Retrieving locally quarantined data from remote computers

Data that is quarantined on the local disks of remote computers can be retrieved using the OnDiskQuarantineManager utility. OnDiskQuarantineManager is a Python utility that manages the local on-disk quarantine stores of one or more Symantec Protection Engine (SPE) computers from a central location. The utility depends on the OnDiskQuarantineManager executable to manage the remote on-disk quarantine stores: the executable runs on the remote SPE computers, and the utility captures its output. Make sure that the OnDiskQuarantineManager executable is located on each remote computer and that its path is provided to the OnDiskQuarantineManager.py utility.
You can download the OnDiskQuarantineManager utility from the Tools.zip archive on the Broadcom Download servers, and run the utility on both Windows and Linux platforms.
The prerequisites differ depending on the deployment scenario in your environment.
Deployment scenarios and prerequisites
  1. Scenario 1: The OnDiskQuarantineManager utility and all SPE instances are running on Windows computers.
    1. OnDiskQuarantineManager's prerequisites
      1. Python 3.7.8
      2. pywin32 module
      3. pywinrm module
      4. npath module
    2. SPE computer prerequisites
      1. Configure WinRM for basic authentication.
      2. Ensure that the OnDiskQuarantineManager executable is present. The full path of this location must not contain white spaces.
  2. Scenario 2: The OnDiskQuarantineManager utility and all SPE instances are running on Linux computers.
    1. OnDiskQuarantineManager prerequisites
      1. Python 3.7.8
      2. Paramiko module
    2. SPE computer prerequisites
      1. SSH server service must be running
      2. Configure the firewall setting for the domain profile: an inbound rule that allows SSH connections must be configured on the Symantec Protection Engine computers.
      3. Make sure that the OnDiskQuarantineManager executable is present. The full path of this location must not contain white spaces.
  3. Scenario 3: The OnDiskQuarantineManager utility is running on a Linux computer and the SPE instances are running on Windows and Linux computers.
    1. OnDiskQuarantineManager prerequisites
      1. Python 3.7.8
      2. paramiko module
      3. npath module
    2. SPE computer prerequisites on Windows and Linux
      1. SSH server service or daemon must be running.
      2. Configure the firewall setting for the domain profile: an inbound rule that allows SSH connections must be configured on the Symantec Protection Engine computer.
      3. Make sure that the OnDiskQuarantineManager executable is present. The full path of this location must not contain white spaces.
  4. Scenario 4: The OnDiskQuarantineManager utility is running on a Windows computer and the SPE instances are running on Windows and Linux computers.
    1. OnDiskQuarantineManager prerequisites
      1. Python 3.7.8
      2. pywin32 module
      3. pywinrm module
      4. npath module
      5. paramiko module
    2. SPE computer prerequisites on Windows
      1. Configure Windows remote management (WinRM).
      2. Configure WinRM for basic authentication.
      3. The OnDiskQuarantineManager executable must be present. The full path of this location must not contain white spaces.
    3. SPE computer prerequisites on Linux
      1. SSH server service must be running.
      2. Configure the firewall setting for the domain profile: an inbound rule that allows SSH connections must be configured on the Symantec Protection Engine computers.
      3. The OnDiskQuarantineManager executable must be present. The full path of this location must not contain white spaces.
Syntax and usage of the OnDiskQuarantineManager utility
python OnDiskQuarantineManager.py --inputfile <filepath> [--speip <spe_ip>] command [args]
--inputfile
Path to the CSV file containing information about the remote SPE computers. This parameter is mandatory.
The input file is a CSV file with the following fields, in this order: IP,OS,OnDiskQuarantineManagerLocation,QLocation,Restorelocation,user,password
Options
  • IP - IP address of the remote SPE computer.
  • OS - Operating system of the remote computer. Allowed values are Linux and Windows.
  • OnDiskQuarantineManagerLocation - Location where the OnDiskQuarantineManager executable is present on the remote computer. This path must not contain white spaces.
  • QLocation - Local disk quarantine directory on the remote computer.
  • Restorelocation - Directory in which restored files are kept on the remote computer.
  • user - Username used to log in to the remote SPE computer.
  • password - Password used for the login.
--speip
This parameter is required if the command is to be executed on a specific SPE computer.
IP address of the SPE computer on which the command is executed. This IP must be present in the input file with all the required information.
command
The quarantine store related command to be executed on the remote computer. This parameter is mandatory. The supported commands are:
  • getitemlist: lists all files of the local quarantine store for all or the specified SPE computers.
  • getitemdetails (getitemdetails <item_guid>): gets more information about the item specified by the GUID.
  • getitem (getitem <item_guid> <local_directory>): restores the specified item to the given local directory (see the example below).
  • deleteitem (deleteitem <item_guid>): deletes the item specified by the GUID.
If "--speip" is provided, the command is executed on the specified SPE computer; otherwise it is executed on all the SPE computers listed in the input file. For the getitemdetails, getitem and deleteitem commands, specifying --speip is mandatory.
args
The arguments, if any, required by the command to be executed.
Syntax and usage of the OnDiskQuarantineManager executable tool
Download this tool and place it on the SPE computer on which the file is quarantined on local disks.
Always run this tool as a user who has permission to access the files in the quarantine location.
OnDiskQuarantineManager.exe --location:<QStore_location> --action:<action> [--id:<item_uuid> --restorepath:<dir_to_restore_file>]
--location:<QStore_location>
Provide the path of the quarantine store directory for <QStore_location>.
--action:<action>
The following actions can be specified for <action>:
  • getitemlist - lists all items in the quarantine store. Prints a comma separated list of UUID, filename and size.
  • getitemdetails - provides details for the item identified by the "--id" option in JSON format.
  • getitem - restores the item identified by the "--id" option at the location specified by "--restorepath".
  • deleteitem - deletes the item identified by the "--id" option from the quarantine store.
--id:<id>
UUID of item in the quarantine store. Use "getitemlist" to get UUIDs of items that are in the quarantine store.
--restorepath:<directory_path>
Directory to keep the restored files.
Examples of OnDiskQuarantineManager executable tool commands
  1. getitemlist command and its output
    ./OnDiskQuarantineManager --location:/tmp/QLoc/ --action:getitemlist
    On Linux, you may need to execute export LD_LIBRARY_PATH=/opt/SYMCScan/bin before using this tool.
    Output:
    37378ab9-0d7b-4bd4-8743-edc6d361639f,eicar.com,68
    6a22a566-7f6d-4999-b980-d86757ba2603,XLSMacro.xls,35328
    This is a comma separated list of the UUID of the quarantined item, its name, and its size. The UUID from this output is required for the other supported actions.
  2. getitemdetails command and its output
    ./OnDiskQuarantineManager --location:/tmp/QLoc/ --action:getitemdetails --id:37378ab9-0d7b-4bd4-8743-edc6d361639f
    Output: JSON string containing details of the quarantined item. Example:
    [
      {
        "detection_uid": "37378ab9-0d7b-4bd4-8743-edc6d361639f",
        "file": {
          "name": "eicar.com",
          "parent_name": "",
          "path": "eicar.com",
          "sha2": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "size": 68
        },
        "product_data": { "content_mask": "0xbd", "sample_file": "content" },
        "quarantine_uid": "37378ab9-0d7b-4bd4-8743-edc6d361639f",
        "spe": { "actualfilename": "eicar.com" },
        "type": "FILE_DETECTION",
        "version": "1.0",
        "category_id": 1,
        "device_time": 1618570792079,
        "id": 12,
        "severity_id": 0,
        "type_id": 8031
      },
      {
        "detection_uid": "37378ab9-0d7b-4bd4-8743-edc6d361639f",
        "feature_name": "MALWARE_PROTECTION",
        "feature_uid": "A36D2836-4F03-42DE-B55F-3957FC1489C8",
        "file": {
          "name": "eicar.com",
          "parent_name": "eicar.com",
          "path": "eicar.com",
          "sha2": "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
          "size": 68
        },
        "quarantine_uid": "37378ab9-0d7b-4bd4-8743-edc6d361639f",
        "spe": { "actualfilename": "eicar.com" },
        "threat": { "name": "EICAR Test String", "id": 11101, "risk_id": 0, "type_id": 1 },
        "type": "FILE_DETECTION",
        "version": "1.0",
        "category_id": 1,
        "device_time": 1618570792079,
        "id": 12,
        "reason_id": 2,
        "severity_id": 0,
        "type_id": 8031
      }
    ]
  3. getitem command and its output
    ./OnDiskQuarantineManager --location:/tmp/QLoc/ --action:getitem --id:37378ab9-0d7b-4bd4-8743-edc6d361639f --restorepath:/tmp/RestoreLocation
    Files restored are the actual threat files that SPE detected and quarantined, so they must be handled with care. Also, the directory into which the files are restored should be excluded from any endpoint AV program, such as SEP; otherwise the restored files can be deleted by the endpoint AV.
    Output: path of restored file: /tmp/RestoreLocation/eicar.com
  4. deleteitem command and its output
    ./OnDiskQuarantineManager --location:/tmp/QLoc/ --action:deleteitem --id:37378ab9-0d7b-4bd4-8743-edc6d361639f
    Output: Successfully deleted item 37378ab9-0d7b-4bd4-8743-edc6d361639f
Examples of OnDiskQuarantineManager utility commands
  1. Command to retrieve list of files quarantined on the remote computers
    python OnDiskQuarantineManager.py --inputfile /OnDiskQuarantineManager/input.txt getitemlist
    Output
    10.xx.xx.x,95db32d9-4e1c-4e64-b11e-26f87304197a,eicar.com,68
    10.xx.xx.x,3ef0ee4d-c0c9-49db-8500-5cb691cb5d62,eicar.com,68
    10.xx.xx.xx,236e7ae6-dc09-4dd9-88c7-2fa2cb46d013,eicar.com,68
    10.xx.xx.xx,367d4c2c-eff7-4ff3-b158-179a18144678,malware.exe,48
    Values in the output are as follows: IP address of the remote computer, UUID of the quarantined item, name of the quarantined file, file size (in bytes).
    When the command is executed without the "--speip" option, it lists the items of all the computers provided in the input file. If you want to execute "getitemlist" on a specific remote computer, use the "--speip" option.
  2. Command to retrieve details of a particular item
    python OnDiskQuarantineManager.py --inputfile /OnDiskQuarantineManager/input.txt --speip 10.xx.xx.x getitemdetails 95db32d9-4e1c-4e64-b11e-26f87304197a
    Output: JSON format string containing the information about the quarantined item.
  3. Command to restore a quarantined item from the remote SPE computer to the local computer
    python OnDiskQuarantineManager.py --inputfile /OnDiskQuarantineManager/input.txt --speip 10.xx.xx.x getitem 95db32d9-4e1c-4e64-b11e-26f87304197a /tmp
    Files restored are the actual threat files that SPE detected and quarantined, so they must be handled with care. Also, the directory into which the files are restored should be excluded from any endpoint AV program, such as SEP; otherwise the restored files can be deleted by the endpoint AV.
    Output: file path of the restored item
    Example: Restored file as /tmp/95db32d9-4e1c-4e64-b11e-26f87304197a-eicar.com.restored
  4. Command to delete a quarantined item from the remote computer's quarantine store
    python OnDiskQuarantineManager.py --inputfile /OnDiskQuarantineManager/input.txt --speip 10.xx.xx.x deleteitem 95db32d9-4e1c-4e64-b11e-26f87304197a
    Output: success or failure message
    Example: Successfully deleted item 95db32d9-4e1c-4e64-b11e-26f87304197a
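As an added illustration (not part of this page or of the Symantec utility), the following Python snippet shows how the input file described above can be parsed and validated against its stated rules, how the executable's command line is assembled from one row, and how getitemlist output is turned into the IP-prefixed rows the utility prints. The sample input, IPs, paths and credentials are constructed placeholders, and the function names are hypothetical.

```python
import csv

# Column order of the utility's input file, as documented on this page.
FIELDS = ["IP", "OS", "OnDiskQuarantineManagerLocation", "QLocation",
          "Restorelocation", "user", "password"]

# Constructed sample input (placeholder IPs, paths and credentials); row 3 is
# deliberately invalid because the executable path contains a space.
SAMPLE_INPUT = """\
10.0.0.10,Linux,/opt/tools/OnDiskQuarantineManager,/tmp/QLoc/,/tmp/RestoreLocation,speadmin,s3cret
10.0.0.11,Windows,C:\\Tools\\OnDiskQuarantineManager.exe,C:\\QLoc,C:\\Restore,speadmin,s3cret
10.0.0.12,Linux,/opt/my tools/OnDiskQuarantineManager,/tmp/QLoc/,/tmp/Restore,speadmin,s3cret
"""

def load_input(text):
    """Parse the CSV; return (valid rows as dicts, list of error strings)."""
    valid, errors = [], []
    for lineno, row in enumerate(csv.reader(text.splitlines()), start=1):
        if not row:
            continue                      # skip blank lines
        if len(row) != len(FIELDS):
            errors.append(f"line {lineno}: expected {len(FIELDS)} fields, got {len(row)}")
        elif row[1] not in ("Linux", "Windows"):
            errors.append(f"line {lineno}: OS must be Linux or Windows")
        elif any(c.isspace() for c in row[2]):
            errors.append(f"line {lineno}: executable path must not contain white space")
        else:
            valid.append(dict(zip(FIELDS, row)))
    return valid, errors

def remote_command(rec, action, item_id=None):
    """Assemble the executable's command line for one SPE row (hypothetical helper)."""
    parts = [rec["OnDiskQuarantineManagerLocation"],
             f"--location:{rec['QLocation']}", f"--action:{action}"]
    if action in ("getitemdetails", "getitem", "deleteitem"):
        if not item_id:
            raise ValueError(f"{action} requires an item UUID")
        parts.append(f"--id:{item_id}")
    if action == "getitem":
        parts.append(f"--restorepath:{rec['Restorelocation']}")
    return " ".join(parts)

def parse_itemlist(ip, output):
    """Turn getitemlist output (UUID,filename,size per line) into (ip, uuid, name, size)."""
    rows = []
    for line in filter(None, output.splitlines()):
        uuid, rest = line.split(",", 1)
        name, size = rest.rsplit(",", 1)  # filename may itself contain commas
        rows.append((ip, uuid, name, int(size)))
    return rows
```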