kes 11.9 Qurantine and active threats

muhammad.moin · November 2, 2023

Hello!

Is there any way to take the copies of quarantine or active threats from the endpoint (Stored in backup showing in KSC and also in the VM physically) to an external Sandbox or any other environment for self-testing and analysis?

KSC: 14
KES: 11.9

OS: Windows

Your kind help would be appreciated.

ElvinE5 · November 3, 2023

On the KSC server, in the storage section, you can “save” the files you are interested in from client devices... to your device for further processing

Спойлер

muhammad.moin · November 4, 2023

Thanks for the reply.

Actually my question is from where it will give me the threat because in our enviornment the threat may be from the USB drive which is now ejected. So how can the KSC get that file, and where does it basically store the file when detected?

Diego Moraes · November 22, 2023

A backup of the file is sent to KSC when detected, if you save to disk you will have the complete file.

ElvinE5 · November 22, 2023

17 минут назад, Diego Moraes сказал:

A backup of the file is sent to KSC when detected, if you save to disk you will have the complete file

@Diego Moraes

Wrong ... backup files (deleted by KES file threat protection for example) as well as quarantine are stored on the same device where they were detected and deleted.

Only information about quarantined objects (on the device) is transferred to KSC.

and when you try to retrieve it (save it to disk) through the console, KSC requests it on the host where it is stored.

So sometimes it may not be available because it is deleted on the host ...and the information in KSC is not updated

Edited November 22, 2023 by ElvinE5

Diego Moraes · November 22, 2023

54 minutes ago, ElvinE5 disse:

@Diego Moraes

Wrong ... backup files (deleted by KES file threat protection for example) as well as quarantine are stored on the same device where they were detected and deleted.

Only information about quarantined objects (on the device) is transferred to KSC.

and when you try to retrieve it (save it to disk) through the console, KSC requests it on the host where it is stored.

So sometimes it may not be available because it is deleted on the host ...and the information in KSC is not updated

You're right, I misunderstood what he said, when you click on save to disk, it requests the source file, this has happened to me, thanks for the clarification.

muhammad.moin · November 29, 2023

On 11/22/2023 at 4:08 PM, ElvinE5 said:

@Diego Moraes

Wrong ... backup files (deleted by KES file threat protection for example) as well as quarantine are stored on the same device where they were detected and deleted.

Only information about quarantined objects (on the device) is transferred to KSC.

and when you try to retrieve it (save it to disk) through the console, KSC requests it on the host where it is stored.

So sometimes it may not be available because it is deleted on the host ...and the information in KSC is not updated

Hello @ElvinE5

You mean to say that we can get the quarantine and active threats from endpoints if they are connected or available? And let we get the quarantine and active threats. So in what format will we get the file?

I have studied in kaspersky support that QURANTINE FILE can only be treated with the SANDBOX

ElvinE5 · November 30, 2023

for example, I saved one .exe file to my device (for further work) it will be saved like this ...

Спойлер

in the extension the name of the device from which I received the file is added, which makes it impossible to run it just by clicking on it.
But if I remove this description, the file can be run ... as usual

Спойлер

how you will work with this file depends only on your tools, desires and needs ...

including sandboxing, which will give you a report on how this file behaves and what it is trying to do on your device ...which will give you a broader view of the malware.

muhammad.moin · November 30, 2023

10 hours ago, ElvinE5 said:

for example, I saved one .exe file to my device (for further work) it will be saved like this ...

Hide contents

in the extension the name of the device from which I received the file is added, which makes it impossible to run it just by clicking on it.
But if I remove this description, the file can be run ... as usual

Hide contents

how you will work with this file depends only on your tools, desires and needs ...

including sandboxing, which will give you a report on how this file behaves and what it is trying to do on your device ...which will give you a broader view of the malware.

Thanks @ElvinE5 for the information; it is really appreciated!

So did Kaspersky allow you to use an external or other vendor sandbox instead of the Kaspersky sandbox?

ElvinE5 · December 1, 2023

13 часов назад, muhammad.moin сказал:

So did Kaspersky allow you to use an external or other vendor sandbox instead of the Kaspersky sandbox?

not quite sure what the question is ...

if you mean that it will feed the quarantined file to some external sandbox - yes ...

whether Kaspersky products can be integrated with other sandboxes - probably not.

kes 11.9 Qurantine and active threats

Recommended Posts

muhammad.moin

Link to comment

Share on other sites

ElvinE5

Link to comment

Share on other sites

muhammad.moin

Link to comment

Share on other sites

Diego Moraes

Link to comment

Share on other sites

ElvinE5

Link to comment

Share on other sites

Diego Moraes

Link to comment

Share on other sites

muhammad.moin

Link to comment

Share on other sites

ElvinE5

Link to comment

Share on other sites

muhammad.moin

Link to comment

Share on other sites

ElvinE5

Link to comment

Share on other sites

Please sign in to comment

Similar Content

Forum

Products

Support

Personal Account