Viewing information about quarantine settings and quarantined objects
September 13, 2022
ID 193450
This Help provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.
To view information about the quarantine settings and quarantined objects using the command line interface:
- On the device, run a command line interpreter (for example, Command Prompt cmd.exe) with the permissions of the local administrator.
- Using the cd command, navigate to the folder where the Agent.exe file is located. For example, you can type the following command and press ENTER:
  cd "C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent\"
- Enter one of the following commands and press ENTER:
  - agent.exe --quarantine=show [--pwd=<current user password>], to view a list of quarantined objects.
    The following information will be displayed on all objects in the Quarantine folder on the devices (the Quarantine folder is specified when quarantine settings are configured):
    - Identifiers of objects quarantined by the current moment (ouid parameter).
    - Names of quarantined objects (name + extension).
    - Date and time when the object was quarantined (UTC).
    - Original path to the quarantined file and default path for restoring the quarantined file (without file name).
    - Size of quarantined file (in bytes).
    - User account whose permissions were used to run the task for quarantining the file.
    - Object status:
      - DETECT if the file was quarantined by EPP or while performing actions in response to a threat detected by Kaspersky Sandbox. For example, as a result of the Quarantine and delete local action or the Quarantine and delete when IOC is found global action.
      - CUSTOM if the file was quarantined manually, as a result of the --quarantine=add command execution.
    - The way the file was quarantined:
      - AUTOMATIC_<name of the application that detected a threat in the quarantined file>, if the file was quarantined by EPP or while performing actions in response to a threat detected by Kaspersky Sandbox. For example, as a result of the Quarantine and delete local action or the Quarantine and delete when IOC is found global action.
      - BY USER if the file was quarantined manually, as a result of the --quarantine=add command execution.
  - agent.exe --quarantine=limits, to view the current values of the Maximum Quarantine size (MB) and Threshold value for space available (MB) settings, as well as the statuses of applying these settings (check box statuses) specified when configuring the quarantine.
Return codes of the --quarantine command:
- -1 – command is not supported.
- 0 – command successfully executed.
- 1 – required argument is not passed to the command.
- 2 – general error.
- 4 – syntax error.
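An added example, not part of the Kaspersky Help: a PowerShell wrapper for the procedure above that runs both documented queries from an elevated session, saves their raw output, and translates each return code using the list above. The output folder and file names are assumptions, and the optional --pwd argument is not passed.

```powershell
# Added example: run the two documented --quarantine queries and keep the raw output.
param(
    # Assumption: default install folder, taken from the cd example in the procedure.
    [string]$AgentDir = 'C:\Program Files (x86)\Kaspersky Lab\Endpoint Agent',
    # Hypothetical output folder for the captured listings.
    [string]$OutDir = (Join-Path $env:TEMP 'kea-quarantine')
)

# Return codes of the --quarantine command, as listed on the Help page.
$ReturnCodes = @{
    '-1' = 'command is not supported'
    '0'  = 'command successfully executed'
    '1'  = 'required argument is not passed to the command'
    '2'  = 'general error'
    '4'  = 'syntax error'
}

# The procedure requires local administrator permissions; stop early if not elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (local administrator) session.'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')

Push-Location $AgentDir
try {
    $results = foreach ($query in 'show', 'limits') {
        # Output is stored as-is; its layout is not parsed because the page does not specify it.
        $outFile = Join-Path $OutDir "quarantine-$query-$stamp.txt"
        & .\agent.exe "--quarantine=$query" 2>&1 | Out-File -FilePath $outFile -Encoding utf8
        $code = $LASTEXITCODE
        $meaning = $ReturnCodes["$code"]
        if (-not $meaning) { $meaning = 'undocumented return code' }
        [pscustomobject]@{
            Query = $query; ReturnCode = $code; Meaning = $meaning; Output = $outFile
        }
    }
}
finally {
    Pop-Location
}

$results | Format-Table -AutoSize
# A non-zero code on either query makes the script fail for schedulers and management tools.
if ($results | Where-Object { $_.ReturnCode -ne 0 }) { exit 1 }
```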