View and restore identified malware
An identified file is a file that has been found to be or to contain malware and has therefore been encrypted and moved to a special folder on the protected computer. Whether or not an infected file can be viewed and restored depends on the anti-malware configuration and the operating system on which the file was found:
- On Windows agents, you can view and restore files handled by any of the malware remedial actions (see Customize malware remedial actions).
- On Linux agents, you can view and restore only quarantined files.
Topics on this page:
- See a list of identified files
- Working with identified files
- Search for an identified file
- Restore identified files
- Manually restore identified files
For information about events that are generated when malware is encountered, see Anti-malware events.
See a list of identified files
The Events and Reports page provides a list of identified files. From there you can see the details for any of those files:
- Click Events and Reports > Events > Anti-Malware Events > Identified Files.
- To see the details of a file, select the file and click View.
The list of identified files includes the following columns of information:
- Infected File: Shows the name of the infected file and the specific security risk.
- Malware: Names the malware infection.
- Computer: Indicates the name of the computer with the suspected infection.
- File Status: Indicates whether or not a file is ready for download.
The Details window provides the following information:
- Detection Time: The date and time on the infected computer that the infection was detected.
- Infected File(s): The name of the infected file.
- File SHA-1: The SHA-1 hash of the file.
- Malware: The name of the malware that was found.
- Scan Type: Indicates whether the malware was detected by a Real-time, Scheduled, or Manual scan.
- Action Taken: The result of the action taken by Deep Security when the malware was detected.
- Computer: The computer on which this file was found. (If the computer has been removed, this entry will read "Unknown Computer".)
- Container Name: Name of the Docker container where the malware was found.
- Container ID: ID of the Docker container where the malware was found.
- Container Image Name: Image name of the Docker container where the malware was found.
Working with identified files
The Identified Files page allows you to manage tasks related to identified files. Using the menu bar or the context menu, you can do the following:
- Restore identified files back to their original location and condition. Note that you cannot perform this action if your host uses the Agent/Appliance Initiated communication.
- Download identified files from the computer or Virtual Appliance to a location of your choice. To download files:
- Select the files you want to download.
- Go to Download > Request download. The File Status column indicates that the download is pending.
- Once the file is ready for download, the File Status column changes to Ready for download and the system event Identified file is ready for download appears.
- Select the identified files that are ready to be downloaded.
- Go to Download > Download.
Once a file is ready for download, you have 24 hours to download the file to your location of choice.
- Analyze identified files from the computer or Virtual Appliance.
- Delete one or more identified files from the computer or Virtual Appliance. Note that you cannot perform this action if your host uses the Agent/Appliance Initiated communication.
- Export information about the identified files (not the file itself) to a CSV file.
- View the details of an identified file.
- Computer Details displays the screen of the computer on which the malware was detected.
- View Anti-Malware Event displays the anti-malware event associated with this identified file.
- Add or Remove Columns by clicking Add/Remove.
- Search for a particular identified file.
Identified files are automatically deleted from a Deep Security Virtual Appliance when the following occurs:
- A VM is moved to another ESXi host by vMotion. Identified files associated with that VM are deleted from the virtual appliance.
- A VM is deactivated from the Deep Security Manager. Identified files associated with that VM are deleted from the virtual appliance.
- Deep Security Virtual Appliance is deactivated from the Deep Security Manager. All the identified files stored on that virtual appliance are deleted.
- Deep Security Virtual Appliance is deleted from the vCenter. All identified files stored on that virtual appliance are deleted.
Search for an identified file
- Use the Period drop-down menu to see only the files that were identified within a specific time frame.
- Use the Computers drop-down menu to organize files by Computer Groups or Computer Policies.
- Click Search this page > Open Advanced Search to toggle the display of the advanced search options:
Advanced searches include one or more search criteria for filtering identified files. Each criterion is a logical statement comprised of the following items:
- The characteristic of the identified file to filter on, such as the type of file (infected file or malware) or the computer that was affected.
- An operator:
- Contains: The entry in the selected column contains the search string.
- Does Not Contain: The entry in the selected column does not contain the search string.
- Equals: The entry in the selected column exactly matches the search string.
- Does Not Equal: The entry in the selected column does not exactly match the search string.
- In: The entry in the selected column exactly matches one of the comma-separated search string entries.
- Not In: The entry in the selected column does not exactly match any of the comma-separated search string entries.
- A value.
To add a criterion, click the "plus" button (+) to the right of the topmost criterion. To search, click the Search button (the circular arrow).
Restore identified files
Create a scan exclusion for the file
Before you can restore a file to its original location, you have to create a scan exclusion so that Deep Security doesn't immediately re-identify the file when it reappears on the computer.
- Open the Computers page, go to Anti-Malware > Identified Files, and double-click the identified file to view its properties.
- Note the file's exact name and original location.
- Still in the Computers page, go to Anti-Malware > General and click the Edit button next to each Malware Scan that's in effect to open the Malware Scan Configuration properties window.
- In the Malware Scan Configuration properties window, click on the Exclusions tab.
- In the Scan Exclusions area, select File List and then either click Edit if a file list is already selected, or select New from the menu to create a new File List.
- In the File List properties window, enter the file path and name of the file to be restored. Click OK to close the File List properties window.
- Close the Malware Scan Configuration properties window by clicking OK.
- When you've edited all the Malware Scan Configurations, click Save in the Computers page to save your changes. You're now ready to restore your file.
Restore the file
- Still in the Computers page, go to the Anti-Malware > Identified Files tab.
- Right-click the identified file and select Actions > Restore and follow the steps in the wizard.
Your file is restored to its original location.
Manually restore identified files
To manually restore an identified file, download the file to your computer. The Identified File wizard will display a link to an Administration Utility which you can use to decrypt, examine, or restore the file. Use the quarantined file decryption utility to decrypt the file and then move it back to its original location.
The decryption utility is in a zip file, QFAdminUtil_win32.zip, located in the "util" folder under the Deep Security Manager root directory. The zipped file contains two utilities which perform the same function: QDecrypt.exe and QDecrypt.com. Running QDecrypt.exe invokes an open file dialog that lets you select the file for decryption. QDecrypt.com is a command-line utility with the following options:
- /h, --help: show this help message
- --verbose: generate verbose log messages
- /i, --in=<str>: quarantined file to be decrypted, where <str> is the name of the quarantined file
- /o, --out=<str>: decrypted file output, where <str> is the name given to the resulting decrypted file
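The manual restore described above, as an added PowerShell example that is not part of the Deep Security documentation: it runs QDecrypt.com with the /i and /o options from the page, checks the decrypted file's SHA-1 against the File SHA-1 shown in the Details window, and only then moves the file back. The manager root path, the downloaded file name and the original location are placeholders you replace with your own values.

```powershell
# Added example, not Deep Security's own code. Assumes QFAdminUtil_win32.zip is in the
# "util" folder under the manager root and that a scan exclusion for the original
# location already exists (see "Create a scan exclusion for the file").
param(
    [string]$ManagerRoot     = 'C:\Program Files\Trend Micro\Deep Security Manager',  # placeholder
    [string]$QuarantinedFile = 'C:\Temp\identified\invoice.exe.qtn',                  # placeholder
    [string]$OriginalPath    = 'C:\Users\alice\Downloads\invoice.exe',                # placeholder
    [Parameter(Mandatory)][string]$ExpectedSha1   # File SHA-1 value copied from the Details window
)
$ErrorActionPreference = 'Stop'

# Unpack the decryption utility once into a scratch folder.
$zip     = Join-Path $ManagerRoot 'util\QFAdminUtil_win32.zip'
$toolDir = Join-Path $env:TEMP 'QFAdminUtil'
$qdecrypt = Join-Path $toolDir 'QDecrypt.com'
if (-not (Test-Path $qdecrypt)) {
    Expand-Archive -Path $zip -DestinationPath $toolDir -Force
}

# Decrypt into a scratch file first; never write straight into the original location.
$decrypted = Join-Path $env:TEMP ([IO.Path]::GetFileName($OriginalPath))
& $qdecrypt --verbose /i "$QuarantinedFile" /o "$decrypted"
if ($LASTEXITCODE -ne 0) { throw "QDecrypt.com failed with exit code $LASTEXITCODE" }

# Compare against the SHA-1 reported for the identified file. A mismatch means the wrong
# file was downloaded or decryption did not reproduce the original, so do not restore it.
$actual = (Get-FileHash -Path $decrypted -Algorithm SHA1).Hash
if ($actual -ne $ExpectedSha1.ToUpperInvariant()) {
    Remove-Item -Path $decrypted
    throw "SHA-1 mismatch: expected $ExpectedSha1, got $actual; file not restored"
}

# Hashes agree: put the file back where it was originally found.
$dir = Split-Path -Path $OriginalPath -Parent
if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
Move-Item -Path $decrypted -Destination $OriginalPath
Write-Host "Restored $OriginalPath (SHA-1 $actual)"
```

Run it with the SHA-1 from the Details window as the -ExpectedSha1 argument; if the file was cleaned rather than quarantined, the restored content may intentionally differ from the original and the hash check will refuse it.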