Recover file from quarantine

Well - Security quarantined nnotes.dll, which is part of the "HCL Notes" installation.
Now I am trying to find out how to get the file back without the need to reinstall the application.
I created a rule exception and I can find the file in _.quarantine.
But it seems to be encrypted?
Shouldn't it be possible to recover a "false alert" from quarantine via the GUI?
Am I missing a command for this?

Hi @GKre,

I'm sorry you've run into this. We've actually identified this as a "bug" because it's confusing to users, and we are trying to identify the best way to fix this.

A rule exception runs in Kibana and generally doesn't impact behavior on the Endpoint. In order to get your file released from quarantine (and prevent it from being quarantined again), you need to add an Endpoint Exception (which is about halfway down the documentation page for exceptions). Add and manage exceptions | Elastic Security Solution [8.11] | Elastic

Adding an Endpoint exception will end up sending an update to your Endpoint in a few minutes which will release the file from quarantine and prevent it from being quarantined again.

Let me know if you run into any issues getting it released.

Thank you Nick,
I will give this a try. And I will see if the system creates a new problem, as in the meantime I repaired my installation so the file is in place.
What will happen? Will the system replace it anyway? Let's check it out ...
To make a suggestion: to release a file from quarantine, there could be an action in the alert?
For me this would make more sense than creating an "Endpoint Exception".
And the "rule exception" in Kibana is "without value" as it will not prevent the quarantine?

That is a good idea. I'm making sure it's included on the internal issue we have tracking how we want to make it better. At a minimum, we think Rule Exceptions (which don't prevent Endpoint Preventions like the quarantine) probably shouldn't apply to Alerts from Endpoints.

Like in your case, it ends up just hiding a problem (you wouldn't have seen future detections and quarantines for nnotes.dll because of your Rule Exception). And ideally, if you're pivoting from an Endpoint Alert to create an exception, it should be an Endpoint Exception, not a Rule Exception.

Well - handling the alarm, I can normally come to the conclusion that it is an incident or a false alarm. In case of a false alarm the GUI could offer the option to:

  • release the file in quarantine
    and / or
  • create an endpoint exception (matching the path + filename)
    I normally would check the available actions. So this could be a good place.
    Thx.
    Günter

@NickFritts I would argue that being able to tune the Endpoint Security rule with Rule Exceptions is quite beneficial. It gives us the ability to "tune out" lower priority alerts (while still having them logged) that only need to be reviewed daily or weekly while allowing the higher priority alerts to come through to the dashboard for immediate attention. Removing that capability introduces the potential for alert fatigue in larger environments and could encourage making Endpoint Exceptions for things that the organization may not want to allow but need to out of a necessity to reduce the alert volume being handled by analysts.

I have a handful of use cases if you would like to discuss this more directly.

Hi @guessWho,

I'm still booting up my brain, but I'd love to hear your examples. The case I'm currently thinking of (just continuing with the malicious file activity) is that you have endpoints on your network that are frequently detecting the same malicious file and quarantining it, and you've agreed it's malicious behavior, but you want to set a rule exception so you no longer get alerts when that file is quarantined?

@NickFritts

OneLaunch is a good example where it gets caught in the detections and is blocked. Most organizations would consider it good to be blocked (more of a hygiene thing) but not consider it an alert that requires immediate investigation or an indication that a host has been compromised. Adding a rule exception for it means it still gets blocked and logged by Defend but does not generate an alert.

Another use case is managing alert fatigue. Some organizations don't want an alert every time a security tool does its job or only want to know if it's something that they would consider a higher severity needing review and analysis.

My main concern with removing Rule Exceptions is that the only way to manage alerts would be adding Endpoint Exceptions or Trusted Applications, which directly impact organizational risk. I think the documentation around the nuances of Rule Exceptions, Endpoint Exceptions, and Trusted Applications is a little tricky to understand, which may be the cause of some of the confusion. I know that our team (we are an MSSP) has found great power in the granularity of being able to make these finely detailed manipulations to suit our and our customers' needs.

Hopefully that sheds some light on our use cases.


Crazy things are happening ...
I configured the exception and in the history I can see:

message
    PlatformQuarantineManager.cpp:1029 Could not restore C:\Program Files\HCL\Notes\nnotes.dll because destination path already exists
@timestamp
    Nov 21, 2023 @ 08:24:05.404
agent.ephemeral_id
    55a90a7d-11be-4207-aee0-f25f8544934d
agent.id
    1cdef3fc-1562-4880-a0e7-d7f50fee0d6b
agent.name
    Z440
agent.type
    endpoint
agent.version
    8.10.4
component.binary
    endpoint-security
component.dataset
    elastic_agent.endpoint_security
component.id
    endpoint-default
component.type
    endpoint
data_stream.dataset
    elastic_agent.endpoint_security

So - the system wanted to restore the file, but as I did a repair before, this was not possible. But - the file had been quarantined again?

message
    PlatformQuarantineManager.cpp:895 Successfully quarantined file: C:\Program Files\HCL\Notes\nnotes.dll
@timestamp
    Nov 21, 2023 @ 08:25:21.039
agent.ephemeral_id
    55a90a7d-11be-4207-aee0-f25f8544934d
agent.id
    1cdef3fc-1562-4880-a0e7-d7f50fee0d6b
agent.name
    Z440
agent.type
    endpoint
agent.version
    8.10.4
component.binary
    endpoint-security
component.dataset
    elastic_agent.endpoint_security
component.id
    endpoint-default
component.type
    endpoint
data_stream.dataset
    elastic_agent.endpoint_security
data_stream.namespace

So Elastic has the exception configured but is again quarantining the file, and more strangely, there's no alert for this in the GUI. Only in the log:

message
    FileScore.cpp:1269 Sending alert for [C:\PROGRAM FILES\HCL\NOTES\NNOTES.DLL]
@timestamp
    Nov 21, 2023 @ 08:25:18.746
agent.ephemeral_id
    55a90a7d-11be-4207-aee0-f25f8544934d
agent.id
    1cdef3fc-1562-4880-a0e7-d7f50fee0d6b
agent.name
    Z440
agent.type
    endpoint
agent.version
    8.10.4
component.binary
    endpoint-security
component.dataset
    elastic_agent.endpoint_security
component.id
    endpoint-default
component.type
    endpoint
data_stream.dataset
    elastic_agent.endpoint_security
data_stream.namespace
    default
data_stream.type
    logs
ecs.version
    1.11.0
elastic_agent.id
    1cdef3fc-1562-4880-a0e7-d7f50fee0d6b
elastic_agent.snapshot
    false
elastic_agent.version
    8.10.4
event.agent_id_status
    verified
event.d

What am I missing?

This is what i configured in "Endpoint Security Exception List":

OS IS Windows
process.executable IS C:\Program Files\HCL\Notes\nlnotes.exe
AND file.path IS C:\Program Files\HCL\Notes\nnotes.dll

To check, I removed the "process.executable" and left only the file path.
It had been restored. Unfortunately there's still a problem with the restored DLL. I will again repair the installation.
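As an added example (not from the thread and not Elastic's code), a small Python script that groups endpoint-security messages like the ones quoted above by file path and flags a failed restore that is followed by a new quarantine of the same file. The sample log lines are constructed from the messages shown in the thread; paths are compared case-insensitively because the alert line shows the path upper-cased while the quarantine lines show it mixed-case.

```python
import re
from collections import defaultdict

# Constructed sample (timestamp, message) pairs, taken from the endpoint-security
# messages quoted in this thread.
SAMPLE_LOG = [
    ("2023-11-21T08:24:05.404",
     "PlatformQuarantineManager.cpp:1029 Could not restore C:\\Program Files\\HCL\\Notes\\nnotes.dll because destination path already exists"),
    ("2023-11-21T08:25:18.746",
     "FileScore.cpp:1269 Sending alert for [C:\\PROGRAM FILES\\HCL\\NOTES\\NNOTES.DLL]"),
    ("2023-11-21T08:25:21.039",
     "PlatformQuarantineManager.cpp:895 Successfully quarantined file: C:\\Program Files\\HCL\\Notes\\nnotes.dll"),
]

# Message shapes seen in the thread; the event kinds are names chosen here.
PATTERNS = [
    ("restore_failed", re.compile(r"Could not restore (?P<path>.+?) because (?P<reason>.+)$")),
    ("alert", re.compile(r"Sending alert for \[(?P<path>.+)\]$")),
    ("quarantined", re.compile(r"Successfully quarantined file: (?P<path>.+)$")),
]

def parse_event(ts, message):
    """Map one log message to a structured event, or None if it is not one we track."""
    for kind, rx in PATTERNS:
        m = rx.search(message)
        if m:
            return {"ts": ts, "kind": kind, "path": m.group("path"),
                    "reason": m.groupdict().get("reason")}
    return None

def normalize(path):
    # Windows paths are case-insensitive; fold so the upper-cased alert path and
    # the mixed-case quarantine path land in the same timeline.
    return path.casefold()

def build_timeline(log):
    """Per-file list of events, ordered by ISO-8601 timestamp (sorts lexically)."""
    timeline = defaultdict(list)
    for ts, msg in log:
        ev = parse_event(ts, msg)
        if ev:
            timeline[normalize(ev["path"])].append(ev)
    for evs in timeline.values():
        evs.sort(key=lambda e: e["ts"])
    return timeline

def find_requarantine_after_failed_restore(log):
    """Paths where a failed restore was later followed by a new quarantine."""
    findings = []
    for path, evs in build_timeline(log).items():
        kinds = [e["kind"] for e in evs]
        if "restore_failed" in kinds and "quarantined" in kinds[kinds.index("restore_failed"):]:
            findings.append(path)
    return findings
```

Run over an export of the `message` and `@timestamp` fields from the elastic_agent.endpoint_security data stream, a non-empty result is the situation described in this thread: the exception released the file, the restore could not complete because the repaired file was already in place, and the file was then quarantined again.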

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.