EAV 4.2 BE: how to find the original date/time stamp of a quarantined file?

Discussion in 'ESET NOD32 Antivirus' started by Reedmikel, Jan 26, 2012.

Thread Status:
Not open for further replies.
  1. Reedmikel

    Reedmikel Registered Member

    Joined: Dec 30, 2011
    Posts: 185
    Is there any way to find out the "Last Modified" date and time info for a file that has been quarantined by NOD32? This is invaluable information, as it tells us when the malicious file was written to disk. Plus, we would like to check the user's browser history to see what web site may have infected them. We have special tools that allow us to view IE and Firefox browser history logs...
     
  2. Marcos

    Marcos Eset Staff Account

    Joined: Nov 22, 2002
    Posts: 14,374
    This information is not available as the original malicious file is removed and a new one is created in an encrypted form in quarantine. Since malware often modifies the timestamp to hide in the system and make finding it more difficult, I, for one, don't see any practical use in storing timestamps.
     
  3. Reedmikel

    Reedmikel Registered Member

    Joined: Dec 30, 2011
    Posts: 185
    Real world experience for us has been quite different, Marcos. We frequently are able to associate the time stamp of a malicious file with a user's browser history - and then determine what web site caused the infection. We then BLOCK that site so that other users do not get infected. So I strongly encourage you to rethink this feature request...
     
  4. Reedmikel

    Reedmikel Registered Member

    Joined: Dec 30, 2011
    Posts: 185
    Marcos, also keep in mind that the date/time stamp would be just ONE MORE piece of forensic evidence that your software could provide to those of us that have to protect hundreds or thousands of machines. I am sure you see the wisdom in being able to determine what web site infected a machine by comparing the malicious file's creation time versus the user's browser history, then quickly blocking the infected website so that our entire MSP client base is immediately protected against this strain of malware. That is being HUGELY PROACTIVE. Even if this date/time info only helped us in 10% of malware issues, that is significant!

    Hey you other MSPs - how about letting ESET know you also would like this feature added...
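
The timestamp-to-history correlation described in the posts above, as an added example that is not part of the original thread or any ESET tooling. It assumes a Firefox-style history database (a subset of the `moz_places` / `moz_historyvisits` tables, with `visit_date` in microseconds since the Unix epoch); the sample rows, the file time and the window sizes are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
US = timedelta(microseconds=1)

def to_prtime(dt):
    """Firefox visit_date: microseconds since the Unix epoch, UTC."""
    return (dt - EPOCH) // US

def visits_near(conn, file_time, before=timedelta(minutes=10),
                after=timedelta(minutes=1)):
    """Return (visit_time, url, seconds_before_file_write) inside the window.
    Window sizes are assumptions; widen them if clocks may be skewed."""
    lo, hi = to_prtime(file_time - before), to_prtime(file_time + after)
    rows = conn.execute(
        "SELECT v.visit_date, p.url FROM moz_historyvisits v "
        "JOIN moz_places p ON p.id = v.place_id "
        "WHERE v.visit_date BETWEEN ? AND ? ORDER BY v.visit_date",
        (lo, hi)).fetchall()
    out = []
    for ts, url in rows:
        when = EPOCH + ts * US
        out.append((when, url, (file_time - when).total_seconds()))
    return out

def build_sample_history():
    """Constructed data in a subset of the places.sqlite schema.
    On a real case, query a copy of the profile's places.sqlite instead."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);"
        "CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,"
        " place_id INTEGER, visit_date INTEGER);")
    day = datetime(2012, 1, 25, tzinfo=timezone.utc)
    sample = [("http://intranet.example/home", (14, 5, 0)),
              ("http://news.example/article", (14, 25, 30)),
              ("http://ads.example/banner.js?id=7", (14, 31, 58)),
              ("http://mail.example/inbox", (14, 40, 0))]
    for i, (url, (h, m, s)) in enumerate(sample, start=1):
        conn.execute("INSERT INTO moz_places VALUES (?, ?)", (i, url))
        conn.execute("INSERT INTO moz_historyvisits VALUES (?, ?, ?)",
                     (i, i, to_prtime(day + timedelta(hours=h, minutes=m, seconds=s))))
    return conn

# Constructed "Last Modified" time, recorded before the file was quarantined.
FILE_MTIME = datetime(2012, 1, 25, 14, 32, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when, url, delta in visits_near(build_sample_history(), FILE_MTIME):
        print(f"{when:%H:%M:%S}Z  {delta:6.0f}s before write  {url}")
```

As the reply from ESET staff points out, malware can alter file timestamps, so a match here is a lead to confirm against other evidence before blocking a site.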
     
  5. Reedmikel

    Reedmikel Registered Member

    Joined: Dec 30, 2011
    Posts: 185
    Marcos - does this web site have any way to vote on feature requests? Or do users have to subscribe to this thread and post their remarks? A voting system would be extremely helpful for ESET in determining what the most requested features are...
     