AR Reaction: Delete File

A commonly desired action during an incident response is to delete a file. This is often used to surgically eradicate a threat, or to remove remaining traces after the fact. In this example, we will create a simple AR Reaction that deletes a file and also displays a simple dialog to the user. The dialog is optional, but it is useful for testing and demonstration. This note walks through all the steps necessary to create the reaction. For convenience, you can also simply import the fully configured reaction (download the attached document, then import it into the Active Response Catalog).

Creating Delete File and Notify User Reaction

  1. Open the Active Response Catalog and select the Reactions tab.  Click New Reaction.
    newreaction.png
  2. Next, enter a name and a description for this Reaction.
    delnot-summary.png
  3. For Reaction Content, select "Execute OS Command" and enter the following two lines:
    del "{{file}}"
    msg * "File {{file}} Deleted"
    delnot-content.png

    This is a very simplistic method for accomplishing file deletion, but it serves our purposes here well. It includes no error checking, and simply displays the dialog to the user regardless of whether the file was actually present on the end system. Note the quote marks around {{file}} in the "del" command. These ensure that the OS receives the full path as a single argument, even if it contains embedded spaces.
  4. Finally, we need to configure the argument for this reaction. This reaction will take in a single argument, the full name/path of the file to be deleted.
    delnot-args.png
    Note that the name of the argument matches the token {{file}} in the Reaction Content.  When the Reaction is executed on the endpoint, the value passed in for the file argument will be substituted into the specified commands before they are executed.
  5. Click the Save button at the top of the screen to save your work.
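The two-line content above deletes blindly and always shows the dialog. The following is an added example, not part of the original article or the product, of the same reaction content with the checks a responder would usually want: it refuses to run against a directory (del on a directory would remove every file inside it), reports whether the file was actually removed, and records the outcome. It assumes the Reaction Content is executed by cmd.exe on the endpoint with {{file}} substituted before execution, as described above; the log path is a hypothetical placeholder.

```batch
@echo off
REM Added example (not from the original article): Delete File reaction with checks.
REM Assumes cmd.exe executes this content and {{file}} has already been substituted.

REM Refuse directories: "path\*" only exists when the path is a directory.
if exist "{{file}}\*" (
    msg * "Refusing to delete: {{file}} is a directory"
    exit /b 3
)

REM Nothing to do if the file is not present; say so instead of claiming success.
if not exist "{{file}}" (
    msg * "File {{file}} not found - nothing deleted"
    exit /b 1
)

REM /f removes read-only files, /q suppresses the confirmation prompt.
del /f /q "{{file}}"

REM del does not set a useful errorlevel, so re-check the file system instead.
if exist "{{file}}" (
    msg * "File {{file}} could not be deleted (in use or access denied)"
    exit /b 2
)

REM Record the action for the incident timeline (hypothetical log location).
echo %date% %time% deleted "{{file}}" >> "%ProgramData%\ar-reactions.log"
msg * "File {{file}} deleted"
exit /b 0
```

The non-zero exit codes distinguish "not found", "delete failed" and "refused" when reviewing reaction results afterwards.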

Testing the Delete and Notify Reaction

Once saved, your reaction will be immediately distributed to your endpoints via the DXL. Next, let's do a simple test of the Reaction.

  1. Create a sample file on your desktop.
    delnot-test1.png
  2. Open Active Response Search and execute a search for your file.
    delnot-test2.png
  3. Highlight the full name of the file (including full path) and copy it into your paste buffer.
  4. Click the checkbox next to your file, and then select "Execute Reaction" from the Actions menu.
    delnot-test3.png
  5. Select your Reaction and paste in the full name and path that you copied earlier.
    delnot-test4.png
  6. Acknowledge the action you are taking.
    delnot-test5.png
  7. Monitor your test system. Within a second or two you should see the file disappear from the desktop, and the dialog will be presented.
    delnot-test6.png

Going Further

For some additional thoughts on using Reactions within Active Response, see

Version history: Revision 1 of 1, last update 07-29-2015 07:39 AM
