Actions on quarantined objects

This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To perform actions on quarantined objects in Kaspersky Endpoint Agent using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, you can type the following command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Type one of the following commands and press ENTER:
    • To permanently delete the quarantined objects, execute the following command:

      agent.exe --quarantine=delete --ouid=<comma-separated quarantined object identifiers. Required parameter> [--pwd=<current user password>].

      Objects with the specified identifiers will be deleted from the Quarantine folder on the devices. The Quarantine folder is specified when quarantine settings are configured.

    • To restore objects from quarantine, execute the following command:

      agent.exe --quarantine=restore --ouid=<comma-separated quarantined object identifiers. Required parameter> [--path-type=<one of the destination folder options to restore the objects from the quarantine: original|custom|settings. Optional parameter> --path=<path to the destination folder for restored objects. Required parameter if the --path-type parameter is passed and the original value is specified>] [--action=<one of the actions on the object: replace|rename. Optional parameter>] [--pwd=<current user password>].

    • To quarantine an object, execute one of the following commands:
      • agent.exe --quarantine=add [--file=<full path to the object you want to quarantine>] [--pwd=<current user password>].
      • agent.exe --quarantine=add [--hash=<hash of the object you want to quarantine. Required parameter if you do not specify the full path to the object and pass the --hashalg parameter>] --hashalg=<one of the hash types: md5|sha256. Required parameter if you do not specify the full path to the object> [--file=<path to the folder with the object that you want to quarantine>] [--pwd=<current user password>].

    Command parameters when performing actions on quarantined objects

    Parameter

    Description

    --ouid

    Required parameter. The parameter passes a unique numeric (int64) identifier of the quarantined object.

    Displayed when viewing information about quarantined objects (command --quarantine=show).

    --path-type=<original|custom|settings>

    The parameter describes the logic for the destination folder selection when restoring objects from quarantine.

    • If the parameter is not passed, the object will be restored to the original folder – the folder where the object was located before being quarantined. If the source folder is not available, the object will be restored to the folder specified when configuring quarantine settings.
    • If the parameter is passed with the <original> value, the object will be restored to the original folder – the folder where the object was located before being quarantined. If the source folder is not available, the object will be restored to the folder specified when configuring quarantine settings.
    • If the parameter is passed with the <settings> value, the object will be restored to the folder specified when configuring quarantine settings. If the folder is not available, the task fails.
    • If the parameter is passed with the <custom> value, the object will be restored to the folder, the path to which is specified as the value of the --path parameter. If the folder is not available, the task fails.

    --path=<path to the destination folder for restored objects>

    Required parameter if the --path-type parameter is passed with the <custom> value.

    This parameter defines the path where you want to create a folder for objects restored from the quarantine, if you do not want to use either the folder where the object was located before being quarantined or the folder specified when configuring quarantine settings.

    --action=<replace|rename>

    This parameter defines the action that you want to perform on the object if the destination folder for restored objects already contains a file with the same name as the file you are restoring from quarantine.

    • If the parameter is not passed, the restored object will be renamed: the _restored suffix will be added to the original object name.
    • If the parameter is passed with the <rename> value, the restored object will be renamed: the _restored suffix will be added to the original object name.
    • If the parameter is passed with the <replace> value, the original object will be replaced with the restored object.

    --file=<full path to the object you want to quarantine>

    Required parameter if the --hashalg parameter is not passed.

    The parameter defines the full path to the object that you want to quarantine.

    --hashalg=<md5|sha256>

    Required parameter if the --file parameter is not passed and the full path to the object you want to quarantine is not specified.

    The parameter defines the hashing algorithm to calculate the checksum of the object you want to quarantine.

    The parameter can be passed with one of the following values: <md5> or <sha256>.

    --hash=<file checksum>

    Required parameter if the --hashalg parameter is passed.

    The parameter defines the checksum of the object you want to quarantine.

    --file=<folder that contains the file>

    Required parameter if the --hashalg parameter is passed.

    This parameter specifies the path to the folder which contains the object that you want to quarantine and whose hash is specified as the value of the --hash parameter.

    --pwd=<current user password>

    Allows you to specify the password of the user whose account is used to execute the command.
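
The restore and add-by-hash rules from the table above, as an added PowerShell example that is not part of the Kaspersky documentation: two helper functions with hypothetical names validate the arguments before agent.exe is called from an elevated session. The object IDs and the D:\Restored folder are constructed sample values, the install folder is the one from step 2, and --pwd is omitted on the assumption that no password is required.

```powershell
# Added example (not Kaspersky code): build agent.exe --quarantine arguments
# following the parameter rules in the table above. Function names are hypothetical.
function Get-QuarantineRestoreArgs {
    param(
        [Parameter(Mandatory)] [long[]] $Ouid,   # int64 IDs shown by --quarantine=show
        [ValidateSet('original', 'custom', 'settings')] [string] $PathType,
        [string] $Path,
        [ValidateSet('replace', 'rename')] [string] $Action
    )
    if ($PathType -eq 'custom' -and -not $Path) {
        throw '--path is required when --path-type=custom'
    }
    if ($Path -and $PathType -ne 'custom') {
        # Choice made by this example: refuse rather than silently drop --path.
        throw '--path is only used here with --path-type=custom'
    }
    $argv = @('--quarantine=restore', "--ouid=$($Ouid -join ',')")
    if ($PathType) { $argv += "--path-type=$($PathType.ToLower())" }
    if ($Path)     { $argv += "--path=$Path" }
    if ($Action)   { $argv += "--action=$($Action.ToLower())" }
    return $argv
}

function Get-QuarantineAddByHashArgs {
    param(
        [Parameter(Mandatory)] [ValidateSet('md5', 'sha256')] [string] $HashAlg,
        [Parameter(Mandatory)] [string] $Hash,
        [Parameter(Mandatory)] [string] $Folder   # folder that contains the object
    )
    # Hex digest lengths: MD5 is 32 characters, SHA-256 is 64.
    $length = @{ md5 = 32; sha256 = 64 }[$HashAlg]
    if ($Hash -notmatch "^[0-9a-fA-F]{$length}`$") {
        throw "--hash must be a $($length)-character hex digest for $HashAlg"
    }
    return @('--quarantine=add', "--hash=$Hash", "--hashalg=$($HashAlg.ToLower())", "--file=$Folder")
}

# Constructed sample values: object IDs 101 and 102, destination D:\Restored.
# The install folder is the one used in step 2 of the procedure.
$agent = 'C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\agent.exe'
$restoreArgs = Get-QuarantineRestoreArgs -Ouid 101, 102 -PathType custom -Path 'D:\Restored' -Action rename
& $agent @restoreArgs
"agent.exe exit code: $LASTEXITCODE"
```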

Return codes of the --quarantine command:
