you want to say that the first time BD detects the virus and quarantines it as you selected in RTP, and the second time, when you try to restore the same file from Quarantine, BD again detects it and then deletes it rather than re-quarantining it?
    >
    > And what do you mean by "delete and quarantine again"? Only one action can be done by Bitdefender, either quarantine or delete. I think the infected file should be quarantined in both detection scenarios.
    >
    > Did you check the details in the Events for both detections?

    Well, try it yourself!

    I mean:

    1) yes, exactly so.
    2) I mean: deleted from the folder where it should be restored, and quarantined again
    3) yes, I did check.

    My point is that if it is a false detection of a file in a compressed archive and I want to extract it and keep it, it seems that BD does not allow me to!

  • Hello Max :)

    Can you confirm whether this still reproduces with the latest product update?

    http://forum.bitdefender.com/index.php?sho...mp;#entry157184

    http://forum.bitdefender.com/index.php?showtopic=35499

    Thank you!

  • Not solved yet.

  • Hello :)

    For now, we changed the description of the Event generated, and there the user is instructed to create an exclusion manually.

    I will keep you up to date when new changes are made in the product.

    Take care.