Managing quarantined files on the command line

When integrated with Detection and Response solutions, on the command line, you can use Quarantine management commands to:

• Put files into Quarantine (only when integrated with Kaspersky Endpoint Detection and Response Optimum or with Kaspersky Managed Detection and Response).
• View information about quarantined files.
• Delete all files or specified files from Quarantine.
• Restore files from Quarantine.

Restoring infected files may lead to a device infection.

Quarantine file

To quarantine a file, run the following command:

kesl-control [-Q] --put <file path> [--md5] [--sha256] [--save-original-file]

where:

• <file path> is the path to the file that you want to quarantine.
• --md5 is the MD5 hash of the file that you want to quarantine.
• --sha256 is the SHA256 hash of the file that you want to quarantine.
• --save-original-file keeps the original file. If you do not specify this option, the original file is deleted.

  The original file is deleted only if the user account has permission to delete objects. If the rights are insufficient, a file deletion error message is displayed.

You can use this command only when integrated with Kaspersky Endpoint Detection and Response Optimum or with Kaspersky Managed Detection and Response.

Viewing information about quarantined files

To view information about quarantined files, run the following command:

kesl-control -Q --query ["<filter conditions>"] [-n <number>] [--json]

where:

• <filter conditions>: one or several logical expressions in the format <field> <comparison operator> '<value >', combined with the help of the logical operator and to limit the results. If you do not specify any filter conditions, the application will display the details of all quarantined files.
• <number> is the number of the most recent quarantined files that you want to display. If you do not specify the -n option, the last 30 files are displayed. Specify 0 to show all files.
• --json: output data in JSON format.

The ObjectId line displays the numeric ID that the application assigned to the file when quarantining it. This ID is used to perform actions on the file, such as restoring the file or deleting it from Quarantine.

Restore files from Quarantine

To restore a file from Quarantine under its original name to its original location, execute the following command:

kesl-control -Q --restore <object ID>

where <object ID> is a numeric ID that the application assigned to the file when quarantined.

To restore a file from Quarantine under a new name to a specified directory, execute the following command:

kesl-control -Q --restore <object ID> --file <file path>

where --file < file path> is the new name of the file and the path to the directory where you want to save the file.

You can restore a file from Quarantine to a different directory only if your user has root rights. If your user's rights are insufficient, a file can only be restored to its original location.

Delete files from Quarantine

To delete selected files from Quarantine, run the following command:

kesl-control -Q --mass-remove --query "<filter conditions>"

where <filter conditions> is one or several logical expressions in the format <field> <comparison operator> '<value>', combined with the help of the logical operator and to limit the results.

Examples: To delete files that contain "test" in their names or paths: kesl-control -Q --mass-remove --query "FileName like '%test%'"

To delete all files from Quarantine, run the following command:

kesl-control -Q --mass-remove

Page top