
Restore from quarantine fail


PabloH


Hello everybody, I'm new to the forum. The AV is detecting some files as PUA and sending them to quarantine.

The problem is that when I try to restore them, the action fails.

Details:

_ I run the action as admin, so I have privileges.

_ The action is performed with the same OS user account under which the AV detected the PUA.

_ The action is carried out some minutes after the files are sent to quarantine.

_ I browse the quarantine directory and it contains the files.

_ Endpoint version: 7.1.20.53.0

_ OS version: Windows 7 Professional

 

Thanks in advance.


13 minutes ago, PabloH said:

The action is carried out some minutes after the files are sent to quarantine.

Are you stating that the file upon being restored from quarantine later is again detected as a PUA and placed back into quarantine? If so, this is desired behavior since real-time protection re-scanned the file. The file needs to be excluded from real-time scanning either prior to restoration from quarantine or immediately thereafter.


Marcos, thanks for the reply. I have attached the log file with some filters applied (Windows processes, and others). If you need the whole file, please send me an email and I will send it.

 

Thanks


  • Administrators

The log doesn't contain any useful records. There was not a single record containing "quarantine". Please do not apply any filter.


1 hour ago, itman said:

Are you stating that the file upon being restored from quarantine later is again detected as a PUA and placed back into quarantine? If so, this is desired behavior since real-time protection re-scanned the file. The file needs to be excluded from real-time scanning either prior to restoration from quarantine or immediately thereafter.

Itman, thanks for the reply. I tried with other clean files and the result is the same.

Thanks


50 minutes ago, Marcos said:

The log doesn't contain any useful records. There was not a single record containing "quarantine". Please do not apply any filter.

Marcos, doesn't that expose some sensitive data? Any alternative?

Thanks


I just restored a previous PUA detection from quarantine in EIS ver. 13.0.24. It restored w/o issue. It is restored to its original detected directory and is no longer present in Eset quarantine.

So if this is an issue, it must be in Endpoint versions only which I somewhat doubt.


Here's a thought.

Does the location, i.e. the full original directory path where the PUA was originally detected, still exist? Eset may have an issue with quarantine restoration if this is the case.

-EDIT- Nope. Just tested this and Eset will recreate the required directory path if necessary.


15 minutes ago, itman said:

I just restored a previous PUA detection from quarantine in EIS ver. 13.0.24. It restored w/o issue. It is restored to its original detected directory and is no longer present in Eset quarantine.

So if this is an issue, it must be in Endpoint versions only which I somewhat doubt.

Yes, this product is endpoint 7 for business.

 

13 minutes ago, itman said:

Here's a thought.

Does the location, i.e. the full original directory path where the PUA was originally detected, still exist? Eset may have an issue with quarantine restoration if this is the case.

I restored to an existing folder and I tried the "Restore to..." option too. The first shows a failure message, the other doesn't show anything.


5 minutes ago, itman said:

Was the file restored?

In any case, the file was restored.

I'm using Remote Administrator and I have some folder exclusions, but no other policies are configured.


  • Administrators
2 hours ago, PabloH said:

Marcos, doesn't that expose some sensitive data? Any alternative?

Attachments that you upload here are accessible only to ESET staff. Moreover, a Procmon log shouldn't contain any extra sensitive data. It could contain user profile folders or some plain text values in the registry but I don't consider it confidential to such a degree that ESET staff shouldn't see it. Or am I missing something?


  • Administrators

Unfortunately there is not a single attempt (not even a failed one) to save a file from quarantine. Please post some screenshots to clarify what you actually did. You can use the system application Steps Recorder to generate an archive with screenshots of the particular steps that you took.


I'm wondering if this is a directory permissions issue. Whereas Eset was able to delete from the source directory, it is somehow blocked from writing to the source directory. Note that the OP was able to restore the file from quarantine to a different location.

Perhaps the OS has a write lock on this directory?

Or when Eset originally quarantined the file, it physically did not exist in that directory; i.e. Eset caught it on download or on a write attempt to the target directory from another storage location. In other words, existing directory permissions would have prevented the file creation in the first place.


  • Administrators

There was not even an attempt to write a file from quarantine to disk, so permission issues can be ruled out. Maybe knowing the path and the file name would shed more light. @PabloH, please provide logs collected with ESET Log Collector, but also select "quarantined files" to be collected, and let us know which of the quarantined files you attempted to restore.


Hi. I have good news. I finally restored the files that had been quarantined. I did it from the management center without any problem.

I don't know if this is the intended way, but it solved the problem.

Thanks so much.


I have a similar problem. I'm using Linux, but the concept should still be the same and I'd love to understand what is going on. My Eset quarantines several files during a scan. I try to restore them and it either says that the file already exists (in the original location) and fails, or it prompts to overwrite the file already there and works, but that doesn't make sense. Which option it gives me just depends on the file. Any comments?


  • Administrators

If quarantining fails on Linux, please contact customer care and provide them with the pair of ndf/nqf files you want to restore, a listing of permissions for the target folder, and logs collected as per https://support.eset.com/en/kb6159-run-the-info-getcommand-on-a-linux-virtual-machine-and-send-the-logs-to-eset-technical-support. Make sure a file with the same name doesn't exist; I'm not sure if ESET for Linux asks to replace it.
