Staj, posted December 21, 2016 (edited):
We would like to start quarantining all detected threats regardless of where they originated (filesystem, web, email etc.). We keep getting into situations where ESET is able to block sophisticated threats through heuristics, but then we have no samples to send off for forensic analysis (internally or otherwise) because it's been 'cleaned'. Is this possible in versions 5 and/or 6? A Threat entry in a log just doesn't cut it these days.
Edited December 21, 2016 by Staj
MichalJ (ESET Staff), posted December 21, 2016:
Hello Staj, what tools / products / services are you using for the forensic analysis? And what is the desired output of such? As of now, a setting like the one you want is not possible within Endpoint products. If you set it to "No Cleaning" it will display an interactive window that asks the user for action, which might not be what you want. It is not possible to configure "action to take when cleaning is not possible / done" as in the case of Mail Security products (for processed mails). So, to understand you: even when the file has been cleaned / deleted, you still expect the option to put a "copy" of the file into the quarantine, right?
Staj (Author), posted December 21, 2016:
15 minutes ago, MichalJ said: "So, to understand you: even when the file has been cleaned / deleted, you still expect the option to put a "copy" of the file into the quarantine, right?"
We'd like to, yes.
Staj (Author), posted July 6, 2017 (edited):
It's my understanding a Feature Request was added for this; has there been any movement on this? The lack of this feature has hampered yet another one of our investigations. The inability to obtain and quarantine forensic samples of non-filesystem objects hampers our ability to cooperate with government CERT organisations when investigating attacks that ESET Endpoint does manage to detect.
Edited July 6, 2017 by Staj (clarification)