ClamXav quarantined the HD

Discussion in 'Installation and Configuration of Parallels Desktop' started by pgwest@inboc.com, Jun 25, 2007.

  1. pgwest@inboc.com

    pgwest@inboc.com Bit poster

    Messages:
    5
    I just installed ClamXav to scan for viruses and the program quarantined this file: winxp.hdd.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds

    It seems to be the content of the HD: winxp.hdd

    Is there any way of getting it back in?

    Paul
     
  2. dkp

    dkp Forum Maven

    Messages:
    1,367
    Exclude your Parallels VM directory tree from future scans. ClamAV cannot find viruses in your virtual disk but can find false positives. Same with any virus scanner. The context is all wrong. You can scan your Windows VM with a Windows virus scanner just as you would with a real PC. Virtualizing doesn't change a thing in that regard.

    As for how to recover the quarantine (which I'd also turn off), contact the ClamXav vendor and ask them what to do. If you know the original file name before it was quarantined then I'd put it back where it came from with the original name. If you don't know that then the ClamXav vendor should know.
     
  3. pgwest@inboc.com

    pgwest@inboc.com Bit poster

    Messages:
    5
    Dkp, thanks for the info – it looks like this one is irrecoverable. The file seems to have been extracted from the virtual Parallels drive, not a regular folder so I cannot return it. This could be added to warnings for other Parallels users – to make sure the Parallels files are excluded from antivirus checkers!
     
  4. John Howard

    John Howard Hunter

    Messages:
    126
    ClamXAV allows the user to exclude specific file names (including wildcards) from a scan - but apparently not paths.

    So I told ClamXAV not to scan the file name WINXP.HDD (the name of my specific VM). Other guest OSes (Linux, Win2000 etc.) will have different *.HDD names.
     
  5. dkp

    dkp Forum Maven

    Messages:
    1,367
    That's interesting. I thought, and still do, that ClamXAV was a GUI front end for clamscan, and clamscan allows:

    --exclude=REGEX Don't scan file names matching REGEX
    --exclude-dir=REGEX Don't scan directories matching REGEX
    --include=REGEX Only scan file names matching REGEX
    --include-dir=REGEX Only scan directories matching REGEX
     
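    The exclusion dkp lists above, applied to a Parallels bundle, as an added example that is not code from the thread, from ClamXav or from Parallels. The regex, the sample paths and the function names are assumptions for illustration; `is_excluded` only shows what the regex matches, and nothing here runs clamscan unless you call `scan_excluding_vms` yourself.

```shell
#!/bin/sh
# Added example (not from the thread): keep clamscan out of Parallels
# disk bundles by excluding every directory whose name ends in .hdd.

# POSIX extended regex for a Parallels disk bundle: a path component ending
# in ".hdd", either at the end of the path (the bundle itself) or followed by
# more path (anything inside it). Assumed layout: <vmname>.hdd/<...>.hds
VM_DIR_REGEX='\.hdd(/|$)'

# is_excluded PATH -> exit 0 if the regex matches PATH, i.e. the scanner
# would skip it. Lets you check the pattern before trusting it in a scan.
is_excluded() {
    printf '%s\n' "$1" | grep -Eq -- "$VM_DIR_REGEX"
}

# build_scan_cmd DIR -> print the clamscan command line (not run), so the
# exact exclusion can be reviewed first
build_scan_cmd() {
    printf "clamscan -r --infected --exclude-dir='%s' '%s'\n" "$VM_DIR_REGEX" "$1"
}

# scan_excluding_vms DIR -> run the real scan; needs clamscan on PATH
# (on the thread's install it lives in /usr/local/clamXav/bin)
scan_excluding_vms() {
    clamscan -r --infected --exclude-dir="$VM_DIR_REGEX" "$1"
}
```

Note that `--exclude-dir` skips the bundle as a whole, which is the point: a signature hit on raw bytes inside a virtual disk is not something the host-side scanner can act on safely, so it is better not to look.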
  6. John Howard

    John Howard Hunter

    Messages:
    126
    I searched for Clamscan in Spotlight and nothing came up...

    I used ClamXAV's GUI "preferences/miscellaneous options" feature to employ the fix I described.

    More on ClamXAV at http://www.clamxav.com/
     
  7. dkp

    dkp Forum Maven

    Messages:
    1,367
    It might be located in /usr/local where Spotlight wouldn't look. For some reason Apple likes to keep the users away from the Unix part of their Mac. In a terminal window you can run "find /usr/local -name clam\*" and see what pops up.
     
  8. John Howard

    John Howard Hunter

    Messages:
    126
    It found something :)

    localhost:~ Administrator$ find /usr/local -name clam\*
    /usr/local/clamXav
    /usr/local/clamXav/bin/clamav-config
    /usr/local/clamXav/bin/clamconf
    /usr/local/clamXav/bin/clamdscan
    /usr/local/clamXav/bin/clamscan
    /usr/local/clamXav/etc/clamd.conf
    /usr/local/clamXav/include/clamav.h
    /usr/local/clamXav/sbin/clamd
    /usr/local/clamXav/share/clamav
    /usr/local/clamXav/share/man/man1/clamconf.1
    /usr/local/clamXav/share/man/man1/clamdscan.1
    /usr/local/clamXav/share/man/man1/clamscan.1
    /usr/local/clamXav/share/man/man5/clamd.conf.5
    /usr/local/clamXav/share/man/man8/clamav-milter.8
    /usr/local/clamXav/share/man/man8/clamd.8
     
  9. dkp

    dkp Forum Maven

    Messages:
    1,367
    It looks like you are using Parallels 3.0, and the file that was quarantined still has the original file name. In theory, if it's been moved from the "vmname".hdd folder, putting it back should restore your vm. Is it still in the quarantine folder?
     
  10. pgwest@inboc.com

    pgwest@inboc.com Bit poster

    Messages:
    5
    "vmname".hdd

    Right, the "vmname".hdd in this case is called “winxp.hddâ€. I cannot drop the removed file back into the winxp.hdd folder and have no idea of how to do this in terminal - I regret I have only used this Mac for about 7 months and have not learned Terminal. The file ClamXav.app extracted is called “winxp.hdd.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds†which disabled the Parallels machine. It put the “winxp.hdd.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds†into the quarantine folder and I cannot just drop it back into the “winxp.hdd†folder.

    Firstly, what I need, are really simple instructions on how to drop “winxp.hdd.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds†back into “winxp.hddâ€.

    Secondly, it may be useful for others to post a note in the Parallels documentation about excluding the files from Mac virus checking.

    Thanks for your help!
     
  11. dkp

    dkp Forum Maven

    Messages:
    1,367
    I presume you know where the quarantine directory is, no? If so we can get you put back together with a simple set of instructions. And I guess I should ask the obvious - ClamXav does not have a menu option to restore quarantined files? If not it seems a bit of an oversight, but not fatal.
     
  12. pgwest@inboc.com

    pgwest@inboc.com Bit poster

    Messages:
    5
    DKP – Yes I have the files and found the file that was extracted and quarantined. The only difficulty is getting the extracted file back into the virtual drive (winxp.hdd). ClamXav does not have a restore function – it assumes one can just drag the file back to where it came from. In this case, it was taken from a virtual HDD and not a folder. Paul
     
  13. dkp

    dkp Forum Maven

    Messages:
    1,367
    ClamAV running in OS X isn't smart enough to reach into a Parallels virtual hard drive and pull out a file. It has no way to know that file even is a virtual disk. That is why it is useless for scanning those files. It can only quarantine the entire vdisk, and even then the likelihood is it has found a false positive. The exception to that is if you were running Windows Parallels and shared out the Windows file system to your Mac, and ClamXAV, running on the Mac, scanned that file system via the share point.

    The Windows version of ClamAV running inside Windows can quarantine a file to a location within the Windows file system (including to shares that would actually place the quarantine area on the Mac's file system). Unless you are using the Windows version of ClamAV (WinClam) I'm pretty sure what you are seeing in the quarantine directory is the entire virtual disk and it needs to be put back into the winxp.hdd folder.

    It gets a bit sticky at this point as to what to recommend because time has passed since this thread began and if you've since re-installed Windows in Parallels from scratch then the quarantined file is likely useless now. If you have not, and if the winxp.hdd folder does not now have a file in it that has the same name and size as the quarantined file, then it is probably safe to migrate that file from quarantine back to its original home.
     
  14. pgwest@inboc.com

    pgwest@inboc.com Bit poster

    Messages:
    5
    dkp - your key piece of advice worked: "ClamAV running in OS X isn't smart enough to reach into a Parallels virtual hard drive and pull out a file." Based on this, I renamed the file it had extracted to the quarantine folder back to the original name (after renaming the empty file it left behind in the original folder). This worked. What ClamXav did was to not only move the file, but rename it as well. Thanks for your patience on this. Much appreciated.
     
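    The recovery pgwest did by hand, scripted with the check dkp gave two posts up, as an added example that is not code from the thread, from ClamXav or from Parallels. It moves the quarantined image back into the .hdd bundle under its original name, but only after confirming that the bundle does not already hold a non-empty file of that name (a rebuilt VM, say); the 0-byte placeholder the thread says ClamXav left behind is renamed, not deleted. The quarantine path, the bundle path, the `.hds` file name and the function names are assumptions for illustration, and the sample layout `make_demo_layout` builds is constructed, not real ClamXav output.

```shell
#!/bin/sh
# Added example (not from the thread): put a quarantined Parallels disk image
# back where ClamXav took it from, refusing to overwrite a real image.

# restore_vdisk QUARANTINED_FILE BUNDLE_DIR ORIGINAL_NAME
#   QUARANTINED_FILE : the file now sitting in the quarantine folder
#   BUNDLE_DIR       : the <vmname>.hdd folder it was taken from
#   ORIGINAL_NAME    : the name it had inside that folder
# Returns 0 when restored, 1 on bad arguments or a failed move, 2 when it
# refuses because BUNDLE_DIR already holds a non-empty file of that name.
restore_vdisk() {
    q="$1"; dir="$2"; target="$2/$3"

    [ -f "$q" ] || { echo "quarantined file not found: $q" >&2; return 1; }
    [ -d "$dir" ] || { echo "bundle folder not found: $dir" >&2; return 1; }

    if [ -e "$target" ]; then
        if [ -s "$target" ]; then
            # dkp's check: a same-named file with real contents means the VM
            # has been rebuilt (or was never damaged); never clobber it
            echo "refusing: $target already exists and is not empty" >&2
            return 2
        fi
        # 0-byte placeholder left by the scanner: set it aside, keep it
        mv "$target" "$target.placeholder" || return 1
    fi

    # mv, not cp: the image can be several GB and we want one copy, not two
    mv "$q" "$target" || return 1
    [ -s "$target" ]
}

# Constructed sample layout (assumption, not real ClamXav output): a
# winxp.hdd bundle holding an empty placeholder and a quarantine folder
# holding the moved image. The GUID in the name is the one from the thread.
VDISK='winxp.hdd.0.{5fbaabe3-6958-40ff-92a7-860e329aab41}.hds'
make_demo_layout() {
    mkdir -p "$1/winxp.hdd" "$1/quarantine"
    printf 'fake virtual disk contents\n' > "$1/quarantine/$VDISK"
    : > "$1/winxp.hdd/$VDISK"
}

# demo: build the sample layout in a temp dir, restore, show the result
demo() {
    root=$(mktemp -d)
    make_demo_layout "$root"
    restore_vdisk "$root/quarantine/$VDISK" "$root/winxp.hdd" "$VDISK"
    rc=$?
    echo "restore exit code: $rc"
    ls -l "$root/winxp.hdd"
    rm -rf "$root"
    return $rc
}

demo
```

Before running it against a real bundle, compare the size of the quarantined file with what Parallels reports for the disk; if the scanner also changed the name, as it did here, the original name is the one Parallels will look for, not the quarantine name.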
  15. dkp

    dkp Forum Maven

    Messages:
    1,367
    As we say in Hawai`i, maika`i! (Good!)
     