Siketa

CLOSED Quarantine Re-Scan


File was detected by behavior blocker and auto-quarantined.

Later, due to my submission, its verdict was changed to Safe.

 

But, after re-scanning the quarantine, EAM reports there are no false positives.

These entries should be automatically purged in such cases.


Hi Siketa,

 

Quarantine re-scans are only applied to items that were moved to Q by a signature-based detection (File Guard or Scan).

This is why these Behavior Blocker entries were not re-qualified.

 

Automatic deletion of items that sit in Quarantine is a no go, as you can imagine.


OK...could it be improved to also scan BB detections?

In a case like the one I described, it would remove entries that were first blocked but later changed to safe.


That seems better. Sometimes when I visit customers I see files in quarantine because of BB by user. It is more user-friendly when files that are safe are automatically moved to their original location.


There is a major difference between the File Guard and Behavior Blocker:

 

The Behavior Blocker monitors behavior and doesn't need signatures.

The File Guard scans files in real time, and depends on signatures.

 

This is why re-scanning items that were moved to Quarantine by the Behavior Blocker makes no sense.

 

"It is more user-friendly when files that are safe are automatically moved to their original location."

 

 

It would not be user-friendly if EAM overwrote already restored programs automatically.

This would add huge complexity and unwanted situations, which require user input.

 

This is why items that were moved to Quarantine (automatically or manually) stay safely and encrypted in Quarantine, where they can do no harm, until the user decides what to do with these items (delete or restore).

This topic is now closed to further replies.
