
Quarantine and active threats


Solved by ElvinE5

muhammad.moin
Posted

Hello!

Is there any way to take the copies of quarantine or active threats from the endpoint (Stored in backup showing in KSC and also in the VM physically) to an external Sandbox or any other environment for self-testing and analysis?

KSC: 14
KES: 11.9

OS: Windows

 

Your kind help would be appreciated.

Posted

On the KSC server, in the storage section, you can “save” the files you are interested in from client devices... to your device for further processing

 

Spoiler: [screenshot]

 

muhammad.moin
Posted

Thanks for the reply.

Actually my question is from where it will give me the threat because in our environment the threat may be from the USB drive which is now ejected. So how can the KSC get that file, and where does it basically store the file when detected?

  • 3 weeks later...
Posted

A backup of the file is sent to KSC when detected, if you save to disk you will have the complete file.

Posted (edited)
17 minutes ago, Diego Moraes said:

A backup of the file is sent to KSC when detected, if you save to disk you will have the complete file

@Diego Moraes

 

Wrong ... backup files (deleted by KES file threat protection for example) as well as quarantine are stored on the same device where they were detected and deleted.

Only information about quarantined objects (on the device) is transferred to KSC.

and when you try to retrieve it (save it to disk) through the console, KSC requests it on the host where it is stored.

So sometimes it may not be available because it is deleted on the host ...and the information in KSC is not updated

Edited by ElvinE5
  • Like 1
Posted
54 minutes ago, ElvinE5 said:

@Diego Moraes

 

Wrong ... backup files (deleted by KES file threat protection for example) as well as quarantine are stored on the same device where they were detected and deleted.

Only information about quarantined objects (on the device) is transferred to KSC.

and when you try to retrieve it (save it to disk) through the console, KSC requests it on the host where it is stored.

So sometimes it may not be available because it is deleted on the host ...and the information in KSC is not updated

You're right, I misunderstood what he said, when you click on save to disk, it requests the source file, this has happened to me, thanks for the clarification.

  • Like 1
  • Thanks 1
muhammad.moin
Posted
On 11/22/2023 at 4:08 PM, ElvinE5 said:

@Diego Moraes

 

Wrong ... backup files (deleted by KES file threat protection for example) as well as quarantine are stored on the same device where they were detected and deleted.

Only information about quarantined objects (on the device) is transferred to KSC.

and when you try to retrieve it (save it to disk) through the console, KSC requests it on the host where it is stored.

So sometimes it may not be available because it is deleted on the host ...and the information in KSC is not updated

Hello @ElvinE5

You mean to say that we can get the quarantine and active threats from endpoints if they are connected or available? And let we get the quarantine and active threats. So in what format will we get the file?

I have studied in Kaspersky support that QUARANTINE FILE can only be treated with the SANDBOX

Posted

for example, I saved one .exe file to my device (for further work) it will be saved like this ...

Spoiler: [screenshots]

in the extension the name of the device from which I received the file is added, which makes it impossible to run it just by clicking on it.
But if I remove this description, the file can be run ... as usual

Spoiler: [screenshot]

 

how you will work with this file depends only on your tools, desires and needs ...

including sandboxing, which will give you a report on how this file behaves and what it is trying to do on your device ...which will give you a broader view of the malware.

  • Thanks 1
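An added example, not part of the thread and not Kaspersky code: before a file saved from the console goes to a sandbox, an intake record can be built without renaming or running it, taking the type from the content rather than from the altered extension. The naming pattern `<original name>.<device name>`, the device name `WS-FINANCE-07` and the file name `invoice.exe` are assumptions made for the illustration; the sample bytes are a constructed harmless stub.

```python
import hashlib
import tempfile
from pathlib import Path

# Well-known leading magic bytes; the type is read from content, not the extension.
MAGIC = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf",
    b"PK\x03\x04": "zip-or-office",
    b"%PDF": "pdf",
}

# Constructed sample: a harmless stub that only starts with the PE "MZ" marker.
SAMPLE_BYTES = b"MZ" + bytes(62)

def describe_sample(path, device_name):
    """Intake record for a file saved from the console; nothing is executed or renamed.
    Assumption: the saved name is '<original name>.<device name>'."""
    p = Path(path)
    data = p.read_bytes()
    suffix = "." + device_name
    has_suffix = p.name.lower().endswith(suffix.lower())
    kind = next((t for m, t in MAGIC.items() if data.startswith(m)), "unknown")
    return {
        "saved_as": p.name,
        "original_name": p.name[: -len(suffix)] if has_suffix else None,
        "source_device": device_name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type_by_magic": kind,
    }

def demo():
    """Run the intake on the constructed stub under a hypothetical saved name."""
    with tempfile.TemporaryDirectory() as d:
        saved = Path(d) / "invoice.exe.WS-FINANCE-07"
        saved.write_bytes(SAMPLE_BYTES)
        return describe_sample(saved, "WS-FINANCE-07")

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

An `original_name` of `None` means the saved name did not follow the assumed pattern and should be checked by hand.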
muhammad.moin
Posted
10 hours ago, ElvinE5 said:

for example, I saved one .exe file to my device (for further work) it will be saved like this ...

Spoiler: [screenshots]

in the extension the name of the device from which I received the file is added, which makes it impossible to run it just by clicking on it.
But if I remove this description, the file can be run ... as usual

Spoiler: [screenshot]

 

how you will work with this file depends only on your tools, desires and needs ...

including sandboxing, which will give you a report on how this file behaves and what it is trying to do on your device ...which will give you a broader view of the malware.

Thanks @ElvinE5 for the information; it is really appreciated!


So did Kaspersky allow you to use an external or other vendor sandbox instead of the Kaspersky sandbox?

  • Solution
Posted
13 hours ago, muhammad.moin said:

So did Kaspersky allow you to use an external or other vendor sandbox instead of the Kaspersky sandbox?

not quite sure what the question is ...

 

if you mean that it will feed the quarantined file to some external sandbox - yes ...

whether Kaspersky products can be integrated with other sandboxes - probably not.

  • Thanks 1
