
How can I delete some files based on their extensions?

Hello,

I'm currently testing WithSecure EDR with ransomware. The solution works well (my files are not altered), but the ransomware leaves an encrypted duplicate next to my file (files .psr, as shown in the screenshot below).

I attempted to find a way to properly remove all the .psr files using the "Remediation" > "Delete files" option, but no actions seem to work. I tried various paths, including absolute paths to individual files, but none of them appear to be successful. Each attempt results in a failure (see screenshot below).

Do you have any idea where the problem could be coming from? And do you know where I can find the log of this failed action?

Thank you in advance for your answer 😁

Best Answer

  • ArnaudB
    ArnaudB Posts: 4 Junior Protector
    Solved

    Hello!

    The issue was found: I didn't activate the "Advanced remediation" option on my computer profile through the WithSecure ESC (Profiles > Check your computer profile > General parameters > Integration > Advanced remediation).

    Be careful, the "delete files" option allows you to delete one file or folder at a time (we cannot use a wildcard such as "*.psr" in my case).

    Thank you to the WithSecure Support Team for helping me 😄

Answers

  • Sethu Laks
    Sethu Laks Staff, Moderator Posts: 298 W/ Moderator

    Hi @ArnaudB

    Thank you for reaching out to the WithSecure Community!

    Currently, I do not see any internal documentation explicitly mentioning support for the .psr file extension in our Endpoint Detection and Response (EDR) solution. However, EDR tools generally focus on monitoring and analyzing file activities based on behavior rather than specific file extensions. As such, the .psr extension itself should not inherently pose an issue for detection or remediation actions.

    If you're having difficulties deleting .psr files using the EDR's remediation features, please consider the following steps:

    • Verify File Accessibility: Ensure that the .psr files are not in use or locked by another process, as this could prevent deletion.
    • Check EDR Policies: Review your EDR policies to confirm that there are no restrictions or exclusions affecting files with the .psr extension.

    That said, I will check this with our backend team and provide an update here as soon as possible. Thank you for your patience!

  • Sethu Laks
    Sethu Laks Staff, Moderator Posts: 298 W/ Moderator

    Hi @ArnaudB

    An update has just come in from our backend team. To proceed with the investigation, we’ll need the WSDIAG logs from the host, as well as additional details from the "Delete Files" link in the detailed views. Once you have gathered this information, please reach out to WithSecure Support and provide the details for further investigation.

  • ArnaudB
    ArnaudB Posts: 4 Junior Protector

    Hi @Sethu Laks,

    No problem, I'll do it right away.

  • ArnaudB
    ArnaudB Posts: 4 Junior Protector

    One more message,

    To anyone who wishes to delete many files with a specific extension (like in my case with .psr files)

    PowerShell > Go to the infected folder > use "del" command (such as del *.psr && del */*.psr && del */*/*.psr && etc.)
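
A recursive alternative to the `del` chain in the last post, as an added example that is not part of the original thread or of WithSecure's tooling: it hashes and logs every `.psr` file before removing it, and deletes only where the original file still sits beside it. The function name, report path and sample folder are hypothetical, and the naming `<original name>.psr` for a duplicate is an assumption.

```powershell
function Remove-EncryptedDuplicate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Root,   # folder the test ransomware touched
        [string]$Extension = '.psr',
        [string]$ReportPath = (Join-Path $env:TEMP 'psr-cleanup.csv')  # hypothetical location
    )

    # -Filter can also match longer extensions through 8.3 short names,
    # so the extension is compared exactly (case-insensitively) afterwards.
    $candidates = Get-ChildItem -LiteralPath $Root -Recurse -File -Force `
            -Filter "*$Extension" -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq $Extension }

    $results = @(foreach ($file in $candidates) {
        # Assumption: "report.docx.psr" is the duplicate of "report.docx".
        $original = Join-Path $file.DirectoryName $file.BaseName
        $row = [pscustomobject]@{
            Path        = $file.FullName
            Length      = $file.Length
            SHA256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            HasOriginal = (Test-Path -LiteralPath $original -PathType Leaf)
            Action      = 'Not deleted (dry run or declined)'
        }
        if (-not $row.HasOriginal) {
            # No intact original next to it: keep the file for manual review.
            $row.Action = 'Skipped (no original beside it)'
        }
        elseif ($PSCmdlet.ShouldProcess($file.FullName, 'Remove-Item')) {
            try {
                Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
                $row.Action = 'Deleted'
            } catch {
                # Locked or access-denied files are recorded instead of aborting the run.
                $row.Action = "Failed: $($_.Exception.Message)"
            }
        }
        $row
    })

    # Write the report even during -WhatIf, which would otherwise suppress Export-Csv too.
    $results | Export-Csv -LiteralPath $ReportPath -NoTypeInformation -WhatIf:$false
    $results
}

# Dry run first (constructed path); rerun without -WhatIf to delete.
Remove-EncryptedDuplicate -Root 'C:\Users\test\Documents' -WhatIf
```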
