Move file to Quarantine
When responding to threats, Kaspersky Endpoint Detection and Response may create Move file to Quarantine tasks to minimize the consequences of a threat. Quarantine is a special local storage on the computer. Users can quarantine files that they consider dangerous to the computer. Quarantined files are stored in encrypted form and therefore do not compromise the device's security. Kaspersky Industrial CyberSecurity for Nodes uses Quarantine only when working with Detection and Response solutions: EDR Optimum and KATA (EDR). In other cases Kaspersky Industrial CyberSecurity for Nodes places the relevant file in Backup. For details on managing Quarantine as part of these solutions, refer to the Kaspersky Endpoint Detection and Response Optimum Help and the Kaspersky Anti Targeted Attack Platform Help.
You can create Move file to Quarantine tasks in the following ways:
- In alert details (only for EDR Optimum).
Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details include, for example, the history of files appearing on the computer.
- Using the Task Wizard.
You must enter the file path or hash (SHA256 or MD5), or both the file path and the file hash.
The Move file to Quarantine task has the following limitations:
- The file size must not exceed 100 MB.
- System Critical Objects (SCO) cannot be quarantined. SCOs are files that the operating system and the Kaspersky Industrial CyberSecurity for Nodes application require to be able to run.
To create the Move file to Quarantine task:
- In the main window of the Web Console, select Devices → Tasks.
The list of tasks opens.
- Click Add.
- Configure the task settings:
- In the Application drop-down list, select Kaspersky Industrial CyberSecurity for Nodes.
- In the Task type drop-down list, select Move file to Quarantine.
- In the Task name field, enter a brief description of the task and click Next.
- In the Task scope section, select managed devices and click Next.
- Enter the account credentials of the user whose rights you want to use to run the task. Click Next.
By default, Kaspersky Industrial CyberSecurity for Nodes starts the task as the system user account (SYSTEM).
- Finish the wizard by clicking the Finish button. A new task will be displayed in the list of tasks.
- Click the new task. The task properties window opens.
- Select the Application settings tab.
- In the list of files, click Add. The file adding wizard starts.
- To add the file, enter the full path to the file, or its checksum together with a folder path.
If the file is located on a network drive, enter the file path starting with \\, and not the drive letter. For example, \\server\shared_folder\file.exe. If the file path contains a network drive letter, you can get a File not found error.
- In the task properties window, select the Schedule tab. Configure the task schedule.
Wake-on-LAN is not available for this task. Make sure the computer is turned on to run the task.
- Click Save.
- Select the check box next to the task and click the Start button.
As a result, Kaspersky Industrial CyberSecurity for Nodes moves the file to Quarantine.
If the file is locked by a different process, the task is displayed as Passed, but the file itself is quarantined only after the computer is restarted. After restarting the computer, confirm that the file is deleted.
The Move file to Quarantine task can finish with the Not enough space in Quarantine storage error if you are trying to quarantine a file that is too large. Empty the Quarantine or increase its size. Then try again.
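As an added example (not code from Kaspersky or this help page), the following PowerShell function checks a file against the task requirements above before the task is created: the 100 MB limit, the UNC-path requirement for files on network drives, and the SHA256/MD5 hashes the wizard accepts. The function name and its report fields are my own; it only reads the file and moves nothing.

```powershell
# Added example, not Kaspersky's code. Checks a candidate file against the task
# requirements described on this page before the Move file to Quarantine task is
# created: 100 MB size limit, UNC path for network files, SHA256/MD5 for the wizard.
# The file is only read; nothing is moved.
function Test-QuarantineCandidate {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    $maxBytes = 100MB                       # limit stated in the task limitations
    $report = [ordered]@{
        Path = $Path; Exists = $false; SizeOK = $false; PathOK = $false
        SHA256 = $null; MD5 = $null; Warnings = @()
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $report.Warnings += "File not found: $Path"
        return [pscustomobject]$report
    }
    $report.Exists = $true
    $item = Get-Item -LiteralPath $Path

    # Limitation: the file size must not exceed 100 MB.
    $report.SizeOK = ($item.Length -le $maxBytes)
    if (-not $report.SizeOK) {
        $report.Warnings += ("{0:N0} bytes exceeds the 100 MB task limit" -f $item.Length)
    }

    # A mapped drive letter produces a "File not found" error in the task; the path
    # must start with \\ (for example \\server\shared_folder\file.exe).
    if ($Path.StartsWith('\\')) {
        $report.PathOK = $true
    } else {
        $drive = New-Object -TypeName System.IO.DriveInfo -ArgumentList ($item.PSDrive.Name + ':')
        $report.PathOK = ($drive.DriveType -ne 'Network')
        if (-not $report.PathOK) {
            $unc = (Get-PSDrive -Name $item.PSDrive.Name).DisplayRoot
            $report.Warnings += "Mapped network drive; enter the UNC form instead: $unc"
        }
    }

    # Either hash is accepted by the wizard, alone or together with the path.
    $report.SHA256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $report.MD5    = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    return [pscustomobject]$report
}

# Usage: Test-QuarantineCandidate -Path 'C:\Temp\suspect.exe' | Format-List
```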
You can restore a file from Quarantine or empty the Quarantine using Kaspersky Security Center Web Console. You can restore objects locally on the computer using the command line.
Restoring a file from Quarantine or Backup to its original folder
Kaspersky Industrial CyberSecurity for Nodes uses Quarantine only when working with EDR Optimum and KATA (EDR) solutions. In other cases Kaspersky Industrial CyberSecurity for Nodes places the relevant file in Backup. For details on managing Quarantine as part of solutions, please refer to the Kaspersky Endpoint Detection and Response Optimum Help and Kaspersky Anti Targeted Attack Platform Help.
The object is quarantined under the system account (SYSTEM).
Restoring files from Quarantine involves the following special considerations:
- If the destination folder has been deleted or the user does not have access rights to that folder, the application places the file in the %DataRoot%\QB\Restored folder. Then you must manually move the file to the destination folder.
- The application treats the name of the file being restored as case sensitive. If you do not observe the case when entering the file name, the application does not restore the file.
- If the destination folder already has a file with the same name, the application cancels the restoration of the file if the /replace parameter is not specified in the command.
- If you are using the KATA (EDR) solution, the application saves a copy of the file in Quarantine after restoring the file. You can clear the Quarantine manually. For the EDR Optimum solution, the application deletes the file after restoration.
To run the command, go to the folder where the kavshell.exe executable file is located. You can also add the executable file path to the %PATH% system variable and run the command without navigating to the application folder.
Command syntax
KAVSHELL restore <name of the file to restore> [/replace] [/quarantine] [/backup] [/login=<name of the current user account>] [/PWD=</login password or KLAdmin password if /login is not specified>]
Example
KAVSHELL restore file.txt /replace /PWD=samplePassword
Command return values:
- -1: The command is not supported by the version of the application that is installed on the computer.
- 0: The command completed successfully.
- 1: A mandatory argument was not passed to the command.
- 2: General error.
- 4: Syntax error.
- 9: Wrong operation (for example, an attempt to disable a component that is already disabled).
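As an added example (not Kaspersky's code), this PowerShell wrapper runs the KAVSHELL restore command with the parameters listed above and maps the documented return values to a result object. The function name, its parameters and the assumption that kavshell.exe is on %PATH% or in the folder passed as -KavshellDir are mine.

```powershell
# Added example, not Kaspersky's code. Runs "KAVSHELL restore" with the parameters
# listed on this page and translates the documented return value into a result object.
# Assumes kavshell.exe is on %PATH% or its folder is given in -KavshellDir.
$script:KavshellReturnCodes = @{
    '-1' = 'The command is not supported by the installed application version'
    '0'  = 'The command completed successfully'
    '1'  = 'A mandatory argument was not passed to the command'
    '2'  = 'General error'
    '4'  = 'Syntax error'
    '9'  = 'Wrong operation (for example, disabling a component that is already disabled)'
}

function Restore-KavshellObject {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $FileName,          # case-sensitive, as stored
        [ValidateSet('Quarantine', 'Backup')] [string] $Source = 'Quarantine',
        [switch] $Replace,                                   # adds /replace
        [string] $Login,                                     # adds /login=<account>
        [string] $Password,                                  # adds /PWD=<password>
        [string] $KavshellDir
    )
    $exe = if ($KavshellDir) { Join-Path $KavshellDir 'kavshell.exe' } else { 'kavshell.exe' }
    if (-not (Get-Command $exe -ErrorAction SilentlyContinue)) {
        throw "kavshell.exe not found; add its folder to PATH or pass -KavshellDir"
    }

    # Without /replace the restore is cancelled if the destination already holds
    # a file with the same name.
    $cmdArgs = @('restore', $FileName, "/$($Source.ToLower())")
    if ($Replace)  { $cmdArgs += '/replace' }
    if ($Login)    { $cmdArgs += "/login=$Login" }
    if ($Password) { $cmdArgs += "/PWD=$Password" }

    $output = & $exe @cmdArgs 2>&1
    $code = $LASTEXITCODE
    $meaning = $script:KavshellReturnCodes["$code"]
    if (-not $meaning) { $meaning = 'Undocumented return value' }

    [pscustomobject]@{
        FileName = $FileName
        Source   = $Source
        ExitCode = $code
        Meaning  = $meaning
        Success  = ($code -eq 0)
        Output   = ($output | Out-String).Trim()
    }
}

# Usage: Restore-KavshellObject -FileName 'file.txt' -Replace -Password 'samplePassword'
```

A return value of 0 does not guarantee the file is back in its original folder: as noted above, it lands in %DataRoot%\QB\Restored when the destination folder is missing or inaccessible, so check that location too.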