> Specifically Elastic Defend will remove the file from its current location, encrypt it with the encryption key ELASTIC

Can that please say something like "Specifically Elastic Defend will remove the file from its current location, do a rolling XOR with the key ELASTIC"?

Also the page says

> You can access a quarantined file by using the get-file response action command in the response console. To do this, copy the path from the alert’s Quarantined file path field (file.Ext.quarantine_path), which appears under Highlighted fields in the alert details flyout. Then paste the value into the --path parameter. This action doesn’t restore the file to its original location, so you will need to do this manually.

Can we add a note to that to state that when get-file retrieves a file quarantined by Endpoint the ELASTIC XOR is automatically undone; the original malware file is retrieved.
Which documentation set(s) does this bug apply to?
ESS and serverless
Release version
I'm not sure when this documentation was added.
Testing environment
N/A
Documentation links
https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html#manage-quarantined-files
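
The rolling XOR this issue describes, as an added example that is not part of the issue or of Elastic's code. It assumes a plain repeating-key XOR over every byte with the ASCII key ELASTIC and no file header or framing (the page specifies neither); `rolling_xor`, `xor_stream`, `sha256_hex` and the sample bytes are constructed for illustration.

```python
import hashlib
import io

KEY = b"ELASTIC"  # key named in the issue; ASCII encoding is an assumption


def rolling_xor(data: bytes, offset: int = 0, key: bytes = KEY) -> bytes:
    """XOR data with the repeating key, starting at key position `offset`."""
    return bytes(b ^ key[(offset + i) % len(key)] for i, b in enumerate(data))


def xor_stream(src, dst, chunk_size: int = 65536, key: bytes = KEY):
    """Copy src to dst through the rolling XOR in fixed-size chunks.

    The running byte count is passed as the key offset, so chunk sizes that
    are not a multiple of len(key) still line up with the key.
    Returns (bytes processed, SHA-256 hex digest of the output).
    """
    total, digest = 0, hashlib.sha256()
    while chunk := src.read(chunk_size):
        out = rolling_xor(chunk, total, key)
        dst.write(out)
        digest.update(out)
        total += len(chunk)
    return total, digest.hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string, for comparing against a known-good hash."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample input: an "MZ"-prefixed byte string, not a real binary.
SAMPLE = b"MZ\x90\x00" + b"constructed sample bytes " * 5


def demo():
    """Apply the XOR to SAMPLE, then undo it using a different chunk size."""
    stored, restored = io.BytesIO(), io.BytesIO()
    xor_stream(io.BytesIO(SAMPLE), stored, chunk_size=10)
    _, digest = xor_stream(io.BytesIO(stored.getvalue()), restored, chunk_size=13)
    return stored.getvalue(), restored.getvalue(), digest


if __name__ == "__main__":
    stored, restored, digest = demo()
    print(stored[:7].hex(), restored == SAMPLE, digest)
```

Because XOR is its own inverse, the same call both applies and undoes the transform. Comparing the returned SHA-256 with a hash you already hold for the original file confirms the restored bytes.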