How can I recover quarantined items from quarantine manually?

If you need to recover an item from the quarantine, such as a false positive, use the fsdumpqrt tool. It extracts sample files from the quarantine.

The tool reads all the files in the AV quarantine, unpacks them from the quarantine and dumps them into an encrypted ZIP file named "malware_samples.zip". The default password for the encrypted zip file is "infected", and you can change it if you want to.

To recover quarantined items with fsdumpqrt:

  1. Click the following link (https://download.f-secure.com/support/tools/fsdumpqrt/fsdumpqrt.exe) and save the fsdumpqrt.exe file, for example to c:\temp.
  2. Open the Command Prompt window.
  3. At the command prompt, change the directory to the one that you selected in step 1. For example, to change to the folder c:\temp\, type
    cd c:\temp\
    and press Enter.
  4. To run the tool, type
    fsdumpqrt.exe -d c:\temp\
  5. Enter your administrator credentials when prompted.

    F-Secure license terms are shown.
  6. Read the license terms.

    Note: You have to scroll all the way to the end of the license terms before you can accept them.

  7. To accept the license terms, press e on your keyboard.
  8. To complete the run, press any key.

You can now find the "malware_samples.zip" file with the default password (infected) in the destination folder that you specified in step 4.

The tool accepts the following parameters:
  • -d, --destination: Destination directory for output (default: current admin desktop)
  • -p, --password: Password for output (default: "infected")
  • -v, --verbose: Verbose output
  • -a, --accept-eula: Accept EULA
  • -s, --silent: Silent mode
  • -l, --list: Only list contents, nothing is written to disk

Tip: Running the fsdumpqrt.exe tool at the command prompt without any additional command line parameters prints a short tool description and the extra parameters for using the tool.
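
The following is an added example, not part of the original article and not F-Secure's own script. It combines the documented parameters into a preview-then-export run with a non-default password and records a hash of the resulting archive. It assumes an elevated PowerShell session, that the tool is saved in c:\temp as in step 1, that the parameters can be combined as shown, and that the tool finishes before control returns to the script; the destination folder name is constructed for illustration.

```powershell
# Added example; folder names and the flag combination are assumptions.
# Run from an elevated PowerShell session.
$tool = Join-Path 'C:\temp' 'fsdumpqrt.exe'       # location from step 1
$dest = 'C:\temp\quarantine-export'               # constructed destination folder
$zip  = Join-Path $dest 'malware_samples.zip'     # output file name stated in the article

if (-not (Test-Path $tool)) { throw "fsdumpqrt.exe not found at $tool" }

# 1. Preview: -l only lists the quarantine contents, nothing is written to disk.
#    Check that the false positive you want is actually in the quarantine.
& $tool -l -v

# 2. Export into a dedicated folder with a password other than the
#    well-known default ("infected").
$pw = Read-Host 'Password for the sample archive'
New-Item -ItemType Directory -Path $dest -Force | Out-Null
& $tool -d $dest -p $pw

# 3. Confirm that the archive was written and record its SHA-256, for example
#    for a support ticket or a false-positive submission.
if (-not (Test-Path $zip)) { throw "Expected archive $zip was not created" }
Get-FileHash -Path $zip -Algorithm SHA256 | Format-List Path, Hash
```

The archive still contains every item that was in the quarantine, so extract only the file you need and leave the rest inside the password-protected ZIP.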