Perform the following steps to extract a file quarantined by VSEL from the system for submission to McAfee Labs:
- Check the name of the quarantined file (which is automatically renamed by VSEL), the time stamp of detection, and the original file name and path.
Here is an example:
# /opt/NAI/LinuxShield/bin/nails quarantine -l -v
/quarantine/Q265289728.1449455.594742.000.meta: Sat Oct 29 13:31:06 2016 UTC Owner 0 Group 0 Mode 0644 /root/sample
In this example:
- Name of quarantined file is /quarantine/Q265289728.1449455.594742.000.meta
- Time stamp of detection is Sat Oct 29 13:31:06 2016 UTC
- Original file name and path is /root/sample
- Add an exclusion for the original file that was quarantined and the new .zip file to be created.
In the previous example, adding /root/sample.* to the exclusion list is sufficient, because it covers both the restored file and the sample.zip file created beside it. For instructions to add an exclusion, refer to the "Exclude paths from scanning" section in the VirusScan Enterprise for Linux 2.0 Product Guide (PD25001).
- Confirm the exclusion is reflected on the system. The exclusion value you added is saved locally in the nailsd.cfg file, and you can check it using the grep command.
Output using the previous example:
# grep sample /var/opt/NAI/LinuxShield/etc/nailsd.cfg
nailsd.profile.OAS.filter.ePOexclusion_5.path: /root/sample.*
- Restore the quarantined file to the original path using the following command:
/opt/NAI/LinuxShield/bin/nails quarantine -r <meta-file>
Output using the previous example:
# /opt/NAI/LinuxShield/bin/nails quarantine -r /quarantine/Q265289728.1449455.594742.000.meta
/root/sample: recovered from quarantine/Q265289728.1449455.594742.000.meta
/root/sample: access permission set to 0644
/root/sample: owner set to 0, group set to 0
/root/sample: Warning - accessing this file may cause it to be quarantined again.
- Create the necessary .zip file with the password infected for submission. The password must always be infected.
Output using the previous example:
# cd /root/
# zip -e sample.zip sample
Enter password:
Verify password:
Updating: sample (stored 0%)
- Submit the .zip file to McAfee Labs using the process described in KB68030.
- Delete the original file and .zip file, and then remove the exclusion.
NOTE: If the submission is for a false positive, perform these cleanup steps after the DAT has the updated signature. If the submission is for a false negative, you can perform these cleanup steps immediately because the existing DATs will not detect it.
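One way to script the look-up and exclusion check from the steps above, as an added example that is not McAfee's code: it parses the `nails quarantine -l -v` line layout shown in this article, derives the exclusion pattern and restore command from it, and checks a nailsd.cfg excerpt for the exact exclusion value rather than a loose grep. The sample line, the config excerpt and all function names are the example's own constructions.

```shell
# Added example, not McAfee's own tooling: parse one line of
# `nails quarantine -l -v` output into the fields the procedure needs,
# derive the exclusion pattern, and check nailsd.cfg for that exact value.
# Assumes the line layout shown above:
#   <meta-file>: <timestamp> Owner <uid> Group <gid> Mode <mode> <original path>
# Constructed sample line in the format of the article's example.
SAMPLE_LINE='/quarantine/Q265289728.1449455.594742.000.meta: Sat Oct 29 13:31:06 2016 UTC Owner 0 Group 0 Mode 0644 /root/sample'

# Constructed nailsd.cfg excerpt; the first entry is unrelated but would
# still match a bare `grep sample`.
CFG_TEXT='nailsd.profile.OAS.filter.ePOexclusion_4.path: /tmp/sample-data/*
nailsd.profile.OAS.filter.ePOexclusion_5.path: /root/sample.*'

# quarantine_meta LINE -> the .meta file name (text before the first ": ")
quarantine_meta() { printf '%s\n' "$1" | sed 's/: .*$//'; }

# quarantine_time LINE -> detection time stamp (between ": " and " Owner ")
quarantine_time() { printf '%s\n' "$1" | sed 's/^[^:]*: //; s/ Owner .*$//'; }

# quarantine_orig LINE -> original path (everything after "Mode <mode> ")
quarantine_orig() { printf '%s\n' "$1" | sed 's/^.* Mode [0-7]* //'; }

# exclusion_pattern PATH -> pattern covering the restored file and the
# .zip created beside it, e.g. /root/sample -> /root/sample.*
exclusion_pattern() { printf '%s.*\n' "$1"; }

# restore_command LINE -> the nails command that restores this entry
restore_command() {
    printf '/opt/NAI/LinuxShield/bin/nails quarantine -r %s\n' "$(quarantine_meta "$1")"
}

# exclusion_present PATH (nailsd.cfg text on stdin) -> exit 0 only if some
# OAS exclusion entry has exactly PATH as its value
exclusion_present() {
    awk -v p="$1" \
        '$1 ~ /^nailsd\.profile\.OAS\.filter\..*\.path:$/ && $2 == p { found = 1 }
         END { exit !found }'
}

# Stand-alone run against the constructed data.
ORIG=$(quarantine_orig "$SAMPLE_LINE")
printf 'meta:      %s\n' "$(quarantine_meta "$SAMPLE_LINE")"
printf 'detected:  %s\n' "$(quarantine_time "$SAMPLE_LINE")"
printf 'original:  %s\n' "$ORIG"
printf 'exclusion: %s\n' "$(exclusion_pattern "$ORIG")"
printf 'restore:   %s\n' "$(restore_command "$SAMPLE_LINE")"
if printf '%s\n' "$CFG_TEXT" | exclusion_present "$(exclusion_pattern "$ORIG")"; then
    echo 'exclusion present in nailsd.cfg excerpt'
fi
```

On a real host, feed the actual file instead of the excerpt: `exclusion_present '/root/sample.*' < /var/opt/NAI/LinuxShield/etc/nailsd.cfg`.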