View and restore identified malware

An identified file is a file that has been found to be or to contain malware and has therefore been encrypted and moved to a special folder on the protected computer. Whether or not an infected file can be viewed and restored depends on the Anti-Malware configuration, and the operating system on which the file was found:

• On Windows agents, you can view and restore cleaned, deleted, or quarantined files.
• On Linux agents, you can view and restore only quarantined files.

For information about events that are generated when malware is encountered, see Anti-Malware events.

See a list of identified files

The Events and Reports page provides a list of identified files. From there you can see the details for any of those files:

1. Click Events & Reports > Events > Anti-Malware Events > Identified Files.
2. To see the details of a file, select the file and click View.

The list of identified files includes the following columns of information:

• Infected File: Shows the name of the infected file and the specific security risk.
• Malware: Names the malware infection.
• Computer: Indicates the name of the computer with the suspected infection.

The Details window provides the following information:

• Detection Time: The date and time on the infected computer that the infection was detected.
• Infected File(s): The name of the infected file.
• File SHA-1: The SHA-1 hash of the file.
• Malware: The name of the malware that was found.
• Scan Type: Indicates whether the malware was detected by a Real-time, Scheduled, or Manual scan.
• Action Taken: The result of the action taken by Workload Security when the malware was detected.
• Computer: The computer on which this file was found. If the computer has been removed, this entry reads "Unknown Computer".
• Container Name: Name of the Docker container where the malware was found.
• Container ID: ID of the Docker container where the malware was found.
• Container Image Name: Image name of the Docker container where the malware was found.

Working with identified files

The Identified Files page allows you to manage tasks related to identified files. Using the menu bar or the right-click context menu, you can:

• Restore identified files back to their original location and condition.
• Download identified files from the computer or Virtual Appliance to a location of your choice.
• Delete one or more identified files from the computer or Virtual Appliance.
• Export information about the identified files (not the file itself) to a CSV file.
• View the details of an identified file.
• Computer Details displays the screen of the computer on which the malware was detected.
• View Anti-Malware Event displays the Anti-Malware event associated with this identified file.
• Add or Remove Columns by clicking Add/Remove.
• Search for a particular identified file.

Search for an identified file

• Use Period to see only the files that were identified within a specific time frame.
• Use Computers to organize files by Computer Groups or Computer Policies.
• Click Search this page > Open Advanced Search to toggle the display of the advanced search options:

Advanced searches include one or more search criteria for filtering identified files. Each criterion is a logical statement comprised of the following items:

• The characteristic of the identified file to filter on, such as the type of file (infected file or malware) or the computer that was affected.
• An operator:
  • Contains: The entry in the selected column contains the search string.
  • Does Not Contain: The entry in the selected column does not contain the search string.
  • Equals: The entry in the selected column exactly matches the search string.
  • Does Not Equal: The entry in the selected column does not exactly match the search string.
  • In: The entry in the selected column exactly matches one of the comma-separated search string entries.
  • Not In: The entry in the selected column does not exactly match any of the comma-separated search string entries.
• A value.

To add a criterion, click the plus sign to the right of the topmost criterion. To search, click the search icon.

Note that searches are not case-sensitive.

Restore identified files

Create a scan exclusion for the file

Before you can restore a file to its original location, you have to create a scan exclusion so that Workload Security does not immediately reidentify the file when it reappears on the computer.

The following instructions describe how to create an exclusion for the file on an individual computer, but you can make the same configuration changes at the policy level.

1. Open the Computers page and go to Anti-Malware > Identified Files and double-click the identified file to view its properties.
2. Note the file's exact name and original location.
3. Still in the Computers page, go to Anti-Malware > General and click Edit next to each Malware Scan that's in effect to open the Malware Scan Configuration properties.
4. In the Malware Scan Configuration properties, select Exclusions.
5. In the Scan Exclusions area, select File List and then either press edit if a file list is already selected, or select New from the menu to create a new File List.
6. In the File List properties window, enter the file path and name of the file to be restored. Click OK to close the File List properties.
   
7. Close the Malware Scan Configuration properties window by clicking OK.
8. When you have edited all the Malware Scan Configurations, click Save in the Computers page to save your changes.

You are now ready to restore your file.

Restore the file

1. Still in the Computers page, go to the Anti-Malware > Identified Files tab.
2. Right-click the identified file and select Actions > Restore, then follow the steps in the wizard.

Your file is restored to its original location.