About the quarantine recovery tool


The main purpose of the advanced quarantine recovery tool (unquar.exe) is to recover from a situation where an important file or files have been placed into quarantine due to a false positive detection.

The tool also provides means for deleting a given quarantine repository. This is intended for cleaning up the quarantine repository after a product has been removed with the uninstallation tool.


Recovering files from quarantine after a false positive incident


If the F-Secure product is still installed and real-time scanning is turned on, make sure you have the latest definition updates downloaded and installed before you begin. Unquar.exe can be downloaded from ftp://ftp.f-secure.com/support/tools/unquar/unquar.exe.


  1. Copy unquar.exe, for example to c:\temp\.
  2. Open Command Prompt in one of the following ways:
    1. In Windows XP, click the Start menu, select Run, type cmd in the Open field of the Run window and click OK.
    2. In Windows Vista/7, click the Start menu, type cmd and press Enter.
  3. In Command Prompt, change to the folder where you copied the tool. For example, to change to c:\temp\, type cd c:\temp\ and press Enter.
  4. To list the quarantined items in the quarantine repository, use one of the following selectors:
    a) Detection name: unquar.exe -m recovery -i Trojan:W32/F-Secure_testfile.A
    This option lists all the items in the quarantine with the given malware family name (in this example Trojan:W32/F-Secure_testfile.A).
    b) Quarantine date: unquar.exe -m recovery -d 2011.04.15-2011.04.16
    This option lists all the items in the quarantine with the given quarantine date (in this example from 15 April through 16 April, 2011). The range is given in the format YYYY.MM.DD-YYYY.MM.DD.
  5. To restore the items from the quarantine, use the same selector with the --doit switch:

    Note: Make sure you are restoring the correct files from the quarantine. There is a chance that the quarantine contains malware and you might risk real infection by releasing these items. If you are not sure, contact support to get the malware family name or the date information.

    a) Detection name: unquar.exe -m recovery -i Trojan:W32/F-Secure_testfile.A --doit
    This option releases all the items in the quarantine with the given malware family name (in this example Trojan:W32/F-Secure_testfile.A).
    b) Quarantine date: unquar.exe -m recovery -d 2011.04.15-2011.04.16 --doit
    This option releases all the items in the quarantine with the given quarantine date (in this example from 15 April through 16 April, 2011). The range is given in the format YYYY.MM.DD-YYYY.MM.DD.
  6. The tool moves the files back to their original locations and restores all relevant registry settings.
    Note: If you are not sure how to use the tool, contact support for further details.
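The list-then-restore procedure above, wrapped in a PowerShell script as an added example that is not part of the F-Secure article: it assumes unquar.exe sits in the current folder, checks the date-range format before calling the tool, always runs the listing first, and only adds --doit after an explicit confirmation. The function name Test-QuarantineDateRange is the example's own.

```powershell
# Added example, not F-Secure's code: a wrapper that enforces "list first, then --doit".
# Assumes unquar.exe is in the current folder (e.g. c:\temp\); its output is shown as-is.
[CmdletBinding()]
param(
    [Parameter(Mandatory, ParameterSetName = 'ByName')]
    [string]$DetectionName,          # e.g. Trojan:W32/F-Secure_testfile.A
    [Parameter(Mandatory, ParameterSetName = 'ByDate')]
    [string]$DateRange,              # YYYY.MM.DD-YYYY.MM.DD, the format the tool expects
    [string]$ToolPath = '.\unquar.exe'
)

# Validate the range before the tool sees it: both halves must be real dates in
# the tool's format, and the start date must not be later than the end date.
function Test-QuarantineDateRange([string]$Range) {
    if (-not ($Range -match '^(\d{4}\.\d{2}\.\d{2})-(\d{4}\.\d{2}\.\d{2})$')) { return $false }
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    try {
        $start = [datetime]::ParseExact($Matches[1], 'yyyy.MM.dd', $culture)
        $end   = [datetime]::ParseExact($Matches[2], 'yyyy.MM.dd', $culture)
    } catch { return $false }
    return ($start -le $end)
}

if (-not (Test-Path $ToolPath)) { throw "unquar.exe not found at $ToolPath" }

# Build the selector exactly as the article documents it (-i name or -d range).
if ($PSCmdlet.ParameterSetName -eq 'ByName') {
    $selector = @('-i', $DetectionName)
} else {
    if (-not (Test-QuarantineDateRange $DateRange)) {
        throw "Date range must be YYYY.MM.DD-YYYY.MM.DD with start <= end: $DateRange"
    }
    $selector = @('-d', $DateRange)
}

# Step 4: list only. Nothing is restored until the operator has read this output.
Write-Host "Listing matching quarantine items (no changes made):"
& $ToolPath -m recovery @selector

# Step 5: restore only after a literal, case-sensitive confirmation, since the
# quarantine may also hold real malware that matches the same selector.
$answer = Read-Host "Restore ALL items listed above to their original locations? Type RESTORE to continue"
if ($answer -ceq 'RESTORE') {
    & $ToolPath -m recovery @selector --doit
} else {
    Write-Host "No items restored."
}
```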

Delete mode


The tool also provides means for deleting a given repository. This may not be possible by other means, because the repository contains folders protected by a strict ACL. The tool drops the ACL and recursively deletes the contents.


To delete a repository:

  1. Copy unquar.exe, for example to c:\temp\.
  2. Open Command Prompt in one of the following ways:
    1. In Windows XP, click the Start menu, select Run, type cmd in the Open field of the Run window and click OK.
    2. In Windows Vista/7, click the Start menu, type cmd and press Enter.
  3. In Command Prompt, change to the folder where you copied the tool. For example, to change to c:\temp\, type cd c:\temp\ and press Enter.
  4. Run unquar.exe -del


More information


Running unquar.exe from Command Prompt without any command line parameters prints the full list of parameters the tool accepts.
