where is the quarantine located

  • Question

  • 1) If a file is moved to quarantine, where is it located?

    2) Is there any script which moves the file back to the original location (for thousands of computers) in case of a false positive?

     

    Thanks

    Wednesday, October 24, 2007 5:20 AM

All replies

  • The quarantined files are stored as CAB files in a subfolder under C:\ProgramData or C:\Documents and Settings\All Users. I'm not sure if such a script exists, however. Hope that helps.

    Saturday, October 27, 2007 8:20 PM
  • Yes, thanks, I could find it (my EICAR test) under:

    C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Quarantine

     

    There are 3 Files:

    29.10.2007  06:58               605 DATA.CAB
    29.10.2007  06:58               642 Manifest.ini
    29.10.2007  06:58               642 Manifest.qrm

     

    The DATA.CAB includes:

    29.10.2007  06:58               642 Manifest.ini
    29.10.2007  06:58               296 RESOURCE1

     

    But I was not able to restore it from Quarantine.


    Monday, October 29, 2007 10:05 AM
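The listing above gives enough to script the first half of the original question, finding quarantined items across many machines, even though the thread does not give a scripted restore. The following PowerShell is an added example, not code from the thread or from the Forefront Client Security product: it walks the quarantine folder on each computer over the C$ admin share, copies each entry (DATA.CAB, Manifest.ini, Manifest.qrm) to a local staging folder and unpacks the CAB with the built-in expand.exe so the manifest and RESOURCE1 can be reviewed offline. Assumptions not stated in the thread: the computer names are constructed; the English name of the localized "Anwendungsdaten" folder is "Application Data"; the account running it has admin rights on every target (the poster says they have access to all computers). It only reads and copies; it does not put anything back in its original location.

```powershell
# Added example: inventory and stage Forefront Client Security quarantine entries
# from many computers. Not the product's own tooling; it does not restore files.
param(
    # Constructed sample names; replace with the real list (e.g. from AD or a file).
    [string[]]$ComputerName = @('PC001', 'PC002'),
    [string]$Staging = 'C:\FCS-QuarantineReview'
)

# Both locations named in the thread: Vista+ (ProgramData) and XP/2003 (All Users).
# "Application Data" is assumed to be the English name of "Anwendungsdaten".
$relativePaths = @(
    'ProgramData\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Quarantine',
    'Documents and Settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Quarantine'
)

$results = foreach ($pc in $ComputerName) {
    foreach ($rel in $relativePaths) {
        $remote = "\\$pc\C$\$rel"
        if (-not (Test-Path -LiteralPath $remote)) { continue }

        # Every quarantined item is represented by a DATA.CAB; search recursively in case
        # the product keeps multiple items in subfolders (the thread shows only one item).
        Get-ChildItem -LiteralPath $remote -Recurse -Filter 'DATA.CAB' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $entryDir = $_.Directory
                $sub = $entryDir.FullName.Substring($remote.Length).TrimStart('\')
                if ($sub -eq '') { $sub = 'root' }
                $dest = Join-Path $Staging (Join-Path $pc $sub)
                New-Item -ItemType Directory -Path $dest -Force | Out-Null

                # Copy the whole entry (DATA.CAB, Manifest.ini, Manifest.qrm) for offline review.
                Copy-Item -Path (Join-Path $entryDir.FullName '*') -Destination $dest -Force

                # expand.exe is the built-in Windows CAB extractor; -F:* extracts every member
                # (Manifest.ini and RESOURCE1 in the thread's listing).
                & expand.exe -F:* (Join-Path $dest 'DATA.CAB') $dest | Out-Null

                [pscustomobject]@{
                    Computer    = $pc
                    Entry       = $sub
                    Quarantined = $_.LastWriteTime
                    Manifest    = Get-Content -LiteralPath (Join-Path $dest 'Manifest.ini') -Raw
                    Staged      = $dest
                }
            }
    }
}

$results | Sort-Object Computer, Quarantined | Format-Table Computer, Entry, Quarantined, Staged -AutoSize
$results | Export-Csv -Path (Join-Path $Staging 'quarantine-inventory.csv') -NoTypeInformation
```

Two caveats for anyone running this. First, the staging folder holds whatever the product quarantined, so treat it as untrusted input: review it on a machine whose own antimalware either excludes that folder or is expected to re-detect the content, and never execute RESOURCE1. Second, in the thread's listing RESOURCE1 is 296 bytes while the EICAR test string is 68 bytes, which suggests the stored copy is not the original file byte-for-byte; the thread does not say how it is stored, so this script makes no attempt to turn RESOURCE1 back into the original file. Confirming a false positive from the manifest and then restoring through the supported path (the client UI, or FCS support as described later in the thread) is the intended workflow.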
  • FCS quarantine is managed through the FCS antimalware client UI.  If you wish to restore, simply choose Tools > Quarantine Items.  Check the box(es) next to what you would like to restore and click the Restore button.


    Thanks,

    Craig

     

    Tuesday, November 13, 2007 5:50 PM
  • I have over 1000 computers.
    So if there could be a false positive, the solution with the help of the client is no workaround for me.

    That's the reason why I am looking for a different procedure.

    I need a procedure to restore infected files on over 1000 computers.
    (I have access to all computers.)

    Please look at my question number 2.


    >>1) If a file is moved to quarantine, where is it located?

    >>2) Is there any script which moves the file back to the original location (for thousands of computers) in case of a false positive?


    Thanks!!
    Wednesday, November 14, 2007 6:15 AM
  • In the meantime, does somebody know how to restore an infected file for the scenario listed above?
    Wednesday, November 28, 2007 6:02 AM
  • Sorry for the delay.  You raise a reasonable scenario.  Allow me to do some additional research and I will post back.

     

    -Craig

    Thursday, January 3, 2008 4:58 PM
  • Unfortunately, there is not a facility in the FCS v1 product to address your scenario of restoring from quarantine on 1,000 machines without manual UI action.

     

    If something of this nature were to occur, we would request that you contact FCS support and our team would work with you on developing a solution to the specific problem; likely through the use of non-publicly available utilities.  Before you ask, no I cannot post those utilities to this forum for your evaluation.  :)

     

    As I mentioned previously, this is a reasonable scenario and one which will be taken under consideration for the next version of FCS.

     


    Thanks,

    Craig

    Tuesday, January 8, 2008 9:26 PM
  • Thank you, Craig.

    Thursday, January 10, 2008 6:06 AM