Actions on quarantined objects

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To perform actions on quarantined objects in Kaspersky Endpoint Agent using the command line interface:

  1. On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
  2. Using the cd command, navigate to the folder where the Agent.exe file is located.

    For example, enter the command cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\" and press ENTER.

  3. Do the following and press ENTER:
    • To permanently delete quarantined objects, execute the following command:

      agent.exe --quarantine=delete --ouid=<comma-separated quarantined object identifiers. Required parameter> [--pwd=<current user password>].

      Objects with the specified identifiers will be deleted from the Quarantine folder specified when quarantine settings are configured.

    • To restore objects from quarantine, execute the following command:

      agent.exe --quarantine=restore --ouid=<comma-separated quarantined object identifiers. Required parameter> [--path-type=<one of the destination folder options to restore the objects from quarantine: original|custom|settings. Optional parameter> --path=<path to the destination folder for restored objects. Required parameter if the --path-type parameter is passed with the custom value>] [--action=<one of the actions on the object: replace|rename. Optional parameter>] [--pwd=<current user password>].

    • To quarantine an object, execute one of the following commands:
      • agent.exe --quarantine=add [--file=<full path to the object you want to quarantine>] [--pwd=<current user password>].
      • agent.exe --quarantine=add [--hash=<hash of the object you want to quarantine. Required parameter if you do not specify the full path to the object and pass the --hashalg parameter>] --hashalg=<one of the hash types: md5|sha256. Required parameter if you do not specify the full path to the object> [--file=<path to the folder with the object that you want to quarantine>] [--pwd=<current user password>].

    Command parameters when performing actions on quarantined objects (each parameter is followed by its description):

    --ouid

    Required parameter. The parameter passes a unique numeric (int64) identifier of the quarantined object.

    Displayed when viewing information about quarantined objects (command --quarantine=show).

    --path-type=<original|custom|settings>

    The parameter describes the logic for destination folder selection when restoring objects from quarantine.

    • If the parameter is not passed, the object will be restored to the original folder – the folder where the object was located before being quarantined. If the source folder is not available, the object will be restored to the folder specified when configuring quarantine settings.
    • If the parameter is passed with the <original> value, the object will be restored to the original folder – the folder where the object was located before being quarantined. If the source folder is not available, the object will be restored to the folder specified when configuring quarantine settings.
    • If the parameter is passed with the <settings> value, the object will be restored to the folder specified when quarantine settings were configured. If the folder is not available, the task fails.
    • If the parameter is passed with the <custom> value, the object will be restored to the folder whose path is specified as the value of the --path parameter. If the folder is not available, the task fails.

    --path=<path to the destination folder for restored objects>

    Required parameter if the --path-type parameter is passed with the <custom> value.

    This parameter defines the path to a folder for objects restored from quarantine if you do not want to use the folder where the object was located before being quarantined or the folder specified when quarantine settings were configured.

    --action=<replace|rename>

    This parameter defines the action that you want to perform on the object if the destination folder for restored objects already contains a file with the same name as the file you are restoring from quarantine.

    • If the parameter is not passed, the restored object will be renamed: the _restored suffix will be added to the original object name.
    • If the parameter is passed with the <rename> value, the restored object will be renamed: the _restored suffix will be added to the original object name.
    • If the parameter is passed with the <replace> value, the original object will be replaced with the restored object.

    --file=<full path to the object you want to quarantine>

    A required parameter if the --hashalg parameter is not passed.

    This parameter defines the full path to the object that you want to quarantine.

    --hashalg=<md5|sha256>

    A required parameter if the --file parameter is not passed and the full path to the object you want to quarantine is not specified.

    The parameter defines the hashing algorithm to calculate the checksum of the object you want to quarantine.

    The parameter can be passed with one of the following values: <md5> or <sha256>.

    --hash=<file checksum>

    Required parameter if the --hashalg parameter is passed.

    The parameter defines the checksum of the object you want to quarantine.

    --file=<folder that contains the file>

    Required parameter if the --hashalg parameter is passed.

    This parameter specifies the path to the folder that contains the object that you want to quarantine and whose hash is specified as the value of the --hash parameter.

    --pwd=<current user password>

    Allows you to specify the password of the user whose account is used to execute the command.
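A PowerShell wrapper for the quarantine-by-hash and restore-to-custom-folder forms described in the steps and the parameter table above, added here as an example rather than taken from the Kaspersky documentation. The agent folder, the placeholder object identifier and file paths, and the assumption that a non-zero exit code signals failure are mine, not the page's.

```powershell
# Added example (not from the Kaspersky documentation): PowerShell wrapper around the
# agent.exe --quarantine commands described above. Assumptions: the agent folder below,
# a shell running as local administrator, and that a non-zero exit code means failure
# (the page does not list the return codes).
$AgentDir = 'C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent'
$Agent    = Join-Path $AgentDir 'agent.exe'

function Invoke-Agent {
    # Runs agent.exe from its own folder (step 2 above) and fails loudly on a bad exit code.
    param([Parameter(Mandatory)][string[]]$Arguments)
    Push-Location $AgentDir
    try {
        & $Agent @Arguments
        if ($LASTEXITCODE -ne 0) {
            throw "agent.exe $($Arguments -join ' ') exited with code $LASTEXITCODE"
        }
    } finally { Pop-Location }
}

function Add-QuarantineByHash {
    # Quarantines a file by checksum: the --hash/--hashalg form of --quarantine=add,
    # where --file is the folder that contains the object, not the file itself.
    param([Parameter(Mandatory)][string]$FilePath)
    $hash   = (Get-FileHash -Path $FilePath -Algorithm SHA256).Hash
    $folder = Split-Path -Path $FilePath -Parent
    Invoke-Agent -Arguments @(
        '--quarantine=add', "--hash=$hash", '--hashalg=sha256', "--file=$folder"
    )
}

function Restore-QuarantinedObject {
    # Restores objects by --ouid into a custom folder. -Replace overwrites a same-named
    # file there; without it the agent renames the restored copy with the _restored suffix.
    param(
        [Parameter(Mandatory)][long[]]$ObjectId,
        [Parameter(Mandatory)][string]$Destination,
        [switch]$Replace
    )
    $argList = @(
        '--quarantine=restore', "--ouid=$($ObjectId -join ',')",
        '--path-type=custom', "--path=$Destination"
    )
    if ($Replace) { $argList += '--action=replace' }
    Invoke-Agent -Arguments $argList
}

# Usage; the object identifier is a placeholder, take real ones from agent.exe --quarantine=show.
# Add-QuarantineByHash -FilePath 'C:\Temp\suspicious.bin'
# Restore-QuarantinedObject -ObjectId 1234 -Destination 'C:\Forensics\restored' -Replace
```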

Return codes of the --quarantine command:
