Troubleshooting
Problem
Application executables removed by Anti-malware Guardian do not appear on the Quarantine page on the Dashboard.
Symptom
It is not possible to recover the deleted file from that page because the file does not appear on the Quarantine page.
Environment
- QRadar EDR v3.x.x
- Windows Agent v3.x.x
- Anti-malware Guardian v1.5.7
Diagnosing The Problem
- Checks if the deleted file exists on the Administration --> Quarantine page.
- Check if the deleted file exists from the Quarantine tab under "Endpoint Details".
Resolving The Problem
If the file has been deleted by Anti-malware Guardian but is not exist on the Quarantine page (or tab), please perform the following workaround.
- Files Recovery
- Search for the deleted file by filename or hash value information using Threat Hunt on the dashboard.
- Copy the file from the endpoint where it resides.
- Back up the file and copy it to its original location for recovery.
- Search for the deleted file by filename or hash value information using Threat Hunt on the dashboard.
- Create the exception list
- Create the exception list of deleted files in order to let the anti-malware avoid deleting files.
Example of path: <process>C:\full\path\application.exe or C:\\full\path\*
- Please observe for a few days to make sure the file is not deleted.
- Create the exception list of deleted files in order to let the anti-malware avoid deleting files.
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSVOEH","label":"IBM Security ReaQta"},"ARM Category":[{"code":"a8m3p000000hBSAAA2","label":"Administrative Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
03 April 2024
UID
ibm17145679