{"id":14908,"date":"2025-10-29T00:21:37","date_gmt":"2025-10-29T06:21:37","guid":{"rendered":"https:\/\/www.supportpro.com\/blog\/?p=14908"},"modified":"2025-10-29T00:23:12","modified_gmt":"2025-10-29T06:23:12","slug":"how-to-restore-safe-files-flagged-by-cpguard-false-positives-fix","status":"publish","type":"post","link":"https:\/\/www.supportpro.com\/blog\/how-to-restore-safe-files-flagged-by-cpguard-false-positives-fix\/","title":{"rendered":"How to Restore Safe Files Flagged by CPGuard (False Positives Fix)"},"content":{"rendered":"\n<p>If you\u2019ve been running CPGuard for a while, you\u2019ve probably seen it happen that a clean file gets flagged as \u201cinfected.\u201d<br>Don\u2019t panic. It doesn\u2019t mean your site\u2019s hacked. It\u2019s just a <strong>false positive<\/strong>, and even the best malware scanners do that sometimes.<\/p>\n\n\n\n<p>The good news? CPGuard gives you full control through its <strong>command-line tool<\/strong>, so you can check what got caught, verify it\u2019s clean, and bring it back in just a few commands.<\/p>\n\n\n\n<p>Here\u2019s how I usually handle it when it happens on a client\u2019s server.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 1: Check What Got Quarantined<\/strong><\/h3>\n\n\n\n<p>When CPGuard thinks a file is risky, it doesn\u2019t delete it right away \u2014 it moves it into a quarantine folder for safety.<br>To see what\u2019s sitting there, run:<\/p>\n\n\n\n<p>cpguard &#8211;list-quarantine<\/p>\n\n\n\n<p>You\u2019ll get a list of files that CPGuard has isolated, along with the reason it was flagged and the date.<br>Scroll through the list and note the filename that looks suspicious or one you\u2019re sure should be safe.<\/p>\n\n\n\n<p><em>(If you manage multiple sites on the same server, this command helps you spot what\u2019s been flagged where.)<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 2: Make Sure the File\u2019s Actually Clean<\/strong><\/h3>\n\n\n\n<p>Don\u2019t restore the file right away. Take a minute to check it. Sometimes a real infection hides behind something that looks familiar.<\/p>\n\n\n\n<p>Here\u2019s what I usually do:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.supportpro.com\/freecheckup.php\" title=\"\">Scan <\/a>the file using another antivirus or malware tool.<\/li>\n\n\n\n<li>Upload it to some<a href=\"https:\/\/www.supportpro.com\/freecheckup.php\" title=\"\"> malware scanner <\/a>for a second opinion.<\/li>\n\n\n\n<li>Look at its location. If it\u2019s part of the CMS or plugin folder and know it hasn\u2019t changed recently, it\u2019s probably safe.<\/li>\n<\/ul>\n\n\n\n<p>If everything looks clean and consistent, move on to restoring it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 3: Restore the File<\/strong><\/h3>\n\n\n\n<p>Once you\u2019re sure it\u2019s safe, use this command to restore it:<\/p>\n\n\n\n<p>cpguard &#8211;restore &lt;filename&gt;<\/p>\n\n\n\n<p>Example:<\/p>\n\n\n\n<p>cpguard &#8211;restore index.php<\/p>\n\n\n\n<p>This command pulls your file out of quarantine and puts it back in the same spot where it was before. It usually works instantly. You can double-check with the ls command to make sure it\u2019s back in place.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Step 4: Run a Quick Scan Afterward<\/strong><\/h3>\n\n\n\n<p>After restoring, it\u2019s smart to run a fresh scan \u2014 just to be sure CPGuard doesn\u2019t catch it again or something else isn\u2019t lurking nearby.<\/p>\n\n\n\n<p>cpguard &#8211;scan now<\/p>\n\n\n\n<p>If your restored file doesn\u2019t show up in the results this time, you\u2019re good to go. It\u2019s always better to confirm than assume.<\/p>\n\n\n\n<p>Plus, if you\u2019re certain it was a false alarm, it\u2019s worth reporting it to the <strong>CPGuard support team<\/strong>.<br>Send them the log entry or even the file sample. They\u2019ll review it and, if needed, adjust their detection rules so it doesn\u2019t trigger again.<br>It helps everyone using CPGuard in the long run.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Quick Reference Table<\/strong><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><div class=\"pcrstb-wrap\"><table class=\"has-fixed-layout\"><tbody><tr><td><strong>Task<\/strong><\/td><td><strong>Command<\/strong><\/td><\/tr><tr><td>List quarantined files<\/td><td>cpguard &#8211;list-quarantine<\/td><\/tr><tr><td>Restore a file<\/td><td>cpguard &#8211;restore &lt;filename&gt;<\/td><\/tr><tr><td>Add an exclusion path<\/td><td>cpguard &#8211;exclude add &lt;path&gt;<\/td><\/tr><tr><td>List all exclusions<\/td><td>cpguard &#8211;exclude list<\/td><\/tr><tr><td>Run a scan<\/td><td>cpguard &#8211;scan now<\/td><\/tr><\/tbody><\/table><\/div><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Wrapping It Up<\/strong><\/h3>\n\n\n\n<p>False positives are annoying, but they\u2019re nothing new. Every <a href=\"https:\/\/www.supportpro.com\/freecheckup.php\" title=\"\">scanner<\/a>, even enterprise-grade ones \u2014 makes a mistake now and then. The key is knowing how to fix it without breaking your site. With CPGuard\u2019s <a href=\"https:\/\/www.supportpro.com\/blog\/how-to-use-cpguard-cli-for-powerful-server-protection\/\" title=\"\">CLI<\/a>, it only takes a few steps: find the quarantined file, double-check it, restore it, and confirm with a quick scan. No downtime, no drama, just back to normal.<\/p>\n\n\n\n<p>If you work with <a href=\"https:\/\/www.supportpro.com\/softwareinstallation.php\" title=\"\">multiple servers<\/a> or clients, keep this guide bookmarked. Also, contact the <a href=\"https:\/\/www.supportpro.com\/softwareinstallation.php\" title=\"\">SupportPRO <\/a>for further assistance. You\u2019ll probably need it again sooner or later.<\/p>\n\n\n\n<div class=\"wp-block-media-text alignwide has-media-on-the-right is-stacked-on-mobile is-vertically-aligned-center has-white-background-color has-background\"><div class=\"wp-block-media-text__content\">\n<p class=\"has-large-font-size\">Facing issues? <\/p>\n\n\n\n<p class=\"has-large-font-size\">Our technical support<br>engineers can solve it. <\/p>\n\n\n\n<!--HubSpot Call-to-Action Code --><span class=\"hs-cta-wrapper\" id=\"hs-cta-wrapper-3350a795-db50-482f-9911-301930d1b1be\"><span class=\"hs-cta-node hs-cta-3350a795-db50-482f-9911-301930d1b1be\" id=\"hs-cta-3350a795-db50-482f-9911-301930d1b1be\"><!--[if lte IE 8]><div id=\"hs-cta-ie-element\"><\/div><![endif]--><a href=\"https:\/\/cta-redirect.hubspot.com\/cta\/redirect\/2725694\/3350a795-db50-482f-9911-301930d1b1be\" ><img decoding=\"async\" class=\"hs-cta-img\" id=\"hs-cta-img-3350a795-db50-482f-9911-301930d1b1be\" style=\"border-width:0px;\" src=\"https:\/\/no-cache.hubspot.com\/cta\/default\/2725694\/3350a795-db50-482f-9911-301930d1b1be.png\"  alt=\"Contact Us today!\"\/><\/a><\/span><script charset=\"utf-8\" src=\"https:\/\/js.hscta.net\/cta\/current.js\"><\/script><script type=\"text\/javascript\"> hbspt.cta.load(2725694, '3350a795-db50-482f-9911-301930d1b1be', {\"useNewLoader\":\"true\",\"region\":\"na1\"}); <\/script><\/span><!-- end HubSpot Call-to-Action Code -->\n<\/div><figure class=\"wp-block-media-text__media\"><img fetchpriority=\"high\" decoding=\"async\" width=\"904\" height=\"931\" src=\"https:\/\/www.supportpro.com\/blog\/wp-content\/uploads\/2022\/09\/Free-server-checkup.png\" alt=\"guy server checkup\" class=\"wp-image-12943 size-full\" srcset=\"https:\/\/www.supportpro.com\/blog\/wp-content\/uploads\/2022\/09\/Free-server-checkup.png 904w, https:\/\/www.supportpro.com\/blog\/wp-content\/uploads\/2022\/09\/Free-server-checkup-291x300.png 291w, https:\/\/www.supportpro.com\/blog\/wp-content\/uploads\/2022\/09\/Free-server-checkup-768x791.png 768w, https:\/\/www.supportpro.com\/blog\/wp-content\/uploads\/2022\/09\/Free-server-checkup-585x602.png 585w\" sizes=\"(max-width: 904px) 100vw, 904px\" \/><\/figure><\/div>\n","protected":false},"excerpt":{"rendered":"<p>If you\u2019ve been running CPGuard for a while, you\u2019ve probably seen it happen that a clean file gets flagged as \u201cinfected.\u201dDon\u2019t panic. It doesn\u2019t mean your site\u2019s hacked. It\u2019s just&hellip;<\/p>\n","protected":false},"author":4,"featured_media":14909,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[169,316,181,4,332],"tags":[],"class_list":["post-14908","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-dedicated-servers","category-security","category-server-checkup","category-server-security","category-troubleshooting"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/14908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/comments?post=14908"}],"version-history":[{"count":1,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/14908\/revisions"}],"predecessor-version":[{"id":14910,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/posts\/14908\/revisions\/14910"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/media\/14909"}],"wp:attachment":[{"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/media?parent=14908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/categories?post=14908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.supportpro.com\/blog\/wp-json\/wp\/v2\/tags?post=14908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}