Files in .quarantine folder flagged as infected by ImmunifyAV

[grindlay]

I'm running the ImmunifyAV WHM plugin and have been for a while. Yesterday it scanned all my accounts in /home*/* and found a number of infected files. These are all in /home/user/.quarantine. They were easy to delete and subsequent manual scans showed clean.
My question is: what application creates the .quarantine folder - is it cPanel or the ImmunifyAV plugin? If there are files in /home/user/.quarantine, how do they get there - presumably they are scanned (by mod_security/CXS/Immunify) and identified as malicious, but did they originate from real infected files in the user's dir?
Appreciate any clarification on this, thanks.

 

[cPanelAnthony]

Hello! This directory would be used by ClamAV and ImunifyAV. When a scan is ran and the option for quarantining files is enabled, malicious files will get moved to this quarantine directory for further review. They are supposed to originate from real infected files as well.

 

[grindlay]

thank you - that's very helpful. I'm trying to back-trace the infection to find out if I got hit by some vulnerability but not knowing the original source file makes this quite hard. I guess it will be in the Immunify log files somewhere so I'll try that next.