With our new release 1.9.8, the ISPProtect malware scanner now supports quarantining found malware.
You can either enable quarantining on a scan, so malware files get moved as soon as the scan completes, or you can quarantine hits on an already completed scan. Of course you can restore files from quarantine, too.
Quarantine during scan
To enable quarantining, just add the --quarantine argument to your call, e. g.:
ispp_scan --path=/var/www --quarantine
All quarantined files will be moved into a directory "quarantine" inside your ISPProtect path.
%>ls -l /usr/local/ispprotect/quarantine/
total 4
drwxr-s--- 3 root root 4096 May 31 15:14 20160531130303
The malware files are stored with full path in the quarantine directory so you can restore them easily by hand. If you want to restore all quarantined files from a scan, just use the --restore function (see below).
Quarantine a completed scan
If you want to move files to quarantine, but you forgot to add the parameter to your scan, you can do it later, as long as you did not delete your found_malware_xxxxxx.txt file from the ISPProtect path.
Just call
ispp_scan --quarantine=XXX
where XXX is your scan id, e. g. 20160531130303 in the example above. The scan id is part of the malware list file name (e. g. found_malware_20160601200101.txt means the scan id is 20160601200101).
Quarantining all hits
By default, the quarantine feature only moves those files for which we consider the risk of a false positive to be low. If you want ISPProtect to move all files, add the --all parameter.
ispp_scan --path=/var/www --quarantine --all
or
ispp_scan --quarantine=20160531130303 --all
Please keep in mind that there might be a higher risk of false positives, so non-infected files might be moved, too.
Restoring files
You can restore quarantined files at any time, if you did not delete the corresponding directory.
Just call ISPProtect with --quarantine=XXX --restore. This will read all files from the quarantine of scan XXX and restore the files. If any of the files exist in the path you moved them from, you will be asked whether to overwrite or not. You can force overwriting all files by adding --force-yes as an argument.
ispp_scan --quarantine=20160531130303 --restore
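To illustrate the quarantine layout described above (files stored under quarantine/<scan id>/<original full path>) and the restore semantics, here is an added example in POSIX sh; it is not ISPProtect's own code, the function names and the constructed sample tree are assumptions of this example, and instead of the interactive overwrite prompt it skips existing files unless "force" is passed.

```shell
#!/bin/sh
# Added example, not ISPProtect's own code: restore files from a quarantine tree laid
# out as <ISPProtect path>/quarantine/<scan id>/<original full path>, the layout the
# post describes. Unlike the real --restore, existing files are skipped (not prompted
# for) unless the third argument is "force"; skipped files stay in quarantine.
# Function names and the sample tree below are this example's own assumptions.

# restore_quarantine QUARANTINE_DIR SCAN_ID [force]
# Exit status: 0 all files restored, 1 some files skipped, 2 no such scan.
restore_quarantine() {
    qdir="$1/$2"
    force="${3:-}"
    [ -d "$qdir" ] || { echo "no quarantine directory for scan $2" >&2; return 2; }
    # The path below the scan directory is the file's original absolute path.
    find "$qdir" -type f | while IFS= read -r qfile; do
        dest="${qfile#"$qdir"}"
        if [ -e "$dest" ] && [ "$force" != force ]; then
            echo "skipping $dest: exists at original location (pass force to overwrite)" >&2
            continue
        fi
        mkdir -p "$(dirname "$dest")"
        mv -f "$qfile" "$dest"
    done
    # Anything still in the tree was skipped; the loop ran in a subshell, so check here.
    [ -z "$(find "$qdir" -type f)" ] || return 1
    return 0
}

# Constructed sample data: one quarantined file for scan 20160531130303 whose
# original location is $root/www/site/shell.php. Prints the temporary root.
make_sample_quarantine() {
    root=$(mktemp -d)
    scan=20160531130303
    orig="$root/www/site/shell.php"
    mkdir -p "$root/quarantine/$scan$(dirname "$orig")"
    printf 'quarantined sample' > "$root/quarantine/$scan$orig"
    echo "$root"
}

# Stand-alone demo: restore the sample file and show where it ended up.
if [ "${1:-}" = demo ]; then
    root=$(make_sample_quarantine)
    restore_quarantine "$root/quarantine" 20160531130303 && ls -l "$root/www/site/"
    rm -rf "$root"
fi
```

Run it as `sh restore_example.sh demo` to see the sample file moved back; a non-zero exit status tells you that something was left in quarantine.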
Marius Burkard has been working as a software developer for 20 years and has several years of experience as a server administrator. As one of the lead developers of the ISPConfig control panel and technical contact for several hundred web hosting customers, he has extensive experience with malware, hacked websites and the analysis of vulnerabilities.