jasonfromclarington

Continued warning from Quarantine scan


Hello,

We have an Exchange 2010 server running Kaspersky Security 10.1 for Windows Server.

We added an Exchange mailbox database on a different drive, and failed to put in exclusions in the TrustedZone for the mailbox files.

Subsequently, Kaspersky Real-time File Protection heuristics thought an "E04005D660B.log" file contained a Trojan and quarantined it. Object was added to backup; object was quarantined. I'm sure it was not really a Trojan, just a false alarm on an Exchange log file.

I have now put in the Trusted Zone exclusion for that mailbox folder so that won't happen again.

However, I am getting alerts from our Kaspersky Security Center of "Probably infected object detected" on the same .log file, every hour when it does a Quarantine Scan.

What should I do about this?

Should I restore the log file to its original location from Quarantine? If so, how?

If not (maybe Exchange no longer requires the file at this point?), then how do I stop it from detecting that file every time?

Thank you for any help you can provide.

Jason

 


Hi,

Could you please provide us with an export of the active KSWS10 policy with the changes to the Trusted zone you have made?

Thank you!

On 02.03.2019 at 03:04, jasonfromclarington said:

What should I do about this?

Should I restore the log file to its original location from Quarantine? If so, how?

Hello,

Maybe just delete this file from the Quarantine storage?

3 hours ago, Oleg Bykov said:

Hello,

Maybe just delete this file from the Quarantine storage?

How? Can I do this from KSC? The servers don't have the full interface like a workstation.

27 minutes ago, jasonfromclarington said:

How? Can I do this from KSC?

Of course you can. Try right-clicking on the file in the storage - there must be some kind of "Remove" option.

27 minutes ago, jasonfromclarington said:

The servers don't have the full interface like a workstation.

But they do! You just have to install it separately - the local UI (Administration Tools) is a separate MSI package, you install it only if you need it on a server (and can uninstall it afterwards).

 

Quote

 Try right-clicking on the file in the storage - there must be some kind of "Remove" option.

I didn't see any way to browse the quarantine of a server using the Kaspersky Security Console.

Quote

You just have to install it separately - the local UI (Administration Tools) is a separate MSI package, you install it only if you need it on a server (and can uninstall it afterwards).

If I run the ks4ws 10.1 .exe installer, do I select the option "Install Kaspersky Security 10.1 Console" for this? Or are you referring to something else? If something else please provide instructions.

Thanks!

12 hours ago, jasonfromclarington said:

I didn't see any way to browse the quarantine of a server using the Kaspersky Security Console.

The Quarantine Storage is common for all computers under the management of the KSC. So it should be in Advanced\Repositories\Quarantine or something like that (my local KSC version might be a bit outdated).

12 hours ago, jasonfromclarington said:

If I run the ks4ws 10.1 .exe installer, do I select the option "Install Kaspersky Security 10.1 Console" for this?

Yes, correct, you need the Console.

4 hours ago, Oleg Bykov said:

it should be in Advanced\Repositories\Quarantine

Thank you! I found the file there. But when I tried to restore it, it switched "Current action" to "Restoring" and then "Error: '#1199 Operation canceled'".

I am not an Exchange expert... I don't know how important this log file from 4 days ago is. Should I just delete it from Quarantine rather than restore it?

To me it looks like there has been a successful backup of Exchange database so it appears the log files have been cleaned up (none older than yesterday). So I am guessing it is safe to just delete this old log file from Quarantine at this point.

Thanks for your advice.

Jason
