CIS Quarantine Problem!

The Quarantine folder on my drive has literally blown up. I have not set CIS to quarantine anything, but suddenly today I have over a HUNDRED GIGS of space used up by it, but the VIEW QUARANTINE shows nothing in it! I know I have nothing on my drives that I am concerned about at this time. How can I view what is in Quarantine and restore it?

CIS v7.0.317799.4142
DB v19585

Normally you can’t access the Quarantine folder with Explorer. You will be blocked from accessing it because of a user rights limitation that is set on the folder. You will have to do a take-ownership procedure to be able to access it.

Ok, I can do that - what do I do after that to recover the files?

Once you have taken ownership you can do what you normally can do when accessing a folder with Explorer. I am assuming that you want to delete what is in the blown up quarantine folder.

NO! I want to know what is in it first! It may have done a lot of false quarantines :frowning:

Hi DeathStalker77,
Viewing CIS logs may shed some light on what has occurred.
View CIS Logs-Comodo Help

Kind regards.

I did an export of the AV log - it had a boatload of false positives in it - everything is stored in the TEMP folder (not the DATA folder) under Quarantine, does that make any difference?

====

Problem is, while I can move the files, there is no way to relate what the “{xxx}” file names are to the ACTUAL name of what was incorrectly quarantined.

==========

Now, had a power failure this morning, and Comodo Service won’t start, and repair is not an option, so I have to reinstall.

===========

This is going to be a GREAT problem if I lose all this data … >(

If I recall correctly the Temp folder in the Quarantine folder holds files used for updating the AV. Do the names of the files look like variations of b0019657.cav?

Can you post a screenshot of the Temp folder?

No, all of the files (almost 2 MILLION files!) look like Class files {8D54-xxxxx-xxxxx-xxxxxxxxx}, etc (not those exact segment lengths, but you get the idea).

Since, even after repeated reboots, Comodo Service won’t start, and it can’t be repaired, if I do a CHANGE and allow it to re-install, will it preserve the current settings and the Quarantine folder?

When uninstalling I think it will delete the quarantine folder.

I seriously doubt that even a boatload of false positives would use up Gigabytes worth of data. But to make a more educated guess it’s better to look at the AV logs to see what is being flagged as quarantined. Could you attach the logs?

Assuming various files have been accidentally quarantined as false positives we can safely assume they were not Windows system files as you would expect Windows to complain or act strangely. That means that possible quarantine actions are on applications which are usually easy enough to reinstall or do a repair install. I wouldn’t be too afraid to delete that Temp folder.

But first let us look at the logs.

The logs flagged 417 items as suspicious, but none of them indicate blocked or quarantined. Looking at the size of the files, some of them are up to 37+gb, which makes no sense.

I looked at the log entries, and checked the locations of the files on my drives, and the files that were “detected” are all still there.

What about this - I am able to move the files (though they move VERY slowly, as compared to “normal” files) - if I uninstall/re-install Comodo, and then put them BACK in the folder, will Comodo automatically find them? Or does it just display the items based on the pre-generated log?

I do NOT like deleting this much data without knowing WHAT it is and HOW it got there.

So I re-installed Comodo, deselecting Antivirus, since the only choices were the firewall or the AV - that DID wipe out the Quarantine folder. I tried copying some of the moved files back in and it still does not recognize them.

I am going to be SERIOUSLY PO’d if this program cannot recover these enough to tell me what the heck they were! This is a MAJOR issue imho.

Nothing was quarantined or removed. That

What about this - I am able to move the files (though they move VERY slowly, as compared to "normal" files) - if I uninstall/re-install Comodo, and then put them BACK in the folder, will Comodo automatically find them? Or does it just display the items based on the pre-generated log?

I do NOT like deleting this much data without knowing WHAT it is and HOW it got there.

None of the flagged files were moved to quarantine. Nothing was changed on your system.

The big amount of data in the Quarantine folder certainly is an anomaly but from your reports there were no changes made to your system.

With the latter in mind you could erase the data. This is an unknown anomaly of which I do not know the cause. To learn the cause we would have to keep an eye on what’s happening from a clean slate and see what happens with false positive detections and cross reference that with date and time of files written to the Quarantine folder. Then we might be able to see a pattern and call it a bug.
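
The cross-referencing suggested in the last reply, as an added example that is not part of the original thread and is not Comodo code: it lists the files in a folder with their sizes and write times, then matches each detection time against files written shortly afterwards. Assumptions: the detection rows are constructed samples (the exported AV log format is not shown in the thread, so parsing it is left out), and the 60-second window and the function names are hypothetical choices.

```python
import bisect
import os
import sys
from datetime import datetime, timedelta

def scan_folder(folder):
    """Return [(name, size, mtime)] for files directly in folder, oldest first."""
    rows = []
    with os.scandir(folder) as entries:
        for e in entries:
            if e.is_file(follow_symlinks=False):
                st = e.stat(follow_symlinks=False)
                rows.append((e.name, st.st_size, datetime.fromtimestamp(st.st_mtime)))
    return sorted(rows, key=lambda r: r[2])

def correlate(detections, files, window=timedelta(seconds=60)):
    """Match each detection (time, path) to files written within `window` after it.

    Returns ({detection: (file_count, total_bytes)}, unmatched_files).
    Bisecting the sorted write times keeps this usable on millions of files.
    """
    mtimes = [f[2] for f in files]
    matched = [False] * len(files)
    per_detection = {}
    for det in detections:
        lo = bisect.bisect_left(mtimes, det[0])
        hi = bisect.bisect_right(mtimes, det[0] + window)
        per_detection[det] = (hi - lo, sum(f[1] for f in files[lo:hi]))
        matched[lo:hi] = [True] * (hi - lo)
    unmatched = [f for f, m in zip(files, matched) if not m]
    return per_detection, unmatched

if __name__ == "__main__":
    # Constructed sample detection; replace with rows taken from the exported AV log.
    detections = [(datetime(2014, 1, 1, 12, 0, 0), r"C:\example\app.exe")]
    files = scan_folder(sys.argv[1])  # folder to inspect, given on the command line
    per_detection, unmatched = correlate(detections, files)
    for (when, path), (count, size) in per_detection.items():
        print(f"{when}  {path}: {count} files, {size} bytes written within window")
    print(f"{len(unmatched)} of {len(files)} files match no detection")
```

A detection that lines up with a large number of bytes written is the pattern the reply is looking for; a large unmatched remainder points to something other than the logged detections filling the folder.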