#35462 ClamAV quarantines files on kickstart restore

Posted in ‘Site restoration’

Environment Information

PHP version: n/a
CMS Type: Other
CMS Version: n/a
Backup Tool Version: n/a
Kickstart version: n/a

chandigital

I am unable to restore my Joomla site to my NameCheap shared hosting account because ClamAV (on NameCheap) is detecting several of the SQL site files as malicious and is quarantining them. As a result, the database restore portion of Kickstart is failing with an HTTP 500 error. When it retries, it reports the affected site.sNNN files as missing and cannot proceed.

See attached screenshot

Any suggestions on how to best handle this? NameCheap cannot / will not disable ClamAV for shared hosting.

chandigital

Could an admin please remove the screenshot I had previously attached? It contains sensitive info that I should not have attached.

The email that I received from Namecheap contains the following lines:

We have put the following content into quarantine as we believe it contains viruses or other malicious code. If you feel this has been in error and 
your file is false-positive (innocent), please submit a ticket to us at https://support.namecheap.com/index.php?/Tickets/Submit or contact 
the Live Help at http://www.namecheap.com/support/livesupport.aspx and we will be happy to assist:

  'ClamAV detected virus = [YARA.eval_post.UNOFFICIAL]':    /home/.../public_html/installation/sql/site.s163
  'ClamAV detected virus = [YARA.eval_post.UNOFFICIAL]':    /home/.../public_html/installation/sql/site.s164
  'ClamAV detected virus = [YARA.eval_post.UNOFFICIAL]':    /home/.../public_html/installation/sql/site.s165

--
  Regards,
  NameCheap Hosting Team

nicholas
Akeeba Staff
Manager

Extract the backup archive file locally. You can set up a local web server such as MAMP, WAMPServer, XAMPP etc to run Kickstart on your computer to extract the backup archive. Do NOT click on the “Run the installer” button. When you see that just close the browser tab with Kickstart. Next up, delete kickstart.php and the backup archive from your local server. Upload everything else to your live server. This will take several hours since you're transferring thousands of small files. It typically takes between 2 and 8 hours for a relatively small file to upload as individual files, as opposed to the few minutes it takes uploading a backup archive.

If they quarantine the files you upload manually then you will need to change hosts. Do note that Joomla itself (and WordPress, and Drupal and everything else) includes SQL files for installing itself. If they are quarantining all SQL files you upload manually you can't even install a new site manually which makes it a rather useless host.

IMHO, NameCheap is only good for domain names. Their other services are bottom of the barrel quality with a price that doesn't match the service quality offered. 

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

chandigital

Thanks for your reply. Assuming I am able to successfully upload the files, how can I continue the restore process without the kickstart php file? Doesn't the database need to be imported into the database from the site.s* files?

BTW, can the uploaded file in the original ticket be removed? It contains sensitive data.

 

nicholas
Akeeba Staff
Manager

Kickstart is not a restoration script, it's merely an archive extraction tool. The actual restoration script is put in the backup archive at backup time, in the installation directory. The installation directory is special. If it exists, Joomla will redirect you to it when you try to access your site.

Therefore, after uploading your files, you can just try to access your site. You will be redirected to /installation/index.php where you'll see the first page of ANGIE, the site restoration script.

Just one note. After extracting the files locally do remember to rename the .htaccess file (if it exists!) to htaccess.bak to avoid any issues when restoring the site.

PS: All attachments, even in public tickets, are visible ONLY to the person who filed the ticket and our support staff. Copy the URL to your ticket, log out from the site and try to access the ticket URL again. No attachments! Magic :) This is one of the features which are unique to our Akeeba Ticket System helpdesk software.


chandigital

Thank you for taking time to provide your excellent support and detailed explanations! 

It appears that the NameCheap ClamAV setup was having issues with the contents of certain SQL site.sNNN files that contained insert statements for the #__admintools_log table. ClamAV would quarantine them within a minute of my uploading these files, not based on a file signature (I tried modifying the files by inserting extra spaces to force a change to the signature) but possibly through regex string matching. It's ironic that the files containing log records of blocked intrusion attempts got quarantined. I was able to work around the issue by merely creating blank files with matching names of the affected files.
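
An added example, not part of the original ticket and not Akeeba's code: rather than blanking whole part files, this sketch drops only the INSERT statements for `#__admintools_log` from a dump's text, using a quote-aware splitter so that semicolons inside logged request data do not cut a statement short. It assumes the site.sNNN parts are plain SQL text with `;`-terminated statements and the `#__` prefix placeholder; the function names and the sample dump are constructed for illustration.

```python
import re

# Assumption: the table name as written in the dump, with Joomla's "#__" prefix placeholder.
LOG_TABLE = "#__admintools_log"

def split_statements(sql):
    """Split SQL text on ';' characters that lie outside quoted strings/identifiers."""
    statements, start, quote, i = [], 0, None, 0
    while i < len(sql):
        ch = sql[i]
        if quote:
            if ch == "\\" and quote != "`":
                i += 1                      # skip the backslash-escaped character
            elif ch == quote:
                quote = None                # a doubled quote ('') simply reopens next
        elif ch in "'\"`":
            quote = ch
        elif ch == ";":
            statements.append(sql[start:i + 1])
            start = i + 1
        i += 1
    if sql[start:].strip():
        statements.append(sql[start:])      # trailing text without a final ';'
    return statements

def strip_table_inserts(sql, table=LOG_TABLE):
    """Return (cleaned_sql, dropped_count) with INSERT/REPLACE rows for `table` removed."""
    pattern = re.compile(
        r"\s*(INSERT|REPLACE)\s+(IGNORE\s+)?INTO\s+`?" + re.escape(table) + r"`?[\s(]",
        re.IGNORECASE,
    )
    kept, dropped = [], 0
    for stmt in split_statements(sql):
        if pattern.match(stmt):
            dropped += 1
        else:
            kept.append(stmt)
    return "".join(kept), dropped

# Constructed sample dump; the log row holds placeholder text, not a real payload.
SAMPLE = (
    "INSERT INTO `#__content` (`id`,`title`) VALUES (1,'Hello; world');\n"
    "INSERT INTO `#__admintools_log` (`id`,`reason`,`extradata`) VALUES "
    "(7,'rfishield','blocked request; logged text here\\'s escaped');\n"
    "INSERT INTO `#__users` (`id`,`name`) VALUES (42,'admin');\n"
)

if __name__ == "__main__":
    cleaned, dropped = strip_table_inserts(SAMPLE)
    print(f"dropped {dropped} statement(s)")
    print(cleaned)
```

Run it on a copy of the extracted `installation/sql` files and compare the dropped count with what you expect before uploading the cleaned parts.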

nicholas
Akeeba Staff
Manager

Okay, that does actually make sense. This also gives us a good way to avoid this problem in the future.

You do not need to back up the contents of the #__admintools_log table; these are not useful when restoring or transferring a site. So, for each backup profile, exclude the contents of that table (second button from the left, labeled “Exclude contents”) in the Database Table Exclusion page of Akeeba Backup.


System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
