Quarantine > Detection Configuration

Yesterday, I downloaded a package to my desktop as per post #2 in > Windows XP Pro Critical Updates (after SP3)


WSA detected the following two files:



Automated Cleanup Engine
Starting Cleanup at 17/09/2012 - 19:56:18 GMT

Starting Routine> Removing c:\documents and settings\<MyName>\desktop\wsusoffline742\wsusoffline\client\updateinstaller.exe...#(PX5:

3DEC44F4B11CF89AE3F40924FDD9040074440C6D - MD5: 0010E6CBB04DC0215A7A8BE410FF5292)...
Deleting File> c:\documents and settings\<MyName>\desktop\wsusoffline742\wsusoffline\client\updateinstaller.exe

Automated Cleanup Engine
Starting Cleanup at 17/09/2012 - 19:56:45 GMT

Starting Routine> Removing c:\documents and settings\<MyName>\desktop\wsusoffline742\wsusoffline\updategenerator.exe...#(PX5:

3DEC44F4D71CF89A28F40A24FDD90400844DF673 - MD5: A86E772A10990CFB63FD09036B6A5F4C)...
Deleting File> c:\documents and settings\<MyName>\desktop\wsusoffline742\wsusoffline\updategenerator.exe


I had them scanned at Virus Total and determined that they were safe, so I removed them from quarantine.

Now, I have noticed that they have been allowed under Quarantine > Detection Configuration, automatically.



I had removed the whole download package from my desktop to another another location as can be seen from the following screenshot.









However, I would not necessarily want WSA to now allow, automatically.

P.S. If I hadn't gone exploring, I would have been none the wiser.

 

If you remove something from quarantine, it sets it to an override of "Allow" otherwise, unless it's whitelisted in the cloud system, it will be re-detected. The allow is by file hash, not by file name/location, it just shows the last-known location of that hash. Or first known, I forget. You can right-Click on the entry to Do Things.

Also, if you're not sure about something, VT is not always the best place to check if WSA flagged it, unless you are absolutely 100% sure it's safe. I've seen stuff that WSA flagged that VT said was clean and was originally scanned several months ago. Rescan and still clean. But inspect the file more deeply just out of curiosity and sure enough, it was bad juju. So WSA caught something that nothing else on VT caught for over a month. Never found out if anything else on VT ever caught it. Lack of threat evidence is not evidence of lack of threat. I'm giving that as a general statement, mind you, not on those files specifically, which I make no warranty as to the status of.

 

Where did they all go?

 

@ Techfox1976

Thanks for chipping in with that info.

I was hoping Joe, would have added something in reply...He has been in and out, in the forum.

 

I just checked again, and they are back!

 

He's probably super-extra-ultra-OMFG busy as all heck since they are probably releasing the new stuff so soon.

 

Techfox is correct - it depends on the file, but it will usually be the last seen instance of it which is listed in the detection configuration window. Restoring a file from quarantine adds it as 'Allow', otherwise it would just be removed automatically instantly.

 

The only files I have restored from quarantine are the two mentioned above, and an old archive rootkit file, apispy9x.dll which I know about but will never use.

The others on that list such as Vipre, Defensewall, Opera and $isr have never been restored (by me) from quarantine. So, can see no reason for them appearing there.

 

As you do allot of Beta testing of many products you must have allowed them at one point because they were not known to the cloud database at the time!

TH

 

Aye. I would surmise that going to the Control Active Processes and changing something from Monitor to Allow would also make it show up there. It would be silly for it to be set to "allow" in control and "block" in overrides.