Windows Defender (Security) quarantined a PHP file I have been working on and restore doesn't work.
I was mapped into one of my servers and Windows Security claimed that a text file I've been working on (projects.php) was a virus and quarantined it. This took me by surprise since I'm not in the habit of writing viruses and I don't think I could if I wanted to.
Anyway, I saw this file in Protection history and selected the Restore option (and yes, I was very careful to select Restore). It gave me the notice "This threat or app has been allowed and will not be remediated in the future", but the file was NOT returned to the location it was in before it was quarantined.
I looked up where quarantined files are kept (C:\ProgramData\Microsoft\Windows Defender\Quarantine) and I did find some folders and what appears to be an encoded file with the same date/time that the quarantine happened. I assume this is the file I want. Is there any way to decode this?
I also tried an administrator command line option I found from the Windows Defender programs folder:
mpcmdrun -restore -listall
This command did show the projects.php file as quarantined, but then I ran this:
mpcmdrun -restore -all
This produced an error that there are no quarantined items.
I still can see the encoded? file in the %ProgramData%\Microsoft\Windows Defender\Quarantine folder that has the same date/time that the file was quarantined. I'm hoping this can be manually decoded into my projects.php file, but it's currently some kind of binary file: 3C9ED6E7DC4FE0132570B6AC0C5D76293CAB6888
Any help getting this file would be appreciated since this is a new development server I spun up and have not yet set up any backup for it, so I've lost about a week of development (I accept responsibility for this oversight :-)
- My workstation is Windows 10 Pro, version 1909.
- The server I was mapped to is Windows Server 2012 R2 running as a VM in XCP-NG.