Threatsense parameters

[novice 20]

There are three options:

No cleaning

Normal Cleaning

Strictly cleaning

 

Which one will automatically quarantine a detected item??

I just want to quarantine, to review later and decide.

[itman 1,739]

The difference between normal and strict cleaning is normal mode an alert will be displayed if the threat can't be removed for some reason. Both modes will auto quarantine as far as I am aware of.

[novice 20]

I do not understand the term "cleaning"

If a file is altered by a virus, an antivirus performing "cleaning" would try to remove the "virus" part from the file , but preserve the file itself.

This is called cleaning.

On the other hand if a file is altered by a virus, an antivirus can simply delete the whole file or quarantine the whole file.

So, which one is which????

[Marcos 5,228]

To clean a file means to:

1, sanitize the virus code in the file (in case of viruses)
2, delete the file in case of other malware, PUAs, etc.
3, reset changes made by the malware in the registry.

[novice 20]

So, If I just want to automatically Quarantine the items, to give me the possibility to analyze it later, which option do I choose?

[Marcos 5,228]

It's not possible just to make a copy of a file in quarantine without taking an action (clean/delete).

[novice 20]

 

31 minutes ago, Marcos said:

It's not possible just to make a copy of a file in quarantine without taking an action (clean/delete).

So , if you "clean" it , there is no reason to quarantine it anymore because is clean, but the original file is lost.

If you "delete it", there is nothing left to quarantine  because is gone and again the original file is lost.

So, what is "Quarantine" for?????

I do not get it ; this is the purpose of Quarantine for each and every antivirus I used so far: to preserve the "removed" item the way it is, to give you the possibility to restore it in case of a FP, to analyze it further  or to submit it  to be analyzed.

Edited November 15, 2017 by John Alex

[peteyt 395]

1 hour ago, John Alex said:

 

So , if you "clean" it , there is no reason to quarantine it anymore because is clean, but the original file is lost.

If you "delete it", there is nothing left to quarantine  because is gone and again the original file is lost.

So, what is "Quarantine" for?????

I do not get it ; this is the purpose of Quarantine for each and every antivirus I used so far: to preserve the "removed" item the way it is, to give you the possibility to restore it in case of a FP, to analyze it further  or to submit it  to be analyzed.

I think delete might move it to the quarantine rather than just delete it. A bit like the recycle bin. Not 100 percent sure though.

[Marcos 5,228]

Before an action is taken (clean or delete), a copy of the original file is stored in a safe form in quarantine. This is exactly what "quarantine" means.

[itman 1,739]

I believe the confusion here is some AV solutions will delete in certain circumstances w/o quarantine, etc.. As such, some provide a separate GUI setting to specify quarantine action. Since this option is not provided in Eset, I assumed and @Marcos confirmed that Eset will always quarantine prior to further remediation activity.

[novice 20]

Still I do not get it:

If I have an infected file, let's say "C / Program files / infected.exe" , and ESET is able to disinfect it.

Now , being disinfected, will be left in the same location as "C / Program files / infected.exe" . At the same time , the original file will be moved to Quarantine , as "C / Program files / infected.exe "

I will end up having 2 identical files, one "disinfected" in original location and one "infected" in Quarantine. Will be hard to say , after a while, why the same file is in 2 locations .

MSE has a very elegant solution to this: in History , you have  three distinct categories: "detected items" , "quarantined items" and "restored items"  

[itman 1,739]

1 hour ago, John Alex said:

Now , being disinfected, will be left in the same location as "C / Program files / infected.exe" . At the same time , the original file will be moved to Quarantine , as "C / Program files / infected.exe "

Disinfecting can have an adverse effect on the process. The malware might be removed but the process is no longer fully function as a result of the procedure. If it is later determined the detection was a false positive, the process can then be restored from quarantine.

[novice 20]

45 minutes ago, itman said:

Disinfecting can have an adverse effect on the process

This is not the point!

1 hour ago, John Alex said:

I will end up having 2 identical files, one "disinfected" in original location and one "infected" in Quarantine. Will be hard to say , after a while, why the same file is in 2 locations 

This is the point: 2 identical files, one "disinfected" in original location and one "infected" in Quarantine

[illumination 5]

1 hour ago, John Alex said:

This is not the point!

