Retrieving locally quarantined data from remote computers
Data that is quarantined on the local disks of remote computers can be retrieved with the OnDiskQuarantineManager utility. OnDiskQuarantineManager.py is a Python utility that manages the local on-disk quarantine stores of one or more Symantec Protection Engine (SPE) computers from a central location. It depends on the OnDiskQuarantineManager executable to manage the remote on-disk quarantine stores: the executable runs on the remote SPE computers, and the utility captures its output. Make sure that the OnDiskQuarantineManager executable is located on each remote computer and that its path is provided to the OnDiskQuarantineManager.py utility. You can download the OnDiskQuarantineManager utility from the Tools.zip that is located on the Broadcom Download servers; the utility runs on both Windows and Linux platforms.
The prerequisites differ depending on the deployment scenario in your environment.
Deployment scenarios and prerequisites
- Scenario 1: The OnDiskQuarantineManager utility and all SPE instances are running on Windows computers
  - OnDiskQuarantineManager prerequisites
    - Python 3.7.8
    - pywin32 module
    - pywinrm module
    - npath module
  - SPE computer prerequisites
    - Configure WinRM for basic authentication.
    - Ensure that the OnDiskQuarantineManager executable is present, and that the full path of its location does not contain white space.
- Scenario 2: The OnDiskQuarantineManager utility and all SPE instances are running on Linux computers
  - OnDiskQuarantineManager prerequisites
    - Python 3.7.8
    - paramiko module
  - SPE computer prerequisites
    - The SSH server service must be running.
    - Configure the firewall setting for the domain profile: an inbound rule that allows SSH connections must be configured on the Symantec Protection Engine computers.
    - Ensure that the OnDiskQuarantineManager executable is present, and that the full path of its location does not contain white space.
- Scenario 3: The OnDiskQuarantineManager utility is running on a Linux computer and the SPE instances are running on Windows and Linux computers
  - OnDiskQuarantineManager prerequisites
    - Python 3.7.8
    - paramiko module
    - npath module
  - SPE computer prerequisites on Windows and Linux
    - The SSH server service or daemon must be running.
    - Configure the firewall setting for the domain profile: an inbound rule that allows SSH connections must be configured on the Symantec Protection Engine computer.
    - Ensure that the OnDiskQuarantineManager executable is present, and that the full path of its location does not contain white space.
- Scenario 4: The OnDiskQuarantineManager utility is running on a Windows computer and the SPE instances are running on Windows and Linux computers
  - OnDiskQuarantineManager prerequisites
    - Python 3.7.8
    - pywin32 module
    - pywinrm module
    - npath module
    - paramiko module
  - SPE computer prerequisites on Windows
    - Configure Windows Remote Management (WinRM).
    - Configure WinRM for basic authentication.
    - Ensure that the OnDiskQuarantineManager executable is present, and that the full path of its location does not contain white space.
  - SPE computer prerequisites on Linux
    - The SSH server service must be running.
    - Configure the firewall setting for the domain profile: an inbound rule that allows SSH connections must be configured on the Symantec Protection Engine computers.
    - Ensure that the OnDiskQuarantineManager executable is present, and that the full path of its location does not contain white space.
Syntax and usages of OnDiskQuarantineManager utility
python OnDiskQuarantineManager.py --inputfile <filepath> [--speip <spe_ip>] command [args]
Option | Description
--- | ---
--inputfile | Path to the CSV file that contains information about the remote SPE computers. This parameter is mandatory. Each row of the CSV file holds the following fields, in this order: IP,OS,OnDiskQuarantineManagerLocation,QLocation,Restorelocation,user,password
--speip | IP address of the SPE computer on which the command is executed. This parameter is required if the command is to be executed on one specific SPE computer. The IP must be present in the input file with all the required information.
command | The quarantine store command to be executed on the remote computer. This parameter is mandatory. The supported commands (shown in the examples below) are getitemlist, getitemdetails, getitem and deleteitem. If --speip is provided, the command is executed on the specified SPE computer; otherwise it is executed on all the SPE computers listed in the input file. For the getitemdetails, getitem and deleteitem commands, specifying --speip is mandatory.
args | The arguments, if any, required by the command to be executed.
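As an added example (not part of the SPE tools), the following Python script checks an input file against the column order above and the prerequisites listed earlier before the file is handed to OnDiskQuarantineManager.py: every row must have seven fields, the IP must parse, and the executable's full path must not contain white space. It assumes that the OS column holds Windows or Linux, which the page does not spell out; the sample rows are constructed. Because the file carries the remote user name and password in clear text, keep it readable only by the account that runs the utility.

```python
"""Check an OnDiskQuarantineManager.py input file before running the utility.

Added example, not part of the SPE tools. Column order follows the table
above: IP,OS,OnDiskQuarantineManagerLocation,QLocation,Restorelocation,
user,password. ACCEPTED_OS is an assumption; the page does not list the
values the OS column may hold.
"""
import csv
import io
import ipaddress
import sys

COLUMNS = ["IP", "OS", "OnDiskQuarantineManagerLocation", "QLocation",
           "Restorelocation", "user", "password"]
ACCEPTED_OS = {"windows", "linux"}   # assumption, see module docstring


def parse_input_file(text):
    """Parse CSV text into dicts keyed by COLUMNS; blank lines are skipped.

    Rows with the wrong field count are kept (with '_raw' holding the
    fields as read) so that validate_row can report them.
    """
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if not any(f.strip() for f in fields):
            continue
        row = dict(zip(COLUMNS, fields))
        row["_raw"] = fields
        rows.append(row)
    return rows


def validate_row(row):
    """Return a list of problems for one row; an empty list means it is usable."""
    raw = row["_raw"]
    if len(raw) != len(COLUMNS):
        return [f"expected {len(COLUMNS)} fields, got {len(raw)}"]
    problems = []
    try:
        ipaddress.ip_address(row["IP"])
    except ValueError:
        problems.append(f"invalid IP address {row['IP']!r}")
    if row["OS"].strip().lower() not in ACCEPTED_OS:
        problems.append(f"unrecognised OS value {row['OS']!r}")
    exe = row["OnDiskQuarantineManagerLocation"]
    # Prerequisite from the scenarios above: the executable's full path must
    # not contain white space.
    if any(ch.isspace() for ch in exe):
        problems.append(f"executable path {exe!r} contains white space")
    for col in ("OnDiskQuarantineManagerLocation", "QLocation",
                "Restorelocation", "user"):
        if not row[col]:
            problems.append(f"{col} is empty")
    return problems


def select_rows(rows, speip=None):
    """Apply the --speip rule: without it every listed computer is selected;
    with it the named IP must be present in the file."""
    if speip is None:
        return rows
    matches = [r for r in rows if r.get("IP") == speip]
    if not matches:
        raise ValueError(f"--speip {speip} is not present in the input file")
    return matches


def check_input_file(text, speip=None):
    """Return {IP: [problems]} for the rows the utility would act on."""
    selected = select_rows(parse_input_file(text), speip)
    return {r.get("IP", "?"): validate_row(r) for r in selected}


# Constructed sample: two usable rows and one whose executable path has a space.
SAMPLE_INPUT = (
    "10.0.0.11,Linux,/opt/tools/OnDiskQuarantineManager,/tmp/QLoc/,/tmp/RestoreLocation,speadmin,CHANGE_ME\n"
    "10.0.0.12,Windows,C:\\Tools\\OnDiskQuarantineManager.exe,C:\\QLoc,C:\\Restore,speadmin,CHANGE_ME\n"
    "10.0.0.13,Windows,C:\\Program Files\\OnDiskQuarantineManager.exe,C:\\QLoc,C:\\Restore,speadmin,CHANGE_ME\n"
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INPUT
    for ip, problems in check_input_file(text).items():
        print(ip, "OK" if not problems else "; ".join(problems))
```

Run it with the path of your input file as the only argument; a row that prints anything other than OK would make the utility fail on that computer, or be skipped by a --speip that names an IP the file does not contain.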
Syntax and usages of OnDiskQuarantineManager executable tool
Download this tool and place it on the SPE computer on which the files are quarantined on local disks.
Always run this utility as a user who has permission to access the files in the quarantine location.
OnDiskQuarantineManager.exe --location:<QStore_location> --action:<action> [--id:<item_uuid> --restorepath:<dir_to_restore_file>]
Option | Description
--- | ---
--location:<QStore_location> | The path of the quarantine store directory.
--action:<action> | The action to perform on the quarantine store. The actions shown in the examples below are getitemlist, getitemdetails, getitem and deleteitem.
--id:<id> | UUID of the item in the quarantine store. Use getitemlist to get the UUIDs of the items that are in the quarantine store.
--restorepath:<directory_path> | Directory in which the restored files are kept.
Examples of OnDiskQuarantineManager executable tool commands
- getitemlist command and its output
  ./OnDiskQuarantineManager --location:/tmp/QLoc/ --action:getitemlist
  On Linux, you may need to run export LD_LIBRARY_PATH=/opt/SYMCScan/bin before using this utility.
  Output:
  37378ab9-0d7b-4bd4-8743-edc6d361639f,eicar.com,68
  6a22a566-7f6d-4999-b980-d86757ba2603,XLSMacro.xls,35328
  This is a comma-separated list of the quarantined item's UUID, its name, and its size. The UUID from this output is required for the other supported actions.
- getitemdetails command and its output
  ./OnDiskQuarantineManager --location:/tmp/QLoc/ --action:getitemdetails --id:37378ab9-0d7b-4bd4-8743-edc6d361639f
  Output: a JSON string containing the details of the quarantined item. Example:
  [
    {
      "detection_uid": "37378ab9-0d7b-4bd4-8743-edc6d361639f",
      "file": {
        "name": "eicar.com",
        "parent_name": "",
        "path": "eicar.com",
        "sha2": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
        "size": 68
      },
      "product_data": { "content_mask": "0xbd", "sample_file": "content" },
      "quarantine_uid": "37378ab9-0d7b-4bd4-8743-edc6d361639f",
      "spe": { "actualfilename": "eicar.com" },
      "type": "FILE_DETECTION",
      "version": "1.0",
      "category_id": 1,
      "device_time": 1618570792079,
      "id": 12,
      "severity_id": 0,
      "type_id": 8031
    },
    {
      "detection_uid": "37378ab9-0d7b-4bd4-8743-edc6d361639f",
      "feature_name": "MALWARE_PROTECTION",
      "feature_uid": "A36D2836-4F03-42DE-B55F-3957FC1489C8",
      "file": {
        "name": "eicar.com",
        "parent_name": "eicar.com",
        "path": "eicar.com",
        "sha2": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
        "size": 68
      },
      "quarantine_uid": "37378ab9-0d7b-4bd4-8743-edc6d361639f",
      "spe": { "actualfilename": "eicar.com" },
      "threat": { "name": "EICAR Test String", "id": 11101, "risk_id": 0, "type_id": 1 },
      "type": "FILE_DETECTION",
      "version": "1.0",
      "category_id": 1,
      "device_time": 1618570792079,
      "id": 12,
      "reason_id": 2,
      "severity_id": 0,
      "type_id": 8031
    }
  ]
- getitem command and its output
  ./OnDiskQuarantineManager --location:/tmp/QLoc/ --action:getitem --id:37378ab9-0d7b-4bd4-8743-edc6d361639f --restorepath:/tmp/RestoreLocation
  The restored files are the actual threat files that SPE detected, so handle them with care. Also, the directory into which the files are restored should be excluded from any endpoint AV program, such as SEP; otherwise the restored files can be deleted by the endpoint AV.
  Output: the path of the restored file: /tmp/RestoreLocation/eicar.com
- deleteitem command and its output
  ./OnDiskQuarantineManager --location:/tmp/QLoc/ --action:deleteitem --id:37378ab9-0d7b-4bd4-8743-edc6d361639f
  Output: Successfully deleted item 37378ab9-0d7b-4bd4-8743-edc6d361639
Examples of OnDiskQuarantineManager utility commands
- Command to retrieve the list of files quarantined on the remote computers
  python OnDiskQuarantineManager.py --inputfile /OnDiskQuarantineManager/input.txt getitemlist
  Output:
  10.xx.xx.x,95db32d9-4e1c-4e64-b11e-26f87304197a,eicar.com,68
  10.xx.xx.x,3ef0ee4d-c0c9-49db-8500-5cb691cb5d62,eicar.com,68
  10.xx.xx.xx,236e7ae6-dc09-4dd9-88c7-2fa2cb46d013,eicar.com,68
  10.xx.xx.xx,367d4c2c-eff7-4ff3-b158-179a18144678,malware.exe,48
  The values in the output are, in order: the IP address of the remote computer, the UUID of the quarantined item, the name of the quarantined file, and the file size (in bytes). When the command is executed without --speip, it lists the items of all the computers provided in the input file. To execute getitemlist on one specific remote computer, use --speip.
- Command to retrieve the details of a particular item
  python OnDiskQuarantineManager.py --inputfile /OnDiskQuarantineManager/input.txt --speip 10.xx.xx.x getitemdetails 95db32d9-4e1c-4e64-b11e-26f87304197a
  The restored files are the actual threat files that SPE detected, so handle them with care. Also, the directory into which the files are restored should be excluded from any endpoint AV program, such as SEP; otherwise the restored files can be deleted by the endpoint AV.
  Output: a JSON string containing the information about the quarantined item.
- Command to restore a quarantined item from the remote SPE computer to the local computer
  python OnDiskQuarantineManager.py --inputfile /OnDiskQuarantineManager/input.txt --speip 10.xx.xx.x getitem 95db32d9-4e1c-4e64-b11e-26f87304197a /tmp
  Output: the file path of the restored item. Example: Restored file as /tmp/95db32d9-4e1c-4e64-b11e-26f87304197a-eicar.com.restored
- Command to delete a quarantined item from the remote computer's quarantine store
  python OnDiskQuarantineManager.py --inputfile /OnDiskQuarantineManager/input.txt --speip 10.xx.xx.x deleteitem 95db32d9-4e1c-4e64-b11e-26f87304197a
  Output: a success or failure message. Example: Successfully deleted item 95db32d9-4e1c-4e64-b11e-26f87304197a
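Both the executable (UUID,name,size) and the Python utility (IP,UUID,name,size) print getitemlist as comma-separated lines, and getitemdetails returns the JSON record list shown in the executable examples above. The added Python example below, which is not part of the SPE tools, parses both getitemlist forms (including a file name that itself contains a comma, which a plain split would break), reduces the getitemdetails JSON to one entry per quarantine UUID, and checks a file restored with getitem against the sha2 and size from the details. That last step catches the case the note above warns about, where an endpoint AV alters or removes the restored file. All UUIDs, bytes and records in it are constructed; the record layout follows the example output above.

```python
"""Parse OnDiskQuarantineManager output and check a file restored by getitem.

Added example, not part of the SPE tools. Handles the comma-separated
getitemlist output of both the executable (UUID,name,size) and the Python
utility (IP,UUID,name,size), summarises the getitemdetails JSON per
quarantine UUID, and compares restored bytes against the reported sha2
and size. All sample data below is constructed for this example.
"""
import hashlib
import ipaddress
import json
import uuid


def parse_getitemlist(output):
    """Return one dict per line; 'ip' is None for the executable's output.

    The name is everything between the UUID and the final size field, so a
    file name that contains a comma is still parsed correctly.
    """
    items = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        first, _, rest = line.partition(",")
        try:
            ip = str(ipaddress.ip_address(first))   # utility output starts with the SPE IP
        except ValueError:
            ip, rest = None, line                   # executable output starts with the UUID
        item_uuid, _, rest = rest.partition(",")
        name, _, size = rest.rpartition(",")
        uuid.UUID(item_uuid)   # raises ValueError on a malformed id
        items.append({"ip": ip, "uuid": item_uuid, "name": name, "size": int(size)})
    return items


def summarize_details(details_json):
    """Collapse the getitemdetails record list into one entry per quarantine_uid.

    As in the example output above, only some records carry a "threat" object.
    """
    summary = {}
    for rec in json.loads(details_json):
        entry = summary.setdefault(rec["quarantine_uid"], {
            "name": rec["file"]["name"],
            "sha2": rec["file"]["sha2"].lower(),
            "size": rec["file"]["size"],
            "threats": [],
        })
        if "threat" in rec:
            entry["threats"].append(rec["threat"]["name"])
    return summary


def verify_restored_file(data, expected_sha2, expected_size):
    """Return (ok, actual_sha2) for the bytes read from the restore path.

    A mismatch means the bytes on disk are not the quarantined sample, for
    example because an endpoint AV on the restore directory changed or
    replaced the file; treat the restore as failed in that case.
    """
    actual = hashlib.sha256(data).hexdigest()
    ok = actual == expected_sha2.lower() and len(data) == expected_size
    return ok, actual


# --- constructed sample data (not from a real quarantine store) ---------------
SAMPLE_UUID = "11111111-2222-4333-8444-555555555555"
SAMPLE_RESTORED_BYTES = b"constructed sample content, not a real detection\n"
SAMPLE_SHA2 = hashlib.sha256(SAMPLE_RESTORED_BYTES).hexdigest()
SAMPLE_SIZE = len(SAMPLE_RESTORED_BYTES)

# First line mimics the utility (IP first, name with a comma), second the executable.
SAMPLE_GETITEMLIST = (
    f"10.0.0.11,{SAMPLE_UUID},report, final.xls,{SAMPLE_SIZE}\n"
    f"{SAMPLE_UUID},sample.bin,{SAMPLE_SIZE}\n"
)

SAMPLE_DETAILS = json.dumps([
    {"quarantine_uid": SAMPLE_UUID, "type": "FILE_DETECTION",
     "file": {"name": "sample.bin", "sha2": SAMPLE_SHA2, "size": SAMPLE_SIZE}},
    {"quarantine_uid": SAMPLE_UUID, "type": "FILE_DETECTION",
     "file": {"name": "sample.bin", "sha2": SAMPLE_SHA2, "size": SAMPLE_SIZE},
     "threat": {"name": "Constructed.Test.Name", "id": 0}},
])


def check_restore(details_json, restored_bytes):
    """Summarise the details of the single requested item, then verify the bytes."""
    (uid, entry), = summarize_details(details_json).items()
    ok, actual = verify_restored_file(restored_bytes, entry["sha2"], entry["size"])
    return {"uuid": uid, "name": entry["name"], "threats": entry["threats"],
            "ok": ok, "sha2": actual}


if __name__ == "__main__":
    for item in parse_getitemlist(SAMPLE_GETITEMLIST):
        print(item)
    print(check_restore(SAMPLE_DETAILS, SAMPLE_RESTORED_BYTES))
```

In practice, feed check_restore the getitemdetails output for the item and the bytes read from the path that getitem printed; an ok of False tells you to re-run the restore after excluding the restore directory from the endpoint AV, rather than analysing a file that is no longer the quarantined sample.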