Files in .quarantine folder flagged as infected by ImmunifyAV

grindlay

Well-Known Member
Dec 8, 2004
58
5
158
Edinburgh, Scotland
cPanel Access Level
Root Administrator
I'm running the ImmunifyAV WHM plugin and have been for a while. Yesterday it scanned all my accounts in /home*/* and found a number of infected files. These are all in /home/user/.quarantine. They were easy to delete and subsequent manual scans showed clean.
My question is: what application creates the .quarantine folder - is it cPanel or the ImmunifyAV plugin? If there are files in /home/user/.quarantine, how do they get there - presumably they are scanned (by mod_security/CXS/Immunify) and identified as malicious, but did they originate from real infected files in the user's dir?
Appreciate any clarification on this, thanks.
 

grindlay

Well-Known Member
Dec 8, 2004
58
5
158
Edinburgh, Scotland
cPanel Access Level
Root Administrator
thank you - that's very helpful. I'm trying to back-trace the infection to find out if I got hit by some vulnerability but not knowing the original source file makes this quite hard. I guess it will be in the Immunify log files somewhere so I'll try that next.