PabloH

Restore from quarantine fail

Hello everybody, I'm new to the forum. The AV is detecting some files as PUA and it sends them to quarantine.

The problem is that when I try to restore them, the action fails.

Details:

_ I run the action as admin, so I have privileges.

_ The action is performed with the same OS user account with which the AV detected the PUA.

_ The action is performed some minutes after the files are sent to quarantine.

_ I browse the quarantine directory and it has the files.

_ Endpoint version: 7.1.20.53.0

_ OS version: Windows 7 Professional


Thanks in advance.

13 minutes ago, PabloH said:

The action is performed some minutes after the files are sent to quarantine.

Are you stating that the file upon being restored from quarantine later is again detected as a PUA and placed back into quarantine? If so, this is desired behavior since real-time protection re-scanned the file. The file needs to be excluded from real-time scanning either prior to restoration from quarantine or immediately thereafter.


Marcos, thanks for the reply. I attach the log file with some filters applied (Windows processes, and others). If you need the whole file, please send me an email and I will send it.


Thanks

The log doesn't contain any useful records. There was no single record containing "quarantine". Please do not apply any filter.

1 hour ago, itman said:

Are you stating that the file upon being restored from quarantine later is again detected as a PUA and placed back into quarantine? If so, this is desired behavior since real-time protection re-scanned the file. The file needs to be excluded from real-time scanning either prior to restoration from quarantine or immediately thereafter.

Itman, thanks for the reply. I tried with other clean files and the result is the same.

Thanks

50 minutes ago, Marcos said:

The log doesn't contain any useful records. There was no single record containing "quarantine". Please do not apply any filter.

Marcos, does that expose some sensitive data? Any alternative?

Thanks


I just restored a previous PUA detection from quarantine in EIS ver. 13.0.24. It restored w/o issue. It is restored to its original detected directory and is no longer present in Eset quarantine.

So if this is an issue, it must be in Endpoint versions only which I somewhat doubt.


Here's a thought.

Does the location, i.e. the full original directory path where the PUA was originally detected, still exist? Eset may have an issue with quarantine restoration if this is the case.

-EDIT- Nope. Just tested this and Eset will recreate the required directory path if necessary.

Edited by itman

15 minutes ago, itman said:

I just restored a previous PUA detection from quarantine in EIS ver. 13.0.24. It restored w/o issue. It is restored to its original detected directory and is no longer present in Eset quarantine.

So if this is an issue, it must be in Endpoint versions only which I somewhat doubt.

Yes, this product is endpoint 7 for business.


13 minutes ago, itman said:

Here's a thought.

Does the location, i.e. the full original directory path where the PUA was originally detected, still exist? Eset may have an issue with quarantine restoration if this is the case.

I restored to an existing folder and I tried the "Restore to..." option too. The first shows a failure message, the other doesn't show any.

1 minute ago, PabloH said:

the other doesn't show any.

Was the file restored?

5 minutes ago, itman said:

Was the file restored?

In any case the file was restored.

I'm using Remote Administrator and I have some folder exclusions, but no other policies are configured.


Thanks again.

2 hours ago, PabloH said:

Marcos, does that expose some sensitive data? Any alternative?

Attachments that you upload here are accessible only to ESET staff. Moreover, a Procmon log shouldn't contain any extra sensitive data. It could contain user profile folders or some plain text values in the registry but I don't consider it confidential to such a degree that ESET staff shouldn't see it. Or am I missing something?


Here's the log file. I hope it helps.

It begins before I open quarantine option and ends when the message "Restore fail" appears.


Thanks.

Logfile.zip


Unfortunately there is not a single attempt (not even a failed one) to save a file from quarantine. Please post some screenshots to clarify what you actually did. You can use the system application Steps Recorder to generate an archive with screenshots of the particular steps that you took.


I'm wondering if this is a directory permissions issue. Whereas Eset was able to delete from the source directory, it is somehow blocked from writing to the source directory. Note that the OP was able to restore the file from quarantine to a different location.

Perhaps the OS has a write lock on this directory?

Or when Eset originally quarantined the file, it physically did not exist in that directory; i.e. Eset caught it on download or on a write attempt to the target directory from another storage location. In other words, existing directory permissions would have prevented the file creation in the first place.

Edited by itman


There was not even an attempt to write a file from quarantine to a disk so permission issues can be ruled out. Maybe knowing the path and the file name would shed more light. @PabloH, please provide logs collected with ESET Log Collector but select also "quarantined files" to be collected and let us know which of the quarantined files you attempted to restore.


Hi. I have good news. Finally I restored the files that had been quarantined. I did it from the management center without any problem.

I don't know if this is the intended way, but it solved the problem.

Thanks so much.


I have a similar problem. I'm using Linux but the concept should still be the same and I'd love to understand what is going on. My Eset quarantines several files during a scan. I try to restore them and it says that the file already exists (in the original location) and fails or it prompts to overwrite the file already there and works but doesn't make sense. It just depends on the file as to which option it gives me. Any comments?


If quarantining fails on Linux, please contact customer care and provide them with the pair of ndf/nqf files you want to restore as well as a listing of permissions for the target folder as well as logs collected as per https://support.eset.com/en/kb6159-run-the-info-getcommand-on-a-linux-virtual-machine-and-send-the-logs-to-eset-technical-support. Make sure a file with the same name doesn't exist; not sure if ESET for Linux asks to replace it.
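The two things asked for in this thread before a restore is investigated, a permissions listing of the target folder and whether a same-named file already exists (the directory-permissions hypothesis above and the Linux reply just before this), can be collected with a small pre-flight check. This is an added example, not ESET's code; the `.nqf`/`.ndf` pair check only assumes both files share the entry's base name and does not parse them.

```python
import os
import stat
import pwd
import grp
from pathlib import Path


def describe_permissions(path: Path) -> str:
    """Summarise mode, owner and group as `ls -ld` would, for a support ticket."""
    st = path.stat()
    try:
        owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
    except KeyError:  # uid/gid without a name, e.g. inside a container
        owner, group = str(st.st_uid), str(st.st_gid)
    return f"{stat.filemode(st.st_mode)} {owner}:{group} {path}"


def quarantine_pair_status(quarantine_dir: str, entry_name: str) -> dict:
    """Report which of the .nqf/.ndf pair for one quarantine entry is present.
    Assumption: both files share the entry's base name; contents are not parsed."""
    return {ext: (Path(quarantine_dir) / f"{entry_name}{ext}").is_file() for ext in (".nqf", ".ndf")}


def check_restore_target(target_file: str) -> dict:
    """Collect the conditions a restore to target_file depends on, plus plain-English problems."""
    target = Path(target_file)
    folder = target.parent
    folder_ok = folder.is_dir()
    result = {
        "folder_exists": folder_ok,
        "folder_writable": folder_ok and os.access(folder, os.W_OK | os.X_OK),
        "name_conflict": target.exists(),
        "folder_permissions": describe_permissions(folder) if folder_ok else None,
        "problems": [],
    }
    if not folder_ok:
        result["problems"].append("target folder missing (product may recreate it)")
    elif not result["folder_writable"]:
        result["problems"].append("current user cannot write to target folder")
    if result["name_conflict"]:
        result["problems"].append("a file with the same name already exists")
    return result


if __name__ == "__main__":
    # Constructed demo: scratch folder with one occupied and one free restore slot.
    import tempfile
    scratch = Path(tempfile.mkdtemp())
    (scratch / "existing.bin").write_bytes(b"placeholder")
    for name in ("existing.bin", "free.bin"):
        print(name, check_restore_target(str(scratch / name))["problems"])
```

Run it as the same account that performs the restore; a `problems` list that is empty but a restore that still fails points away from the target folder, which is the conclusion drawn above from the Procmon log.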
