When integrated with Detection and Response solutions, on the command line, you can use Quarantine management commands to:
Restoring infected files may lead to a device infection.
Quarantine file
To quarantine a file, run the following command:
kesl-control [-Q] --put <file path> [--md5] [--sha256] [--save-original-file]
where:
<file path> is the path to the file that you want to quarantine.
--md5 is the MD5 hash of the file that you want to quarantine.
--sha256 is the SHA256 hash of the file that you want to quarantine.
--save-original-file keeps the original file. If you do not specify this option, the original file is deleted.
You can use this command only when integrated with Kaspersky Endpoint Detection and Response Optimum.
Viewing information about quarantined files
To view information about quarantined files, run the following command:
kesl-control -Q --query ["<filter conditions>"] [-n <number>] [--json]
where:
<filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value>', combined using the logical operator and to limit the results. If you do not specify any filter conditions, the application displays the details of all quarantined files.
<number> is the number of the most recent quarantined files that you want to display. If you do not specify the -n option, the last 30 files are displayed. Specify 0 to show all files.
--json: output data in JSON format.
The ObjectId line displays the numeric ID that the application assigned to the file when quarantining it. This ID is used to perform actions on the file, such as restoring the file or deleting it from Quarantine.
Restore files from Quarantine
To restore a file from Quarantine under its original name to its original location, execute the following command:
kesl-control -Q --restore <object ID>
where <object ID> is a numeric ID that the application assigned to the file when quarantined.
To restore a file from Quarantine under a new name to a specified directory, execute the following command:
kesl-control -Q --restore <object ID> --file <file path>
where --file <file path> is the new name of the file and the path to the directory where you want to save the file.
If the directory is deleted or the user does not have access rights to it, the application places the file in the /var/opt/kaspersky/kesl/common/restored/ directory. You can manually move the file from this directory to the directory of your choice.
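The restore-to-a-new-path procedure above, as an added example that is not part of the product documentation: a POSIX shell wrapper that validates the object ID, checks the destination before calling kesl-control, and reports when the file did not land at the requested path. The function names, the KESL_CONTROL override and the pre-check performed as the calling user are assumptions of this example.

```sh
#!/bin/sh
# Added example: guarded restore of a quarantined object to a review directory.
# KESL_CONTROL is an assumed override so the wrapper can be exercised with a stub.
KESL_CONTROL=${KESL_CONTROL:-kesl-control}
# Fallback directory named in the documentation above.
FALLBACK_DIR=/var/opt/kaspersky/kesl/common/restored

# The object ID is numeric: accept digits only, so nothing else reaches the CLI.
valid_object_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Check the destination as the calling user (an approximation of the
# application's own access check): directory present, writable, name unused.
check_destination() {
    cd_dir=$(dirname -- "$1")
    [ -d "$cd_dir" ] || { echo "no such directory: $cd_dir" >&2; return 2; }
    [ -w "$cd_dir" ] || { echo "directory not writable: $cd_dir" >&2; return 3; }
    [ ! -e "$1" ] || { echo "refusing to overwrite: $1" >&2; return 4; }
}

# restore_to <object ID> <file path>
# Prints the final path on success. Returns 6 when the command succeeded but
# the file is not at the requested path, in which case look in FALLBACK_DIR.
restore_to() {
    valid_object_id "$1" || { echo "object ID must be numeric: $1" >&2; return 1; }
    check_destination "$2" || return $?
    "$KESL_CONTROL" -Q --restore "$1" --file "$2" || return 5
    if [ -e "$2" ]; then
        printf '%s\n' "$2"
    else
        echo "not restored to $2; check $FALLBACK_DIR" >&2
        return 6
    fi
}
```

Source the file and call restore_to with an ObjectId taken from the --query output and a path in a directory reserved for reviewing restored files.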
Delete files from Quarantine
To delete selected files from Quarantine, run the following command:
kesl-control -Q --mass-remove --query "<filter conditions>"
where <filter conditions> is one or several logical expressions in the format <field> <comparison operator> '<value>', combined using the logical operator and to limit the results.
Examples: To delete files that contain "test" in their names or paths:
To delete all files from Quarantine, run the following command:
kesl-control -Q --mass-remove