Quarantine Files Overview

Version 3

    Purpose

     

    Describes quarantine files and how to restore them if required.

     

    Overview

    Information

     

    Key Points

    • Only Managers and Administrators may delete or restore files. The user must be a member of the AV_QUARANTINE_MANAGE role to perform either operation.
    • Every other user can view the quarantine items as long as they are a member of the AV_QUARANTINE_ACCESS role.
    • The report defaults to 90 days of records. If a different range is required, change the date filter.
    • Users can filter, sort and group records.
    • The grid is keyed by filename, so a file quarantined across multiple endpoints appears only once in the grid. Expanding the row shows child rows listing the endpoints affected by that quarantined file.
    • Endpoints affected: the total number of endpoints on which this file is quarantined, given the filter properties selected.
    • Last detection date: the last detection date of the virus, in UTC.
    • Virus name: the name of the virus detected in the file.
    • Stored procedure: spAV_AlertsList
    • Data is stored in a number of tables, the primary one being EndPointAVAlert in the UPCCommon database.
    • The quarantine location on the endpoint is C:\ProgramData\HEAT Software\EMSSAgent\data\persist\live\AV\quarantine.
    • The file is processed and encrypted when it is moved into the quarantine location. If the file is open in another application or otherwise cannot be modified, that operation is not permitted and the whole quarantine action for that file is rolled back, so the file never makes it into quarantine.

     

    Delete/Restore

    • The delete is a soft delete. When the user clicks Delete and the action succeeds, the record moves from the central Quarantine page to the Virus and Malware Event alerts page.
    • The procedure that performs the delete is spAV_GetSetPendingRestoreDeleteAlerts. It updates the status of the record and raises the “AV Pending Restore Delete” datagram type, which the EDS service picks up from the event queue table EDSEventQueue.
    • EDS sends the request to the endpoint.
    • Restore works the same way. See below for details on how to restore.
    • The audit log is stored in the AuditLog table.
    • The server also writes to the EDS log file edsrolling_AVController.AvController, located under the install directory in Endpoint Distribution Services\Logs.
    • For files to be move
    • The delete may fail because:
      • Hardening is off and the file is open in an application
    • The restore may fail because:
      • A file with the same name already exists in the location the file is to be restored to
      • Hardening is off and the file is open in an application
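
    Both failure modes can be checked on the endpoint before a delete or restore is sent from the server. The PowerShell below is an added example, not code from this article or from the EMSS product: it asks for exclusive read/write access to the file (the same condition the quarantine process needs in order to rewrite and encrypt the file in place, so a file open in another application fails this check) and tests whether a same-named file already exists at the restore location. The original path, the name of the quarantined copy and the assumption that the quarantine folder keeps the original filename are assumptions for the usage lines; adjust them for the file in question. Run it as an administrator on the endpoint, since the quarantine folder is under ProgramData.

```powershell
# Added example, not part of the article or the EMSS product.
# Pre-checks for the two delete/restore failure modes listed above.

function Test-FileLocked {
    param([Parameter(Mandatory)][string]$Path)
    # Quarantine, delete and restore all rewrite the file in place, so ask for
    # exclusive read/write access. FileShare.None makes Open() throw an
    # IOException (sharing violation) if any other process has the file open;
    # UnauthorizedAccessException means it cannot be altered (read-only or ACL).
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    try {
        $fs = [System.IO.File]::Open($Path,
                                     [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::ReadWrite,
                                     [System.IO.FileShare]::None)
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $true
    }
}

function Test-RestoreTarget {
    param(
        [Parameter(Mandatory)][string]$OriginalPath,   # original location shown on the Quarantine page
        [Parameter(Mandatory)][string]$QuarantinePath  # the quarantined copy on the endpoint
    )
    $problems = @()
    # Restore fails if a file with the same name is already at the original location.
    if (Test-Path -LiteralPath $OriginalPath) {
        $problems += "restore target already exists: $OriginalPath"
    }
    # Restore (and delete) fail if the quarantined copy is open elsewhere and hardening is off.
    if (Test-FileLocked -Path $QuarantinePath) {
        $problems += "quarantined copy is open in another process or not writable: $QuarantinePath"
    }
    return $problems
}

# Usage. The quarantine folder is the one named in this article; the file names
# and the original path are hypothetical.
$quarantineDir = 'C:\ProgramData\HEAT Software\EMSSAgent\data\persist\live\AV\quarantine'

# Which quarantined files are currently locked by another process?
Get-ChildItem -LiteralPath $quarantineDir -File -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{ File = $_.Name; Locked = Test-FileLocked -Path $_.FullName }
}

# Would a restore of one file succeed? (assumes the quarantined copy keeps its original name)
$issues = Test-RestoreTarget -OriginalPath 'C:\Users\alice\Downloads\sample.exe' `
                             -QuarantinePath (Join-Path $quarantineDir 'sample.exe')
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'restore pre-checks passed' }
```

    If Test-FileLocked reports a lock, find and close the process holding the file (or enable hardening) before retrying the delete; if the restore target already exists, move or rename the existing file first, or use the “Save As...” restore described later to place the file elsewhere.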

    Filtering

    • Designed to behave like the other pages, such as the Virus and Malware Event alerts page.
    • Filters are applied after clicking the Update button. The filter selections are stored in the database so that they are restored after each page refresh.
    • It is possible to filter on either filename or path using the same textbox. The logic that decides which one is meant lives in the stored procedure.

    Endpoint

    • There are no changes to the endpoint EPUI for CQ.
    • When items are put into quarantine depends on the AV policy on the server: a real-time scan quarantines items immediately, while a recurring scan processes them when the scan runs.
    • The endpoint must have a policy assigned before a user can start a scan locally.

     

    Offline endpoints:

    • A PendingRestore/PendingDelete message stays alive on the EDS for 20 minutes (note that restarting EDS or the server kills the PendingRestore/PendingDelete message). If the endpoint comes online within this window it receives the message.
    • If the endpoint comes online after 20 minutes (when the message is no longer alive on the bus), the endpoint contacts the server and requests any PendingRestore/PendingDelete messages.

    About messages in general

    • Each time PendingRestore/PendingDelete is called from the server, the database is checked for both PendingRestore and PendingDelete statuses in dbo.EndpointAVAlert.
    • Separate files are created for Restore and Delete and can be found on the server, by default, at C:\Program Files (x86)\HEAT Software\EMSS\Content\EDSAgents\{ENDPOINT GUID}.

    Known Issue

    If the server (EDS) sends a message while the endpoint is offline, the endpoint should receive the message when it comes back online, provided this happens within a configured time (the default is 20 minutes). When the endpoint is offline the tray icon goes grey, and hovering the mouse over the icon reports that the endpoint is offline. The greying out takes approximately 2 minutes to happen.

     

    The following steps break the auto-retry mechanism in the bus for the CQ messages.

    1. Have an endpoint and server talking to each other (the standard setup with AV).
    2. Disable the network card on the endpoint PC.
    3. Using the server GUI, send a restore or a delete.
    4. Wait a few seconds for the datagram to turn into an actual endpoint message.
    5. Before the tray icon on the endpoint goes grey, re-enable the network card.

    The EDS message will not be delivered. I believe, but I am not convinced, that a new policy would trigger the message to be resent. Definitely, a restart of LMAgent would get the message to the endpoint and the action would be carried out.

     

    How to restore a Quarantine File

     

     

    Short answer: Very likely the same real-time monitoring policy that placed the file in quarantine in the first place is preventing the user from restoring it. As soon as the user restores the file, the real-time monitor pulls it straight back into quarantine.

     

    Long answer

     

    Exclude the folder from the real-time monitoring policy, then restore the file:

    1. First, check the Quarantine page to see what the original location of the file was.
    2. Edit the real-time monitoring policy assigned to this endpoint.
    3. Add that path in the “Exclude files or paths” section of the wizard.
    4. Confirm the edit by expanding the policy on the policies page.
    5. Select the file to restore, click “Save As...” and follow the dialog to place the file elsewhere on the computer.
    6. The file is saved.

    Note that a path excluded from real-time monitoring is no longer scanned, so only restore files that have been confirmed as false positives, and remove the exclusion again once the restore is done.

     

     

    Affected Product(s)

     

    EMSS