4 Replies Latest reply on Dec 14, 2012 12:14 PM by trevorw2000

    Quarantine?

    trevorw2000

      Is it possible to retrieve a file from the appliance if it was flagged as a potential virus or forbidden media-type?  For example, a user downloads a 1GB file and it gets hit by what we know is a false positive and we’d like to be able to grab the file off the gateway without having to re-download it…Is that possible?  We're running MWG 7.3.

       

      Thanks!

        • 1. Re: Quarantine?
          Jon Scholten

          Hi Trevor,

           

          Are you asking if you can obtain the specific file (embedded within the 1GB file) that caused the detection? Yes. See https://kc.mcafee.com/corporate/index?page=content&id=KB62662 specifically the "Virus to file" PDF.

           

          Can you store the 1GB file? Maybe. Would you want to? I don't think it would be a good idea.

           

          Best,

          Jon

          • 2. Re: Quarantine?
            trevorw2000

            Hi Jon,

             

            Thanks for the response!  That KB article takes care of something flagged as a virus.  What about something that's downloaded completely and then when it's opened and scanned it detects a media-type that is filtered?  I ask this because we had a very large download that was a critical system update that just happened to have an audio file in their documentation folder within the archive.  We've since removed the block for audio files, but if we hadn't would there be a way to get to that file or does the gateway delete it as soon as it sees a policy violation?

             

            My guess is there are only two answers for this... No, we can't get to it.  Or yes, but it's the same way as mentioned in the above KB article.  Either answer will definitely be appreciated.  Thanks!

             

            Trevor

            • 3. Re: Quarantine?
              Jon Scholten

              Hi again Trevor,

               

              For the situation where MWG downloads something and THEN finds a violation for an embedded file, I would have to say no to being able to store the original file.

               

              The reason is, we only are able to "quarantine" a file when we find it.

               

              So MWG is scanning a file, opening it, doing its thing...

               

              We would have to write the original file to quarantine (the 1GB file) in order to accomplish what you want. BUT, the original file isn't what the MWG detected as a violation, it found an embedded object as being in violation.

               

              MWG would delete the file as soon as it finished scanning the file and found a violation.

               

              Best,

              Jon

              • 4. Re: Quarantine?
                trevorw2000

                Perfect.  Thank you!