Contents
- Managing objects in Storage and Quarantine
- Viewing the table of objects that were placed in Storage
- Viewing information about an object manually placed in Storage using the web interface
- Viewing information about an object placed in Storage by a get file task
- Viewing information about an object placed in Storage by a get data task
- Downloading objects from Storage
- Uploading objects to Storage
- Sending objects in Storage for scanning
- Deleting objects from Storage
- Filtering objects in Storage by object type
- Filtering objects in Storage by object description
- Filtering objects in Storage based on scan results
- Filtering objects in Storage based on the name of Central Node, PCN, or SCN server
- Filtering objects in Storage by object source
- Filtering objects based on the time they were placed in Storage
- Clearing a Storage objects filter
- Viewing the table of objects quarantined on computers with Kaspersky Endpoint Agent
- Viewing information about a quarantined object
- Restoring an object from Quarantine
- Obtaining a copy of a quarantined object on a Kaspersky Anti Targeted Attack Platform server
- Removing information about the quarantined object from the table
- Filtering information about quarantined objects by object type
- Filtering information about quarantined objects by object description
- Filtering information about quarantined objects by host name
- Filtering information about quarantined objects by time
- Resetting the filter for information about quarantined objects
Managing objects in Storage and Quarantine
Storage is used for storing files that must be sent for scanning as well as files obtained as a result of running tasks: Get file, Restore file from quarantine, Get forensics, Get NTFS metafiles, Get registry key, Get process memory dump.
Storage is located on the Central Node server.
You can manage objects in Storage as follows: delete, download, upload, and send objects to be scanned, and filter lists of objects.
Kaspersky Anti Targeted Attack Platform displays the objects in Storage as a table of objects.
If you are using the distributed solution and multitenancy mode, Storage is located on PCN and SCN servers. The web interface of the PCN server displays information about the Storage of all connected SCNs for those tenants to which the user has access.
Users with the Senior security officer role can place copies of objects into Storage using tasks or by uploading the object to Storage using the Kaspersky Anti Targeted Attack Platform web interface on the PCN or SCN server that is used for managing tenants to which the user has access.
Users with the Security officer role can only work with files received as part of tasks that the same user created on the PCN or SCN server which is used to manage tenants to which the user has access.
If you consider a file to be a threat, you can quarantine it on the computer with the Kaspersky Endpoint Agent program. Metadata of the quarantined file is displayed in the Storage section, Quarantine subsection of the Kaspersky Anti Targeted Attack Platform web interface.
Quarantine on Kaspersky Endpoint Agent hosts is a special local storage for files that you consider unsafe. Quarantined files are stored in encrypted form and do not threaten the security of the computer.
When a file is quarantined on a Kaspersky Endpoint Agent host, it is moved rather than copied: the object is deleted from the directory where it was detected and placed in the quarantine directory that is specified in Kaspersky Endpoint Agent settings.
Quarantine on a Kaspersky Anti Targeted Attack Platform server is an area of Storage on the server part of the Kaspersky Anti Targeted Attack Platform solution. It is used for storing metadata of objects quarantined on Kaspersky Endpoint Agent computers; this metadata is displayed in the Storage section, Quarantine subsection of the web interface of Kaspersky Anti Targeted Attack Platform.
You can manage quarantined objects: restore objects from quarantine and upload copies of objects quarantined on Kaspersky Endpoint Agent computers to Storage of Kaspersky Anti Targeted Attack Platform.
Kaspersky Anti Targeted Attack Platform displays the information about quarantined objects as a table.
The default maximum Storage space is 10 GB. As soon as this threshold value is exceeded, the program starts to remove the oldest copies of objects from Storage. When the amount of occupied space is again below the threshold value, the program stops removing copies of objects from Storage.
The actual size of the object can be greater than the apparent size of the object due to the metadata required to restore the object from Quarantine. When an object is quarantined, its actual size is considered. Encrypted files may be sent in decrypted form (depending on encryption settings), compressed files are sent as-is.
Viewing the table of objects that were placed in Storage
The table of objects placed in Storage is in the Storage section, Files subsection of the program web interface window.
The table of objects placed in Storage contains the following information:
- Type—Location of the object in Storage.
The following types of objects are available:
– The object was placed in Storage in one of the following ways:
- The Get file task was run.
- A copy was received of an object that was quarantined on hosts with Kaspersky Endpoint Agent (in the Storage section, Quarantine subsection, Get file from quarantine action was selected in the menu for the link with the directory of the object).
– The object was placed in Storage in one of the following ways:
- The Get forensics task was run.
- The Get process memory dump task was run.
- The Get registry key task was run.
- The Get NTFS metafiles task was run.
– The object was manually downloaded by the user in the Storage section, Files subsection.
- Object—Information about the object. For example, the file name or file path.
- Scan results—Object scan result.
The scan result is displayed as one of the following values:
- Not detected—As a result of a scan, the program did not detect signs of a targeted attack, probably infected objects, or suspicious activity.
- Error—Object scan ended with an error.
- In process—Object scan has not yet completed.
- Not scanned—Object was not sent to be scanned.
- Detected—As a result of a scan, the program detected signs of a targeted attack, a probably infected object, or suspicious activity.
- Servers—Name of the Central Node, PCN, or SCN server. A host from which the object was received is connected to this server (displayed if you are using the distributed solution and multitenancy mode).
- Source—IP address or name of the host from which the object was received, or the name of the user account that uploaded the object.
- Record time—Date and time when the object was placed in Storage.
The right part of the object information row contains buttons:
- You can click the delete button to delete the object from Storage.
- You can click the scan button to send the object in Storage for scanning by the Anti-Malware Engine, YARA, and Sandbox technologies.
- You can click the download button to download the object from Storage to your computer.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Add to filter.
- Exclude from filter.
- Download.
- Send file for scanning.
- Find events:
- File path
- MD5
- SHA256
- Find alerts:
- File path
- MD5
- SHA256
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Add to filter.
- Exclude from filter.
- Find events.
- Find alerts.
- Copy value to clipboard.
Viewing information about an object manually placed in Storage using the web interface
To view information about an object manually placed in Storage:
- In the program web interface window, select the Storage section, Files subsection.
This opens the object table.
- In the table, select the object with the icon for which you want to view information.
This opens the object details window.
The window contains the following information:
- File name—Name of the file.
- Size—Size of the file.
- MD5—MD5 hash of a file.
- SHA256—SHA256 hash of a file.
- Time uploaded—Time of upload for objects that were manually uploaded by a user.
- User name—Name of the user account that manually uploaded the object to Storage.
- Scan results—Result of object scan by the program.
The Find on TIP button allows you to find a file on the Kaspersky Threat Intelligence Portal.
Click Create prevention rule to prevent the file from running.
You can click Download to download the file to your computer's hard drive.
Clicking the link with the file name opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Clicking the link with MD5 opens a list in which you can select one of the following actions:
- Find on TIP.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Clicking the link with SHA256 opens a list in which you can select one of the following actions:
- Find on TIP.
- Find on virustotal.com.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Viewing information about an object placed in Storage by a get file task
To view information about an object placed in Storage by a Get file or Get file from quarantine task:
- In the program web interface window, select the Storage section, Files subsection.
This opens the object table.
- In the table, select the object with the icon for which you want to view information.
This opens the object details window.
The window contains the following information:
- Recommendations group. The following recommendations can be displayed:
- The Task link opens the Tasks section; this is the task that has placed the object in Storage.
- The Alert link opens the Alerts section; this is the alert containing the object that was placed in Storage.
- The Quarantined object link opens the Storage section, Quarantine subsection; this is the metadata of the quarantined object.
- Object—File name or path.
- Size—Size of the file.
- MD5—MD5 hash of a file.
- SHA256—SHA256 hash of a file.
- Record time—Time when the object was placed in Storage.
- Tenant—Name of the tenant to which the Central Node, PCN, or SCN server belongs.
- Server—Name of the Central Node, PCN, or SCN server. The host from which the object was received is connected to this server.
- Host—Name of the host from which the object was received.
- Scan results—Result of object scan by the program.
You can click Sandbox detect to open a window with detailed information about the results of file behavior analysis.
The Find on TIP button allows you to find a file on the Kaspersky Threat Intelligence Portal.
Click Create prevention rule to prevent the file from running.
You can click Download to download the file to your computer's hard drive.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Clicking the link with MD5 opens a list in which you can select one of the following actions:
- Find on TIP.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Clicking the link with SHA256 opens a list in which you can select one of the following actions:
- Find on TIP.
- Find on virustotal.com.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Viewing information about an object placed in Storage by a get data task
To view information about an object placed in Storage by Get forensics, Get process memory dump, Get registry key, Get NTFS metafiles tasks:
- In the program web interface window, select the Storage section, Files subsection.
This opens the object table.
- In the table, select the object with the icon for which you want to view information.
This opens the object details window.
The window contains the following information:
- Object—File name or path.
- Size—Size of the file.
- MD5—MD5 hash of a file.
- SHA256—SHA256 hash of a file.
- Record time—Time when the object was placed in Storage.
- Host—Name of the host from which the object was received.
You can click Download to download the file to your computer's hard drive.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Clicking the link with MD5 opens a list in which you can select one of the following actions:
- Find on TIP.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Clicking the link with SHA256 opens a list in which you can select one of the following actions:
- Find on TIP.
- Find on virustotal.com.
- Find events.
- Find alerts.
- Create prevention rule.
- Copy value to clipboard.
Downloading objects from Storage
If you consider an object in Storage to be safe, you can download it to a local computer.
Downloading infected objects could pose a threat to the security of your local computer.
To download an object from Storage:
- In the program web interface window, select the Storage section, Files subsection.
This opens the object table.
- In the right part of the line with the name of the object that you want to download, click the download button.
The object will be saved to your local computer in the browser's downloads folder. The file is downloaded as a ZIP archive protected with the password "infected".
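A defender-side check for the download described above, added here and not part of the platform's documentation or tooling: it opens the ZIP that Storage delivers (password "infected"), hashes the contained object in memory instead of extracting it to disk, and compares the result with the MD5 and SHA256 shown in the object details window. The 100 MB guard reuses the Get file limit stated later on this page; the sample archive built inside the block is constructed and unencrypted, because the standard library cannot write password-protected ZIPs.

```python
import hashlib
import io
import zipfile

# Password the platform puts on downloaded Storage archives (from the documentation).
STORAGE_ARCHIVE_PASSWORD = b"infected"
# Size limit the documentation states for Get file copies (100 MB); reused here as a
# guard against archive members that declare or expand to far more than expected.
MAX_OBJECT_SIZE = 100 * 1024 * 1024
CHUNK = 1 << 16


def digests_of(data):
    """MD5 and SHA256 hex digests of raw bytes, as shown in the object details window."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def hash_archive_members(archive_bytes, password=STORAGE_ARCHIVE_PASSWORD, max_size=MAX_OBJECT_SIZE):
    """Hash every file inside the downloaded ZIP without extracting it to disk.

    Returns {member_name: {"size": int, "md5": str, "sha256": str}}. Members are streamed
    in chunks so the object is never fully materialised, and a member whose declared or
    actual size exceeds max_size raises ValueError instead of being read further.
    """
    members = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.file_size > max_size:
                raise ValueError(f"{info.filename}: declared size {info.file_size} exceeds {max_size} bytes")
            md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
            # zipfile ignores pwd for members that are not encrypted, so the same call
            # handles both the platform's password-protected archive and plain test data.
            with zf.open(info, pwd=password) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    total += len(chunk)
                    if total > max_size:
                        raise ValueError(f"{info.filename}: expands beyond {max_size} bytes")
                    md5.update(chunk)
                    sha256.update(chunk)
            members[info.filename] = {"size": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}
    return members


def verify_against_storage(archive_bytes, expected_md5=None, expected_sha256=None,
                           password=STORAGE_ARCHIVE_PASSWORD, max_size=MAX_OBJECT_SIZE):
    """Check the single object in a downloaded archive against the MD5 / SHA256 values
    copied from the object details window. Returns (member_name, matches)."""
    members = hash_archive_members(archive_bytes, password, max_size)
    if len(members) != 1:
        raise ValueError(f"expected exactly one object in the archive, found {len(members)}")
    (name, digests), = members.items()
    matches = True
    if expected_md5 is not None:
        matches = matches and digests["md5"] == expected_md5.strip().lower()
    if expected_sha256 is not None:
        matches = matches and digests["sha256"] == expected_sha256.strip().lower()
    return name, matches


def build_sample_archive(name, data):
    """Constructed test input: an in-memory ZIP with one member. The standard library
    cannot write password-protected archives, so this sample is unencrypted; the
    verification path above is identical apart from the password being ignored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample standing in for an archive downloaded from Storage.
    payload = b"constructed sample object, not a real file"
    sample = build_sample_archive("sample.bin", payload)
    md5, sha256 = digests_of(payload)
    print(verify_against_storage(sample, expected_md5=md5, expected_sha256=sha256))
```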
Uploading objects to Storage
If you need to scan a specific object, you can upload this object to Storage and send it to be scanned.
To upload an object to Storage:
- In the program web interface window, select the Storage section, Files subsection.
- This opens the object table. In the upper-right corner of the window, click the Upload button.
This opens the file selection window.
- Select the object that you want to upload to Storage.
- If you want to upload a file with the .Lnk extension to Storage:
- In the File name field, enter *.Lnk and press Enter.
- Select the object.
- Click Open.
The object will be uploaded to Storage and will be displayed in the table of objects.
Users with the Security auditor role cannot upload objects to Storage.
Sending objects in Storage for scanning
You can scan Storage objects with the Central Node component using the Anti-Malware Engine and YARA technologies, and with the Sandbox component.
It is recommended to send objects from Storage to be scanned in the following cases:
- Scanning of objects when placed in Storage had been disabled.
- Program databases have been updated.
- An object was manually uploaded to Storage.
To send an object from Storage for scanning:
- In the program web interface window, select the Storage section, Files subsection.
- This opens the object table. Click the object that you want to scan.
This opens the object details window.
- Click Scan.
The object scan will start.
After the object scan is complete, its status will be displayed in the object table.
You can also send an object in Storage for scanning by clicking in the right part of the object information row in the table of objects placed in Storage.
Users with the Security auditor role cannot scan objects in Storage.
Deleting objects from Storage
To delete an object from Storage:
- In the program web interface window, select the Storage section, Files subsection.
- This opens the object table. Click the object that you want to delete.
This opens the object details window.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The object will be deleted from Storage.
You can also delete an object in Storage by clicking in the right part of the object information row in the table of objects placed in Storage.
To delete all or multiple objects from Storage:
- In the program web interface window, select the Storage section, Files subsection.
- This opens the object table. Select check boxes next to objects that you want to delete from Storage.
You can select all objects by selecting the check box in the row containing the headers of columns.
- In the pane that appears in the lower part of the window, click Delete.
This opens the action confirmation window.
- Click Yes.
The selected objects are removed from Storage.
Users with the Security auditor role cannot delete objects in Storage.
Filtering objects in Storage by object type
To filter objects in Storage by type:
- In the program web interface window, select the Storage section, Files subsection.
- This opens the object table. Click the Type link to open the object filtering menu.
- Select one or more check boxes:
- Uploaded by a Get file task if you want the table to display objects that were placed in Storage by Get file and Restore file from quarantine tasks.
- Uploaded through the web interface if you want the table to display objects uploaded by the user using the Kaspersky Anti Targeted Attack Platform web interface.
- Uploaded by a get data task if you want the table to display objects placed in Storage by Get forensics, Get NTFS metafiles, Get registry key, Get process memory dump tasks.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering objects in Storage by object description
To filter objects in Storage by object description:
- In the program web interface window, select the Storage section, Files subsection.
- This opens the object table. Click the Object link to open the object filtering menu.
- In the drop-down list, select one of the following options:
- File path
- MD5
- SHA256
- In the drop-down list, select one of the following object filtering operators:
- Contains
- Does not contain
- Equal to
- Not equal to
- Matches the pattern
- Does not match the pattern
- In the entry field, specify one or several characters of the object description.
- To add a filter condition using a different criterion, click the add condition button and specify the filter condition.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering objects in Storage based on scan results
To filter objects in Storage by scan results for these objects:
- In the program web interface window, select the Storage section, Files subsection.
- This opens the object table. Click the Scan results link to open the object filtering menu.
- Select one or more check boxes:
- Not detected
- Error
- In process
- Not scanned
- Detected
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering objects in Storage based on the name of Central Node, PCN, or SCN server
To filter objects in Storage by the name of Central Node, PCN, or SCN server:
- In the program web interface window, select the Storage section, Files subsection.
- This opens the object table. Click the Servers link to open the object filtering menu.
- Select one or multiple check boxes opposite those servers by which you want to filter objects in Storage.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering objects in Storage by object source
To filter objects in Storage by the source from which they were received:
- In the program web interface window, select the Storage section, Files subsection.
- This opens the object table. Click the Source link to open the object filtering menu.
- In the drop-down list, select one of the following object filtering operators:
- Contains
- Does not contain
- In the entry field, specify one or several characters of the IP address, host name or name of the user account that manually uploaded the object.
- To add a filter condition using a different criterion, click the add condition button and specify the filter condition.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering objects based on the time they were placed in Storage
To filter objects by the time when they were placed in Storage:
- In the program web interface window, select the Storage section, Files subsection.
- This opens the object table. Click the Record time link to open the object filtering menu.
- Select one of the following object display periods:
- All, if you want the table to display all objects that were placed in Storage.
- Last hour, if you want the table to display objects that were placed in Storage during the last hour.
- Last day, if you want the table to display objects that were placed in Storage during the last day.
- Custom range, if you want the table to display objects that were placed in Storage during the period you specify.
- If you have selected the Custom range object display period:
- In the calendar that opens, specify the start and end dates of the object display period.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Clearing a Storage objects filter
To clear the Storage objects filter for one or more filtering criteria:
- In the program web interface window, select the Storage section, Files subsection.
This opens the object table.
- Click the clear button to the right of the header of the Storage objects table column for which you want to clear the filtering conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The objects table will display only objects matching the filter criteria you have set.
Viewing the table of objects quarantined on computers with Kaspersky Endpoint Agent
The table of objects quarantined on computers with the Kaspersky Endpoint Agent program can be found in the Storage section, Quarantine subsection of the program web interface.
The Kaspersky Anti Targeted Attack Platform server stores metadata of objects quarantined on computers with the Kaspersky Endpoint Agent program. The objects themselves are kept in special storage on each computer where the threatening object was detected.
The table of objects quarantined on computers with the Kaspersky Endpoint Agent program contains the following information:
- Object—Information about the object. For example, the file name or file path.
- Source—IP address or host name of the computers with the Kaspersky Endpoint Agent program where the object is quarantined.
- Record time—Date and time when the object was quarantined.
- State—State of the object.
The right part of the object information row contains buttons:
- You can click the delete button to delete the metadata of the object on the Kaspersky Anti Targeted Attack Platform server.
- You can click the restore button to restore the object from Quarantine on a computer with the Kaspersky Endpoint Agent program.
- You can click the get file button to copy the object from Quarantine on the computer with the Kaspersky Endpoint Agent program to the Kaspersky Anti Targeted Attack Platform server.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Add to filter.
- Exclude from filter.
- Download.
- Send file for scanning.
- Find events:
- File path
- MD5
- SHA256
- Find alerts:
- File path
- MD5
- SHA256
- Copy value to clipboard.
Clicking the link with the host name opens a list in which you can select one of the following actions:
- Add to filter.
- Exclude from filter.
- Find events.
- Find alerts.
- Copy value to clipboard.
Viewing information about a quarantined object
To view information about an object quarantined on a computer with the Kaspersky Endpoint Agent program:
- In the program web interface window, select the Storage section, Quarantine subsection.
- This opens the object table. In the table, select the object whose information you want to view.
This opens the object details window.
The window contains the following information:
- Recommendations group. The Task recommendation can be displayed, which is a link that opens the Tasks section; this is the task that has quarantined the object.
- Object—File name or path.
- Size—Size of the file.
- Time quarantined—Date and time when the object was quarantined.
- Tenant—Name of the tenant to which the Central Node, PCN, or SCN server belongs.
- Host—Computer name with the Kaspersky Endpoint Agent program on which the object is quarantined.
- File—State of the file (whether a copy was obtained on the Kaspersky Anti Targeted Attack Platform server). If a copy of the file has been obtained on the Kaspersky Anti Targeted Attack Platform server, you can click Find file in Storage to open the information about the file in Storage.
- State—State of the file (whether the file can be restored from Quarantine).
You can click Restore to restore the file from Quarantine.
You can click Get file to copy the file to the Kaspersky Anti Targeted Attack Platform server.
Clicking the link with the file name or file path opens a list in which you can select one of the following actions:
- Find events.
- Find alerts.
- Copy value to clipboard.
Restoring an object from Quarantine
To restore an object from Quarantine on a computer with the Kaspersky Endpoint Agent program:
- In the program web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- In the table, select the object that you want to restore from Quarantine on the computer with the Kaspersky Endpoint Agent program.
This opens the object details window.
- Click Restore in the lower part of the window.
This opens the Tasks section and the Restore file from quarantine task.
- In the Description field, enter the task description.
- Click Add.
The file is restored from Quarantine.
You can also run the task to restore the file from Quarantine by clicking in the right part of the row with object information of the table of objects quarantined on computers with Kaspersky Endpoint Agent.
Users with the Security auditor role cannot restore objects from Quarantine.
Obtaining a copy of a quarantined object on a Kaspersky Anti Targeted Attack Platform server
The object that you want to download a copy of must not exceed 100 MB. If the object exceeds 100 MB, the task finishes with an error.
To copy an object quarantined on a computer with the Kaspersky Endpoint Agent program to a Kaspersky Anti Targeted Attack Platform server:
- In the program web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- In the table, select the object that you want to restore from Quarantine on the computer with the Kaspersky Endpoint Agent program.
This opens the object details window.
- Click Get file in the lower part of the window.
This creates a task for getting a copy of an object that was quarantined on a Kaspersky Endpoint Agent computer. If the task completes successfully, the copy of the object is uploaded to the Kaspersky Anti Targeted Attack Platform server. The object is displayed in the Storage section, Files subsection of the program web interface in the table of objects placed in Storage.
Information about the created task is displayed in the Tasks section of the web interface.
You can also copy an object from Quarantine on a computer with the Kaspersky Endpoint Agent program to the Kaspersky Anti Targeted Attack Platform server by clicking in the right part of the object information row in the table of objects quarantined on computers with Kaspersky Endpoint Agent.
Users with the Security auditor role cannot get copies of objects from Quarantine.
Removing information about the quarantined object from the table
To delete the information of an object quarantined on a computer with the Kaspersky Endpoint Agent program from the Kaspersky Anti Targeted Attack Platform table:
- In the program web interface window, select the Storage section, Quarantine subsection.
- This opens the object table. Click the object for which you want to delete information from the table.
This opens the object details window.
- Click Delete.
This opens the action confirmation window.
- Click Yes.
The information about the object quarantined on the computer with the Kaspersky Endpoint Agent program is deleted from the table.
You can also delete the information of an object quarantined on a computer with the Kaspersky Endpoint Agent program from the table by clicking in the right part of the object information row in the table of quarantined objects.
Users with the Security auditor role cannot delete information about a quarantined object from the table.
Filtering information about quarantined objects by object type
To filter quarantined object details by object type:
- In the program web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- Click the Type link to open the object filtering menu.
- Select one or more check boxes:
- File if you want the table to display metadata of quarantined objects.
- Process memory dump if you want the table to display metadata of quarantined dumps.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering information about quarantined objects by object description
To filter quarantined object details by object description:
- In the program web interface window, select the Storage section, Quarantine subsection.
- This opens the object table. Click the Object link to open the object filtering menu.
- In the drop-down list, select one of the following object filtering operators:
- Contains
- Does not contain
- In the entry field, specify one or several characters of the object description.
- To add a filter condition using a different criterion, click the add condition button and specify the filter condition.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering information about quarantined objects by host name
To filter quarantined object details by the name of the host where they were quarantined:
- In the program web interface window, select the Storage section, Quarantine subsection.
- This opens the object table. Click the Source link to open the object filtering menu.
- In the drop-down list, select one of the following object filtering operators:
- Contains
- Does not contain
- In the entry field, specify one or several characters of the host name.
- To add a filter condition using a different criterion, click the add condition button and specify the filter condition.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Filtering information about quarantined objects by time
To filter quarantined object details by the time when they were quarantined:
- In the program web interface window, select the Storage section, Quarantine subsection.
- This opens the object table. Click the Record time link to open the object filtering menu.
- Select one of the following object display periods:
- All if you want the table to display all objects.
- Last hour if you want the table to display objects that were quarantined during the last hour.
- Last day if you want the table to display objects that were quarantined during the last day.
- Custom range if you want the table to display objects that were quarantined during the period you specify.
- If you have selected the Custom range object display period:
- In the calendar that opens, specify the start and end dates of the object display period.
- Click Apply.
The objects table will display only objects matching the filter criteria you have set.
You can use multiple filters at the same time.
Resetting the filter for information about quarantined objects
To clear the filter for one or more filtering criteria:
- In the program web interface window, select the Storage section, Quarantine subsection.
This opens the object table.
- Click the clear button to the right of the header of the column of the quarantined objects table for which you want to reset the filter conditions.
If you want to clear several filter conditions, perform the necessary actions to clear each filter condition.
The selected filters are cleared.
The objects table will display only objects matching the filter criteria you have set.