trevorw2000
Level 10

Quarantine?

Is it possible to retrieve a file from the appliance if it was flagged as a potential virus or forbidden media-type? For example, a user downloads a 1GB file and it gets hit by what we know is a false positive and we’d like to be able to grab the file off the gateway without having to re-download it… Is that possible? We're running MWG 7.3.

Thanks!

4 Replies
McAfee Employee

Re: Quarantine?

Hi Trevor,

Are you asking if you can obtain the specific file (embedded within the 1GB file) that caused the detection? Yes. See https://kc.mcafee.com/corporate/index?page=content&id=KB62662 specifically the "Virus to file" PDF.

Can you store the 1GB file? Maybe. Would you want to? I don't think it would be a good idea.

Best,

Jon

trevorw2000
Level 10

Re: Quarantine?

Hi Jon,

Thanks for the response!  That KB article takes care of something flagged as a virus.  What about something that's downloaded completely and then when it's opened and scanned it detects a media-type that is filtered?  I ask this because we had a very large download that was a critical system update that just happened to have an audio file in their documentation folder within the archive.  We've since removed the block for audio files, but if we hadn't would there be a way to get to that file or does the gateway delete it as soon as it sees a policy violation?

My guess is there are only two answers for this... No, we can't get to it. Or yes, but it's the same way as mentioned in the above KB article. Either answer will definitely be appreciated. Thanks!

Trevor

McAfee Employee

Re: Quarantine?

Hi again Trevor,

For the situation where MWG downloads something and THEN finds a violation for an embedded file, I would have to say no to being able to store the original file.

The reason is, we only are able to "quarantine" a file when we find it.

So MWG is scanning a file, opening it, doing its thing...

We would have to write the original file to quarantine (the 1GB file) in order to accomplish what you want. BUT, the original file isn't what the MWG detected as a violation; it found an embedded object as being in violation.

MWG would delete the file as soon as it finished scanning the file and found a violation.

Best,

Jon

trevorw2000
Level 10

Re: Quarantine?

Perfect.  Thank you!
