Centralized Processing of Dangerous Objects






Dangerous Object Repositories

Backup Storage

Before malicious objects are deleted or disinfected, they are copied to the backup storage. This keeps a fallback copy in case a deleted file has to be restored later, for example, for further analysis.

The copies are kept in the anti-virus folder %ALLUSERSPROFILE%\Application Data\Kaspersky Lab\AVP60MP4\QB. Copies of dangerous files are stored in encoded form, so when the drive is scanned by Kaspersky Anti-Virus or any other anti-virus, the malicious code in them is not detected. Restoring a copy re-creates the original file, so restore an object only when it is actually needed for analysis.

Objects can be restored or deleted from the backup storage. In addition, all objects are automatically deleted from the repository after 30 days by default.

To change this period, edit the policy: open the Reports and storages section and, in the Quarantine and Backup area, modify the Store objects not longer than setting.

For most computers, limiting the storage time is enough. If, however, repository objects take up too much disk space, you can additionally enable the Maximum size parameter. The default repository size limit is 250 MB.
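
As an added example (not Kaspersky code), the following Python script audits the local repository folder named above against the default limits, so an administrator can check whether the retention settings of the policy are actually taking effect on a host. The quarantine, described in the next section, shares the same folder, so one audit covers both. The script reads only file names, sizes and timestamps, never file contents. Two assumptions are made: the file modification time is taken as an approximation of the placement date (the placement date shown in the console is authoritative), and 250 MB is interpreted as 250 × 1024 × 1024 bytes.

```python
import os
import time
from dataclasses import dataclass
from typing import List, Tuple

# Repository folder from the article; %ALLUSERSPROFILE% is expanded at run time.
# Quarantine and backup storage share this folder, so one audit covers both.
REPOSITORY_DIR = r"%ALLUSERSPROFILE%\Application Data\Kaspersky Lab\AVP60MP4\QB"
DEFAULT_MAX_AGE_DAYS = 30                    # "Store objects not longer than" default
DEFAULT_MAX_SIZE_BYTES = 250 * 1024 * 1024   # "Maximum size" default (MiB assumed)


@dataclass(frozen=True)
class RepoEntry:
    name: str
    size: int      # bytes
    mtime: float   # POSIX timestamp; assumed to approximate the placement date


def collect_entries(directory: str = REPOSITORY_DIR) -> List[RepoEntry]:
    """Collect metadata for every file under the repository folder.

    Only names, sizes and timestamps are read. The stored copies are encoded
    and are not meant to be opened or scanned directly. A missing folder
    simply yields an empty list.
    """
    base = os.path.expandvars(directory)
    entries = []
    for root, _dirs, files in os.walk(base):
        for fname in files:
            path = os.path.join(root, fname)
            st = os.stat(path)
            entries.append(RepoEntry(os.path.relpath(path, base), st.st_size, st.st_mtime))
    return entries


def audit(entries: List[RepoEntry], now: float,
          max_age_days: int = DEFAULT_MAX_AGE_DAYS,
          max_size_bytes: int = DEFAULT_MAX_SIZE_BYTES) -> Tuple[List[RepoEntry], int, bool]:
    """Compare the repository contents with the policy limits.

    Returns (expired, total_size, over_limit):
      expired     - entries older than max_age_days, which the product should
                    already have purged; a non-empty list means the storage
                    time setting is not taking effect on this host
      total_size  - bytes used by all entries
      over_limit  - True when total_size exceeds max_size_bytes, i.e. the
                    Maximum size parameter would be worth enabling
    """
    cutoff = now - max_age_days * 86400
    expired = [e for e in entries if e.mtime < cutoff]
    total = sum(e.size for e in entries)
    return expired, total, total > max_size_bytes


def main() -> None:
    now = time.time()
    entries = collect_entries()
    expired, total, over = audit(entries, now)
    print(f"{len(entries)} objects, {total / (1024 * 1024):.1f} MB used"
          f"{' (over the size limit)' if over else ''}")
    for e in sorted(expired, key=lambda x: x.mtime):
        age = int((now - e.mtime) // 86400)
        print(f"  stale: {e.name} ({e.size} bytes, {age} days old)")


if __name__ == "__main__":
    main()
```

Run it on the endpoint itself; a non-empty list of stale objects is the signal to compare the effective local settings with the policy rather than to delete the files by hand.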

Quarantine

Suspicious objects detected by the heuristic analyzer or by proactive protection are quarantined. Such objects are usually malicious, but until the corresponding records are added to the signature database, this cannot be known for sure.

Quarantine is a repository similar to the backup storage. In fact, it is the same folder on the hard drive, and the storage time and size limits apply to quarantine and backup storage alike.

Since suspicious objects may turn out to be harmless, it is useful to rescan them after the anti-virus databases are updated. This can be done automatically by selecting the Scan quarantined files after update check box next to the limit settings. Alternatively, quarantined objects can be rescanned manually from time to time.

The administrator can also restore or delete quarantined objects, just as with the backup storage. In addition, the administrator can manually quarantine an object that looks suspicious. This makes it easier to keep track of the object: it is rescanned after every update, and if the new databases detect malicious code in it, the administrator finds out right away.

Active Threats

Objects that were detected but not processed are shown as active threats. Their severity varies widely: a virus resident in system memory that blocks attempts to delete its file from the hard drive, and a malicious file found during an on-demand scan of an old archive for which the Skip action was chosen, are both counted as active threats.

Active threats are not placed into a repository like the backup storage or the quarantine. The detected objects stay where they were; the Active threats tab shows only information about them. For that reason, active threats are processed differently from objects in a repository.

You can try to disinfect or delete an object listed as an active threat (Disinfect action). This usually succeeds when the object became an active threat only because the Skip action was chosen for it. If the active threat is a virus resident in memory, however, neither disinfection nor deletion may succeed. In that case the administrator can open the file's location using the Go to file command and deal with it using special utilities.

The other available action, Delete, is intended for objects that the anti-virus cannot process for a legitimate reason, for example, an object located in a network folder for which the anti-virus has no write permission.



Centralized Repositories

Management Model

Processing active threats and repository objects only locally would be inconvenient. On the other hand, sending every object to a repository on the Administration Server would generate extra traffic and add to the Server's disk space requirements.

Kaspersky Administration Kit takes a different approach: information about local objects and active threats is sent to the Server, so the administrator can see these objects in Kaspersky Administration Console and issue commands to process them. The commands, in turn, are carried out locally on the client computers.

Sending information about local objects is controlled by the Kaspersky Anti-Virus policy. Next to the parameters that limit repository size and object storage time there are parameters for data sending. The area is named Notify Administration Server, and its parameters independently enable or disable sending information about each category of objects:

  • Quarantined objects
  • Backup objects
  • Unprocessed files

Unprocessed files are what the local interface calls active threats. Only the name differs; they are the same objects.

In the default policy, sending information about objects is enabled.

The settings for sending information about objects are implemented in the Kaspersky Anti-Virus policy starting from MP4. Earlier versions of Kaspersky Anti-Virus could also send data about quarantined and backup objects; they simply had no unprocessed files (active threats) category.

For older versions of Kaspersky Anti-Virus, the parameters for sending information about repository objects are located in the Network Agent policy, in the special 6.0 MP3 Compatibility settings area on the Repositories tab.

Objects’ Representation

In Kaspersky Administration Console, information about local objects is presented in the Repositories node. Each category of objects has a corresponding repository: Backup, Quarantine and Unprocessed files.

The console shows more information about objects than the local interface. With default settings, the following data is displayed for each object:

  • Computer where the object was detected and is stored
  • Name of the file (object)
  • Status of the object, for example, Disinfected, Suspicious or Added by the user
  • Current action, if the administrator has sent a command to scan, restore or delete the object
  • Date when the object was placed in the repository (or in the list, in the case of unprocessed files, which are not moved anywhere)
  • Name of the virus detected in the object

You can configure the Repositories node (View, Add/Remove Columns menu command) to display additional information:

  • Size of the object, in bytes
  • User logged on to the system when the object was detected
  • Restoration path, that is, full path to the object’s original location
  • Description added by the administrator for this object in Kaspersky Administration Console

The description can be added in the object properties window, which also compactly presents the complete information about the object.

Processing Objects

The console allows the same actions on objects as the local interface. The command is sent to the client computer, and until the result of the command is received, it is shown in the Current action column.

Since most actions can be performed in the console, it is easier to list those that cannot. First, you cannot manually quarantine a file. You can always do that, however, in the local anti-virus interface on the computer itself.

Second, you cannot scan a single quarantined file; you can only scan all quarantined objects on a computer. The Scan quarantined objects command actually runs the system task that scans the quarantine storage. This is a hidden task, which also starts after an update if the corresponding option is enabled. The task is visible neither in the local interface nor in Kaspersky Administration Console; only the local reports reveal its existence.

Also, as expected, you cannot open the folder containing an unprocessed file from the console. The console does, however, offer some actions that provide additional information about an object placed in a repository.

These actions are Go to computer and Computer properties. The former opens the group containing the computer on which the repository object resides; the latter opens the properties of that computer without leaving the repository. Which one to use depends on the situation.

From the computer properties you can open the list of the latest events on that computer and review the context of the incident. This is especially important for unprocessed files. If the computer's events show that the Skip action was applied to the file, it is sufficient to issue the Disinfect command remotely. If, on the other hand, the events show that disinfection and deletion have already been attempted without success, this is most likely an active infection and the incident needs close attention.
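
The decision procedure described in this section, together with the network-folder case from the Active Threats section, can be written down as a small triage script that an administrator runs over an export of the Unprocessed files repository before issuing commands. This is an added example, not Kaspersky Administration Kit code: the record layout (computer, file path, virus name, recent events) is constructed to mirror the console columns named in this article, the event wording used for matching (action: Skip, Disinfect failed, Delete failed, access denied) is an assumption rather than the product's exact strings, and the sample records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UnprocessedFile:
    computer: str
    path: str                 # restoration path shown in the console
    virus: str                # virus name detected in the object
    events: Tuple[str, ...]   # recent events on this computer (assumed wording)


def recommend(item: UnprocessedFile) -> Tuple[str, str]:
    """Return (action, reason) for one unprocessed file.

    Rules, following the article:
      - disinfection/deletion already failed on a network path the anti-virus
        cannot write to: the object cannot be processed for a legitimate
        reason, so the Delete action applies
      - disinfection/deletion already failed otherwise: probably an active
        infection; escalate for hands-on handling (Go to file, utilities)
      - the file was only skipped: issuing Disinfect remotely is enough
      - nothing relevant in the events: review the computer's event list first
    """
    related = [e for e in item.events if item.path.lower() in e.lower()]
    failed = [e for e in related if "failed" in e.lower()]
    if failed:
        on_share = item.path.startswith("\\\\")   # UNC path, assumed to mean a network folder
        if on_share and any("access denied" in e.lower() for e in failed):
            return "delete", "anti-virus has no write permission on the network folder"
        return "escalate", "disinfection/deletion already failed; possible active infection"
    if any("action: skip" in e.lower() for e in related):
        return "disinfect", "object was skipped, not resisting removal"
    return "review", "no matching events; inspect the computer's event list first"


def triage(items: List[UnprocessedFile]) -> Dict[str, List[Tuple[str, str]]]:
    """Group unprocessed files by recommended action: action -> [(computer, path)]."""
    groups: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for item in items:
        action, _reason = recommend(item)
        groups[action].append((item.computer, item.path))
    return dict(groups)


# Constructed sample records (not real console output).
SAMPLE: List[UnprocessedFile] = [
    UnprocessedFile("WS-101", r"C:\Archive\old-backup.zip", "sample-virus-1",
                    (r"On-demand scan: C:\Archive\old-backup.zip detected, action: Skip",)),
    UnprocessedFile("WS-102", r"C:\Windows\Temp\svc.exe", "sample-virus-2",
                    (r"Disinfect failed: C:\Windows\Temp\svc.exe (file in use)",
                     r"Delete failed: C:\Windows\Temp\svc.exe (file in use)")),
    UnprocessedFile("WS-103", r"\\fileserver\public\tool.exe", "sample-virus-3",
                    (r"Delete failed: \\fileserver\public\tool.exe (access denied)",)),
    UnprocessedFile("WS-104", r"D:\Downloads\setup.exe", "sample-virus-4", ()),
]


if __name__ == "__main__":
    for item in SAMPLE:
        action, reason = recommend(item)
        print(f"{item.computer:8} {action:10} {item.path}  [{reason}]")
```

The "escalate" group is the one that deserves attention first: for those computers the Disinfect command has already been tried, and repeating it from the console only delays the hands-on investigation.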






Kaspersky Lab

Copyright © 1997-2014 Kaspersky Lab