Agent commands and quarantine

  • 16 July 2013
  • 8 replies

Userlevel 3
One thing is not quite clear to me. What is the difference between the agent commands Scan and Cleanup? It seems to me that they both will launch the scan and quarantine malicious files. And one more thing - is it possible to permanently delete files from quarantine using the console? Thanks

Best answer by JimM 16 July 2013, 20:55


Userlevel 7
A cleanup will remove old temp files, recent document history, run history, address bar history, temporary internet files, URL history, the index.dat, recycle bin contents, and search history.

There isn't currently any agent command to purge the quarantine on a system. As you know, quarantined items cannot harm a system in any way, as they are rendered completely inert. There is a workaround for deleting the quarantine by sending a DOS command to delete dbl.db from the WRData folder, but this is not currently supported. An agent command for deleting the quarantine is being developed.
Userlevel 3
Thanks for the answer. From what you write, a command "Clean up" seems rather like executing a System Cleaner. However, in the description it says that what it does is "Start a scan and automatically quarantine malicious files". Don't you think that it's a little bit confusing?
Userlevel 7
I completely misunderstood what you were asking. So no, the agent command "Clean Up" has nothing to do with System Cleaner. It scans and quarantines. A regular scan just scans without remediation.
I agree that we could do with a better naming convention on that command.
Userlevel 3
Thanks, it all makes sense now:) One more question, if the command Scan doesn't perform remediation what happens if an infection is found after executing this command?
Userlevel 7
The console will tell you an endpoint needs attention.
Userlevel 3
Sorry for being persistent but I need this clarified :D So what happens if for some reason an administrator cannot perform a clean up straight away? Is the infection free to roam until he decides to quarantine it?
Userlevel 7
The threat will continue to be monitored and journaled until either the threat is overridden as an FP or removed as an actual threat. As long as your policy auto-remediates, this isn't a concern.
Userlevel 3
I understand:) Thanks a lot for taking time and explaining that.