Jump to content

EES Quarantine Not Accessible


Recommended Posts

System: Windows 10 Pro x64

EES Version: 7.2.2055

When trying to access the quarantine, a UAC prompt will show up (eecInt.exe). However, after granting the UAC elevation request, the quarantine page is still blank. Meanwhile the UAC elevation will prompt indefinitely. Not sure what kind of diagnostic info I should provide to help debug this issue.

Link to post
Share on other sites
  • Administrators

Are you logged in as an administrator? An UAC prompt window should pop up only after you select to restore a file, not when you open the quarantine window.

Link to post
Share on other sites
45 minutes ago, Marcos said:

Are you logged in as an administrator? An UAC prompt window should pop up only after you select to restore a file, not when you open the quarantine window.

Yes, I am using admin account. This is the weird part.

The only non default setting on my computer:

1) UAC level is set to the highest

2) Local security policy - UAC Behavior of the elevation prompt for administrators in Admin Approval Mode is set to "Prompt for credentials"

But I don't think these two will cause this issue.

Edited by 0xDEADBEEF
Link to post
Share on other sites
21 minutes ago, 0xDEADBEEF said:

The only non default setting on my computer:

1) UAC level is set to the highest

2) Local security policy - UAC Behavior of the elevation prompt for administrators in Admin Approval Mode is set to "Prompt for consent for non-Windows binaries"

I am running at 1). setting.

Suspect the issue is 2). Local security policy setting. Believe it may not be compatible w/UAC set to highest level.

Edited by itman
Link to post
Share on other sites
16 minutes ago, itman said:

Believe it may not be compatible w/UAC set to highest level.

my bad.. this is actually set to "prompt for credential"

Turning this two options back to default didn't help though...

Link to post
Share on other sites
  • Administrators

Does uninstalling ESET and installing the latest Endpoint 7.2 from scratch make a difference?

Also check permissions for C:\Users\%user%\AppData\Local\ESET\ESET Security\Quarantine. It should have full permissions set for: system, Administrators and the current user.

Link to post
Share on other sites
56 minutes ago, Marcos said:

Does uninstalling ESET and installing the latest Endpoint 7.2 from scratch make a difference?

Also check permissions for C:\Users\%user%\AppData\Local\ESET\ESET Security\Quarantine. It should have full permissions set for: system, Administrators and the current user.

I have found a way to reproduce this issue. After emptying the C:\Users\%user%\AppData\Local\ESET\ESET Security\Quarantine, the quarantine page is back to normal. After re-copying the quarantine files back, the same UAC issue appeared. I have sent you a private message containing those quarantine files. I hope those can help the devs identify the bug.

Previously I've heard similar complaints about "bugs" in quarantine and log files: when there are too many entries in these sections, using egui to view them will display blank page. The solution is to empty them.... In this case, my quarantine is pretty large (> 2GB). I feel the QA may need to do some tests to cover such extreme cases.

Edited by 0xDEADBEEF
Link to post
Share on other sites
  • Administrators

The total size of files in quarantine is typically relatively small. The product was not built to handle GB of files in quarantine; enumeration in such case may take a lot of time. I assume that you do not use the machine in a normal way and often scan and clean various malware files out of which many are quite big. In such case make sure to empty the quarantine on a regular basis.

Link to post
Share on other sites
43 minutes ago, Marcos said:

The total size of files in quarantine is typically relatively small. The product was not built to handle GB of files in quarantine; enumeration in such case may take a lot of time. I assume that you do not use the machine in a normal way and often scan and clean various malware files out of which many are quite big. In such case make sure to empty the quarantine on a regular basis.

not necessarily. It is not the first time that I saw ESET move thousands filecoder encrypted files to the quarantine, and those can exceed GBs (and users definitely don't want to empty the quarantine in this case). In other cases I once saw that the ransomware may repeatedly release thousands of ransomnotes because ESET repeatedly move it to the quarantine. In such case the quarantine will be "broken" unless the user manually empty that directory.

I think the bottom line is to add a load progress bar so that users are not confused. Plus I don't think repeatedly prompting UAC is considered "normal" when handling a large number of entries/large files.

Edited by 0xDEADBEEF
Link to post
Share on other sites
  • Administrators

The problem with UAC must be caused by something else. If you empty the quarantine, then let ESET detect eicar and then open quarantine, you are not prompted by UAC?

As for ransomware instructions, each file would have to be unique in order to be quarantined. I for one don't recall ransomware that would create thoudands of unique files with instructions.

Link to post
Share on other sites
48 minutes ago, Marcos said:

The problem with UAC must be caused by something else. If you empty the quarantine, then let ESET detect eicar and then open quarantine, you are not prompted by UAC?

Yes, so if I empty the quarantine, re-add 1~2 malware to it, and open the quarantine in egui, the UAC prompt won't happen.

48 minutes ago, Marcos said:

As for ransomware instructions, each file would have to be unique in order to be quarantined. I for one don't recall ransomware that would create thoudands of unique files with instructions.

That's valid, but still certain cases will have output encrypted files quarantined (usually if detected by AMS and failed to clean the main process). Just want to see ESET being robust in handling such extreme but possible cases. 

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...