can't restore a quarantined folder



I am trying to restore a quarantined folder on my Mac that was in /Users/<user>/.keys

using the options

Detection History -> Quarantined items -> Restore -> Restore (dialog)

but after this, the item remains as a quarantined item. I tried it several times.

The contents of this folder are text files with passwords and access credentials from different systems that I manage.

I need to recover this ASAP, how can I do that?

Thank you.

Juan.

 


  • Staff
18 hours ago, juancarlos said:

Detection History -> Quarantined items -> Restore -> Restore (dialog)

That should result in 1) the item being restored to its original location, 2) being removed from the quarantine list, and 3) a system notification being shown that the item was restored. If you're not seeing that, I'd definitely try restarting your Mac, as Porthos suggested, and then try again.

Note, though, that at the current time there's nothing that will prevent that from being detected again on the next scan.

As an aside, I'd suggest that plain text files inside a hidden folder isn't a good method for storing credentials, as that hidden ".keys" folder would be quite conspicuous to anyone who gained access and was looking for credentials. You ought to put them in a password manager or some other encrypted file (such as an encrypted disk image created with Disk Utility).


1 hour ago, treed said:

That should result in 1) the item being restored to its original location, 2) being removed from the quarantine list, and 3) a system notification being shown that the item was restored. If you're not seeing that, I'd definitely try restarting your Mac, as Porthos suggested, and then try again.

Note, though, that at the current time there's nothing that will prevent that from being detected again on the next scan.

As an aside, I'd suggest that plain text files inside a hidden folder isn't a good method for storing credentials, as that hidden ".keys" folder would be quite conspicuous to anyone who gained access and was looking for credentials. You ought to put them in a password manager or some other encrypted file (such as an encrypted disk image created with Disk Utility).

I already tried restarting (twice), it is the solution proposed in the forums, but it does not work.

I know that that folder name is inappropriate for this software, as soon as I can recover it, I will change its name.

Just mention that they were "text files", so they are not supposed to be files that could be suspicious, the files are not stored in plain text, they are encrypted with GPG.

Please look at this .mp4 with the result of the attempt to remove this folder from quarantine.

Is there any possibility to manually recover this folder from quarantine?

 

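An added example, not part of the original thread: before moving a folder like the one discussed here into a password manager or encrypted disk image, a quick audit can confirm that every file in it is OpenPGP-encrypted and not accessible to other accounts. The file names and contents below are constructed samples, and the header check is a heuristic; `gpg --list-packets` remains the authoritative test.

```python
import os
import stat
import tempfile

ARMOR = b"-----BEGIN PGP MESSAGE-----"
# OpenPGP packet tags that can open an encrypted message (RFC 4880):
# 1 public-key ESK, 3 symmetric-key ESK, 9 encrypted data, 18 encrypted + MDC.
ENCRYPTED_TAGS = {1, 3, 9, 18}

def classify(data):
    """Classify leading bytes as 'armored', 'binary' or 'not-encrypted'."""
    if data.lstrip().startswith(ARMOR):
        return "armored"
    if not data or not data[0] & 0x80:  # every packet header has bit 7 set
        return "not-encrypted"
    first = data[0]
    # Bit 6 selects the new header format (tag in bits 5-0) or old (bits 5-2).
    tag = first & 0x3F if first & 0x40 else (first & 0x3C) >> 2
    return "binary" if tag in ENCRYPTED_TAGS else "not-encrypted"

def audit(folder):
    """Return (file name, problem) pairs for every file under folder."""
    findings = []
    for root, _dirs, files in os.walk(folder):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if classify(fh.read(64)) == "not-encrypted":
                    findings.append((name, "not OpenPGP-encrypted"))
            if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                findings.append((name, "accessible to group/other"))
    return findings

def demo():
    """Audit a constructed folder: two encrypted files and one plaintext."""
    samples = {  # name: (constructed content, file mode)
        "vpn.txt.asc": (ARMOR + b"\n\n(constructed body)\n", 0o600),
        "db.gpg": (bytes([0x85, 0x01, 0x0C]) + bytes(8), 0o600),
        "router.txt": (b"user:example-password\n", 0o644),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (content, mode) in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            os.chmod(path, mode)
        return audit(tmp)

if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```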

  • Staff

Unfortunately, restoring manually isn't possible, as the quarantine is encrypted. (This is to prevent other antivirus software that may be on the system from detecting things in our quarantine, among other things.)

What your video shows is definitely not normal, and I think our devs are going to need to see the logs and quarantine database (which does not include the actual quarantined items). Can you follow the instructions at the following link to download our support tool and run it?

https://support.malwarebytes.com/hc/en-us/articles/360038519834-Upload-logs-to-your-ticket-using-the-Malwarebytes-Support-Tool-for-Mac

Once you've done that, send me a direct message and attach the MWB_Info.zip file produced by the support tool. (Don't attach it publicly here.)


18 hours ago, juancarlos said:

Just mention that they were "text files", so they are not supposed to be files that could be suspicious, the files are not stored in plain text, they are encrypted with GPG.

Just a note that it is the hidden .keys directory that makes its contents suspicious, not anything about the files themselves.


  • Staff

Can you try the following?

  1. In the Finder, choose Go to Folder from the Go menu, and paste the following path into the window that appears:
    /Library/Application Support/Malwarebytes/MBAM/LogsEx/
  2. Click the "Go" button
  3. In the window that opens, you should see files named RTProtectionDaemon.log and SettingsDaemon.log. Delete those two files, and only those two.
  4. Restart your computer
  5. Open the Malwarebytes app and try restoring again
  6. If it fails, please go back to that LogsEx folder and send me the new RTProtectionDaemon.log and SettingsDaemon.log files