
Removed from quarantine list

I have noticed a new Action Taken category within the Sophos Enterprise Console for Endpoint Security and Control ver 9 called "Removed from quarantine list". What does this mean? Did the user remove the virus from the Quarantine Manager, or did Sophos do something internally?



  • Hi,

    Just did a quick test... If you detect eicar.com on a client machine, an entry gets created in the QM on the client and you get an alert in SEC. If, however, the file (let's say C:\eicar.com) is deleted by the user or by an application, for example, the QM on the client doesn't update, as it doesn't constantly check that everything that has been detected is still on disk, presumably for performance reasons.

    So then in SEC you might issue a clean-up on C:\Eicar.com as it's still outstanding in SEC; this essentially fails as the file has already been deleted, hence "Removed from quarantine list". It then clears the alert in SEC, as essentially the threat has been dealt with. It seems like just extra info to me that the file has been removed externally to SAV, which can often be the case if a file is in a temp location and then purged.

    Regards,

    Jak

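The behaviour Jak describes above, modelled as an added example that is not part of the original thread and is not Sophos code: a client-side quarantine list that records detections but never re-checks the disk, a console-style clean-up that resolves as "Removed from quarantine list" when something else has already deleted the file, and a `reconcile()` helper an administrator could run on an endpoint to predict which outstanding alerts will resolve that way. The "Cleaned up" outcome label, the class and function names, and the sample files are assumptions for the model; the files are created in a temporary directory with placeholder text, not the EICAR test string.

```python
"""Model of a quarantine list that is not kept in sync with the disk.

Constructed example. It is not Sophos code; it only reproduces the
sequence described in the thread: detect -> file purged externally ->
clean-up issued from the console -> alert resolved as
"Removed from quarantine list".
"""
import tempfile
from enum import Enum
from pathlib import Path


class Outcome(Enum):
    # "Removed from quarantine list" is the category from the thread;
    # "Cleaned up" is an assumed label for the normal success path.
    CLEANED = "Cleaned up"
    REMOVED_FROM_LIST = "Removed from quarantine list"


class QuarantineManager:
    """Client-side list of detections, keyed by path as seen at detection time."""

    def __init__(self):
        self.entries = {}  # path -> threat name

    def detect(self, path, threat):
        # Records the detection once; there is no later re-scan to confirm
        # the file is still present (the behaviour the thread describes).
        self.entries[str(path)] = threat

    def outstanding(self):
        return dict(self.entries)

    def cleanup(self, path):
        """Console-initiated clean-up of one outstanding entry."""
        key = str(path)
        if key not in self.entries:
            raise KeyError(f"{key} is not in the quarantine list")
        del self.entries[key]  # the alert is cleared either way
        target = Path(key)
        if target.exists():
            target.unlink()  # the file was still there: a real clean-up
            return Outcome.CLEANED
        # Deleted by the user, an application or a temp-folder purge
        # before the clean-up ran: nothing left for the AV to do.
        return Outcome.REMOVED_FROM_LIST


def reconcile(qm):
    """Return outstanding entries whose files have already gone from disk.

    Running this on the endpoint shows which alerts will resolve as
    "Removed from quarantine list" rather than as a genuine clean-up.
    """
    return sorted(p for p in qm.outstanding() if not Path(p).exists())


def demo():
    """Walk through the thread's scenario and return what was observed."""
    with tempfile.TemporaryDirectory() as d:
        still_present = Path(d) / "eicar.com"          # assumed sample path
        purged = Path(d) / "temp" / "eicar.com"         # assumed temp-folder copy
        purged.parent.mkdir()
        for p in (still_present, purged):
            p.write_text("placeholder, not the EICAR test string\n")

        qm = QuarantineManager()
        qm.detect(still_present, "EICAR-AV-Test")
        qm.detect(purged, "EICAR-AV-Test")

        purged.unlink()  # e.g. a temp-folder purge outside the AV
        stale = reconcile(qm)  # QM still lists it: nothing re-checked the disk

        return {
            "stale_before_cleanup": stale == [str(purged)],
            "still_present": qm.cleanup(still_present),
            "purged": qm.cleanup(purged),
            "remaining": qm.outstanding(),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of `reconcile()` is operational: the outcome an administrator sees in SEC depends on the state of the disk at clean-up time, not at detection time, so an alert that is still "outstanding" may already have nothing behind it.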