Restore a Quarantined File Using Cytool
4.2 (EoS)
If a quarantined file turns out not to be malware, you can restore it using the ESM Console or by using Cytool from a Windows endpoint.

Use the cytool quarantine list command to view details about all quarantined files on the endpoint. To restore a file to its original location, use the cytool quarantine restore <guid> command. To restore a file to a new location, use the cytool quarantine restore <guid> <filepath> command.

To view details about quarantined files and to restore them, you must enter the supervisor (uninstall) password when prompted.

Using Cytool, you can restore a file to any non-network writable file system, including NTFS, ExFAT, FAT32, FAT16, and ReFS.
- Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
- To view all files that Traps has quarantined on the endpoint, use the following command:
C:\Program Files\Palo Alto Networks\Traps> cytool quarantine list
The following example displays output for using cytool to query for all quarantined files.
c:\Program Files\Palo Alto Networks\Traps>cytool quarantine list
Enter supervisor password:
Guid                                  State        Date/Time                                Path
c92e84c0-1770-40d5-b5b8-544d02381ea6  Quarantined  Thursday, August 18, 2016, 14:40:21 PM  C:\Malware\malware1.exe
- To restore a quarantined file, use the following command:
C:\Program Files\Palo Alto Networks\Traps> cytool quarantine restore <guid> <filepath>
where <guid> is the unique identifier of the file. If you want to restore the executable file to its original location, leave the <filepath> blank. Otherwise, enter the location, including the filename, to which you want to restore the executable file.
The following example displays output for using cytool to restore the malware1.exe file to an alternate location.
C:\Program Files\Palo Alto Networks\Traps> cytool quarantine restore c92e84c0-1770-40d5-b5b8-544d02381ea6 C:\myfolder\not-malware.exe
Enter supervisor password:
Restored prevention c92e84c0-1770-40d5-b5b8-544d02381ea6 to C:\myfolder\not-malware.exe
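When the listing holds many entries, copying the GUID by hand is error-prone. The following is an added example, not part of the Traps documentation or tooling: it parses a saved copy of the cytool quarantine list output, finds the entry for a given original path, checks the restore target against the constraints stated above (local file system, filename included), and builds the restore command. The function names are hypothetical, and the parser assumes the row layout shown in the sample output on this page.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the listing shown on this page, saved from the console.
SAMPLE_LISTING = r"""Enter supervisor password:
Guid State Date/Time Path
c92e84c0-1770-40d5-b5b8-544d02381ea6 Quarantined Thursday, August 18, 2016, 14:40:21 PM C:\Malware\malware1.exe
"""

# Assumed row layout: GUID, state, date ending in AM/PM, then the path
# (which may contain spaces) to the end of the line.
ROW = re.compile(
    r"^(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\s+"
    r"(?P<state>\S+)\s+(?P<when>.+?\s[AP]M)\s+(?P<path>\S.*)$"
)

def parse_quarantine_list(text):
    """Return one dict per file row; prompt and header lines do not match."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ROW.match(line.strip()))]

def check_restore_target(filepath):
    """Reject UNC paths, relative paths and targets without a filename.
    A mapped network drive letter cannot be detected from the string alone."""
    if filepath.startswith(("\\\\", "//")):
        raise ValueError("network (UNC) path: restore to a local file system")
    p = PureWindowsPath(filepath)
    if not re.fullmatch(r"[A-Za-z]:\\", p.anchor):
        raise ValueError("target must be an absolute path on a local drive")
    if not p.name:
        raise ValueError("target must include the filename")
    return str(p)

def restore_command(rows, original_path, target=None):
    """Build the restore argument list for the single quarantined entry
    whose Path equals original_path (Windows rules: case-insensitive)."""
    wanted = PureWindowsPath(original_path)
    hits = [r for r in rows
            if r["state"] == "Quarantined" and PureWindowsPath(r["path"]) == wanted]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one quarantined entry, found {len(hits)}")
    cmd = ["cytool", "quarantine", "restore", hits[0]["guid"]]
    if target is not None:  # omit <filepath> to restore to the original location
        cmd.append(check_restore_target(target))
    return cmd
```

The returned list is only the command to run from the Traps folder; cytool still prompts for the supervisor password.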