
Posted

Hello everybody, I'm new to the forum. The AV is detecting some files as PUA and sends them to quarantine.

The problem is that when I try to restore them, the action fails.

Details:

- I run the action as admin, so I have privileges.

- The action is performed with the same OS user account under which the AV detected the PUA.

- The action is performed some minutes after the files are sent to quarantine.

- I browse the quarantine directory and it has the files.

- Endpoint version: 7.1.20.53.0

- OS version: Windows 7 Professional

 

Thanks in advance.

Posted
13 minutes ago, PabloH said:

The action is performed some minutes after the files are sent to quarantine.

Are you stating that the file upon being restored from quarantine later is again detected as a PUA and placed back into quarantine? If so, this is desired behavior since real-time protection re-scanned the file. The file needs to be excluded from real-time scanning either prior to restoration from quarantine or immediately thereafter.

Posted

Marcos, thanks for the reply. I attach the log file with some filters applied (Windows processes, and others). If you need the whole file, please send me an email and I will send it.

Thanks

  • Administrators
Posted

The log doesn't contain any useful records. There was no single record containing "quarantine". Please do not apply any filter.

Posted
1 hour ago, itman said:

Are you stating that the file upon being restored from quarantine later is again detected as a PUA and placed back into quarantine? If so, this is desired behavior since real-time protection re-scanned the file. The file needs to be excluded from real-time scanning either prior to restoration from quarantine or immediately thereafter.

Itman, thanks for the reply. I tried with other clean files and the result is the same.

Thanks

Posted
50 minutes ago, Marcos said:

The log doesn't contain any useful records. There was no single record containing "quarantine". Please do not apply any filter.

Marcos, would that expose some sensitive data? Any alternative?

Thanks

Posted

I just restored a previous PUA detection from quarantine in EIS ver. 13.0.24. It restored w/o issue. It is restored to its original detected directory and is no longer present in Eset quarantine.

So if this is an issue, it must be in Endpoint versions only which I somewhat doubt.

Posted (edited)

Here's a thought.

Does the location, i.e. the full original directory path where the PUA was originally detected, still exist? Eset may have an issue with quarantine restoration if this is the case.

-EDIT- Nope. Just tested this and Eset will recreate the required directory path if necessary.

Edited by itman
Posted
15 minutes ago, itman said:

I just restored a previous PUA detection from quarantine in EIS ver. 13.0.24. It restored w/o issue. It is restored to its original detected directory and is no longer present in Eset quarantine.

So if this is an issue, it must be in Endpoint versions only which I somewhat doubt.

Yes, this product is Endpoint 7 for business.

13 minutes ago, itman said:

Here's a thought.

Does the location, i.e. the full original directory path where the PUA was originally detected, still exist? Eset may have an issue with quarantine restoration if this is the case.

I restore to an existing folder, and I tried the "restore to..." option too. The first shows a failure message, the other doesn't show any.

Posted
1 minute ago, PabloH said:

the other doesn't show any.

Was the file restored?

Posted
5 minutes ago, itman said:

Was the file restored?

In any case the file was restored.

I'm using Remote Administrator and I have some folder exclusions, but no other policies are configured.

Thanks again.

  • Administrators
Posted
2 hours ago, PabloH said:

Marcos, would that expose some sensitive data? Any alternative?

Attachments that you upload here are accessible only to ESET staff. Moreover, a Procmon log shouldn't contain any extra sensitive data. It could contain user profile folders or some plain text values in the registry but I don't consider it confidential to such a degree that ESET staff shouldn't see it. Or am I missing something?

Posted

Here's the log file. I hope it helps.

It begins before I open the quarantine option and ends when the message "Restore fail" appears.

Thanks.

Logfile.zip

  • Administrators
Posted

Unfortunately there is not a single attempt (not even a failed one) to save a file from quarantine. Please post some screenshots to clarify what you actually did. You can use the system application Steps Recorder to generate an archive with screenshots and the particular steps that you took.

Posted (edited)

I'm wondering if this is a directory permissions issue. Whereas Eset was able to delete from the source directory, it is somehow blocked from writing to the source directory. Note that the OP was able to restore the file from quarantine to a different location.

Perhaps the OS has a write lock on this directory?

Or when Eset originally quarantined the file, it physically did not exist in that directory; i.e. Eset caught it on download or on a write attempt to the target directory from another storage location. In other words, existing directory permissions would have prevented the file creation in the first place.

Edited by itman
  • Administrators
Posted

There was not even an attempt to write a file from quarantine to a disk so permission issues can be ruled out. Maybe knowing the path and the file name would shed more light. @PabloH, please provide logs collected with ESET Log Collector but select also "quarantined files" to be collected and let us know which of the quarantined files you attempted to restore.

Posted

Hi. I have good news. I finally restored the files that had been quarantined. I did it from the management center without any problem.

I don't know if this is the way, but it solved the problem.

Thanks so much.

Posted

I have a similar problem. I'm using Linux but the concept should still be the same and I'd love to understand what is going on. My Eset quarantines several files during a scan. I try to restore them and it says that the file already exists (in the original location) and fails or it prompts to overwrite the file already there and works but doesn't make sense. It just depends on the file as to which option it gives me. Any comments?

  • Administrators
Posted

If restoring from quarantine fails on Linux, please contact customer care and provide them with the pair of ndf/nqf files you want to restore, a listing of permissions for the target folder, and logs collected as per https://support.eset.com/en/kb6159-run-the-info-getcommand-on-a-linux-virtual-machine-and-send-the-logs-to-eset-technical-support. Make sure a file with the same name doesn't exist; not sure if ESET for Linux asks to replace it.
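Two of the things asked for in the post above (permissions on the target folder, and whether a file with the same name already exists there) can be checked before a restore is attempted, so that a "file already exists" prompt or a permission failure is not a surprise. The POSIX shell script below is an added example written for this thread; it is not part of ESET's products or of the thread itself. It assumes the path you pass is the original location recorded for the quarantined file, and the demo at the bottom runs against a constructed temporary directory rather than real quarantine data.

```shell
#!/bin/sh
# Added example, not ESET tooling: pre-restore checks for a quarantined file's
# original location. Confirms the target folder exists and is writable by the
# current user, and that no file with the same name is already present.
# Argument: the original path recorded for the quarantined file
# (hypothetical example: /srv/share/tool.bin).

# Usage: check_restore_target /original/dir/file
# Returns 0 when every check passes, 1 otherwise; findings go to stdout.
check_restore_target() {
    target=$1
    dir=$(dirname "$target")
    status=0

    if [ ! -d "$dir" ]; then
        echo "MISSING_DIR: $dir (restore would have to recreate it)"
        status=1
    elif [ ! -w "$dir" ]; then
        # Note: this test is always true for root, so run it as the
        # account that will perform the restore.
        echo "NOT_WRITABLE: $dir is not writable by $(id -un)"
        ls -ld "$dir"
        status=1
    fi

    if [ -e "$target" ]; then
        echo "NAME_CONFLICT: $target already exists (restore would overwrite or fail)"
        ls -l "$target"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: $target can be restored"
    return "$status"
}

# Self-contained demo on a constructed temporary layout (not real quarantine data).
demo=$(mktemp -d)
touch "$demo/already_there.bin"
check_restore_target "$demo/restored.bin"      || true   # expected: OK
check_restore_target "$demo/already_there.bin" || true   # expected: NAME_CONFLICT
check_restore_target "$demo/gone/restored.bin" || true   # expected: MISSING_DIR
rm -rf "$demo"
```

Run it as the same account that will perform the restore; the writability test reports what that user can do, not what root can do. If it prints NAME_CONFLICT, compare the existing file with the quarantined one before deciding whether the restore should overwrite it.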