This is the point: 2 identical files, one "disinfected" in original location and one "infected" in Quarantine

What they are trying to state here is, that when Eset disinfects/deletes the original file, it places a copy of the file in quarantine, so if the original file disinfected or deleted turns out to be a false positive, it can be restored from quarantine. Not only can it be restored from quarantine but the options are there to restore/restore and exclude from further scans/ and to delete it from quarantine. If the file is not a false positive the user can simply delete it from quarantine and move on. 

[Marcos 5,228]

4 hours ago, John Alex said:

This is the point: 2 identical files, one "disinfected" in original location and one "infected" in Quarantine

The files would not be identical since the one in quarantine would be infected while the one at the original location would be clean.

[novice 20]

5 hours ago, Marcos said:

The files would not be identical since the one in quarantine would be infected while the one at the original location would be clean.

And how anyone would see the difference?

Both of them will have the same path and the same name.( one in Quarantine, infected and one in original location, cleaned)

[Marcos 5,228]

1 hour ago, John Alex said:

And how anyone would see the difference?

Both of them will have the same path and the same name.( one in Quarantine, infected and one in original location, cleaned)

Files in quarantine were detected by ESET so they are malicious unless a false positive was detected. I don't see any problem with the patch and file name being the same. Normally users should not touch files in quarantine and if other files on disks are not detected, they should be considered clean.

[novice 20]

3 minutes ago, Marcos said:

I don't see any problem with the patch and file name being the same

I installed NOD 32 on all family members; when I visit, I take a look on whatever is in "Quarantine" ; if a file is both in Quarantine and on original location (at least a file with the same name) this can be very confusing.

1. did ESET restore the file after a signature database?

2.the file restored by itself?

3.it is a recurring problem?

I am quite sure this can be done better.

[Marcos 5,228]

We do not normally restore files from quarantine automatically. If a file is restored, it will be removed from quarantine as well.

[illumination 5]

14 minutes ago, John Alex said:

I installed NOD 32 on all family members; when I visit, I take a look on whatever is in "Quarantine" ; if a file is both in Quarantine and on original location (at least a file with the same name) this can be very confusing.

1. did ESET restore the file after a signature database?

2.the file restored by itself?

3.it is a recurring problem?

I am quite sure this can be done better.

If you are looking in quarantine and finding items, and then seeing the original files still intact on the system, those files have been disinfected. With Eset, i have yet to find a false positive, but one can usually tell if they find an entry in quarantine and the application it belongs to is now broken/corrupted, will not launch ect. The user can always upload the file to Virus Total to cross check its validity, or they may if they wish to pursue it further, upload it to an automated sandbox malware analysis site to analyze it further. Unless you find something broken on the system, it is safe to assume eset has done its job as intended and those entries in quarantine can be viewed as a log. If the file has been disinfected as stated above, the user can safely delete those entries in quarantine. 

[itman 1,739]

I will say this about Eset's quarantine. I have been using Eset for some time. During that time, Eset only placed one file in quarantine. It was a legit software license key cracker that I used.

So if you're seeing a lot of files in quarantine, it is indicative of "iffy" download activity; most likely occurring prior to Eset being installed. Eset will as rule block files prior or during the download activity. As such, quarantine activity will be next to nil.

[novice 20]

9 hours ago, illumination said:

If you are looking in quarantine and finding items, and then seeing the original files still intact on the system, those files have been disinfected

But why this complicated approach????

When I press "Clean" I should be informed what exactly happened with that file: has been cleaned, has been deleted, has been quarantined.

An user shouldn't be forced to navigate to the original location to see if the file has been cleaned or deleted.

Why is so difficult to implement????

 

[Marcos 5,228]

What is so complicated? If malware is detected, it's cleaned automatically and a copy of the original file is placed in quarantine. It's as simple as it gets. One does not need to open quarantine unless a false positive was reported and the original file needs to be restored.

[novice 20]

5 hours ago, Marcos said:

cleaned automatically

it seems like in 99.99% of the situations  "cleaned automatically" means simply deleted. (and placed in Quarantine)

The terminology is confusing : "strict cleaning", "normal cleaning" "no cleaning" , when in fact should be  "quarantine " automatically or not

"quarantine" with user intervention.

Like any other antiviruses.

 

[Marcos 5,228]

Strict cleaning - all detected files are cleaned automatically, regardless of whether they are PUAs, files infected with uncleanable malware, etc. The user is never prompted for an action.

Standard cleaning - the user is asked for an action if an uncleanable virus or PUA is detected.

No cleaning - the user is always asked for an action before cleaning.