GetQuarantine

Article summary

Did you find this summary helpful?

Thank you for your feedback

Available in VPC

Get suspected webshell files quarantined by the user.

Request

The following describes the request format for the endpoint. The request format is as follows:

Method	URI
GET	/quarantines

Request headers

For headers common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector headers.

Request query parameters

The following describes the parameters.

Field	Type	Required	Description
`pageIndex`	Integer	Required	Page number
`pageSize`	Integer	Required	Number of page outputs

Request example

The following is a sample request.

curl --location --request GET 'https://wbd.apigw.ntruss.com/api/v1/quarantines?pageIndex=0&pageSize=2' \
--header 'x-ncp-apigw-timestamp: {Timestamp}' \
--header 'x-ncp-iam-access-key: {Access Key}' \
--header 'x-ncp-apigw-signature-v2: {API Gateway Signature}' \
--header 'Content-Type: application/json' \
--header 'X-NCP-USE_PLATFORM_TYPE: VPC'

Response

The following describes the response format.

Response body

The following describes the response body.

Field	Type	Required	Description
`success`	Boolean	-	Request handling status
`code`	Integer	-	Response code
`message`	String	-	Response message
`result`	Array	-	List of suspicious files

`result`

The following describes result.

Field	Type	Required	Description
`suspicionFileId`	String	-	File ID
`detectionId`	String	-	Web shell behavior detection history ID
`hostName`	String	-	VM's host name
`osType`	String	-	VM's OS type
`fileOriginName`	String	-	File name
`quarantineFileName`	String	-	Name of the isolated file
`fileSize`	Integer	-	File size
`sha1`	String	-	File's SHA1 hash value
`privateIPofServer`	String	-	VM's private IP
`fileAuthority`	String	-	File's authority
`fileOwner`	String	-	File owner
`fileGroup`	String	-	File owner group
`accessTime`	Integer	-	File access date and time (timestamp)
`modifyTime`	Integer	-	File change date and time (timestamp)
`changeTime`	Integer	-	File modification date and time (timestamp)
`instanceNo`	String	-	VM's instance number
`hashScanResult`	String	-	Hash-based malware determination result `malware` \| `notMalware` `malware`: malicious `notMalware`: normal
`memo`	String	-	Notes
`memberNo`	Integer	-	Member ID for VM usage
`restoreTime`	Integer	-	File recovery date and time (timestamp)
`quarantineTime`	Integer	-	File quarantine date and time (timestamp)
`weight`	Integer	-	Score The higher the score, the more likely it is a webshell
`commandStatus`	String	-	Quarantine/recovery command handling status `restoring` \| `restored` \| `restoreFailed` \| `onQurantine` \| `quarantined` \| `quarantineFailed` `restoring`: recovering `restored`: recovery completed `restoreFailed`: recovery failed `onQurantine`: quarantine in progress `quarantined`: quarantine completed `quarantineFailed`: quarantine failed
`commandResult`	String	-	Detailed messages about the results of the quarantine/recovery command
`isRestore`	Boolean	-	Recovery status `true` \| `false` `true`: recovered `false`: not recovered
`isQuarantine`	Boolean	-	Quarantine status `true` \| `false` `true`: quarantined `false`: not quarantined
`isExcepted`	Boolean	-	Exception handling status `true` \| `false` `true`: exception handled `false`: exception not handled
`lastUpdatedTime`	Integer	-	Last detection history record date and time (timestamp)
`resultCode`	Integer	-	Quarantine/recovery command results code
`platform`	String	-	VM environment `VPC` \| `CLASSIC`
`serverName`	String	-	VM's server name
`containerName`	String	-	VM's container name
`k8sName`	String	-	Workload name Display valid values in Kubernetes environments
`k8sType`	String	-	Workload type for deployed pod Display valid values in Kubernetes environments
`podName`	String	-	Deployed pod name Display valid values in Kubernetes environments
`isDeleted`	Boolean	-	Deletion status of file `true` \| `false` `true`: deleted `false`: not deleted

Response status codes

For response status codes common to all Webshell Behavior Detector APIs, see Common Webshell Behavior Detector response status codes.

Response example

The following is a sample example.

{
    "success": true,
    "code": 0,
    "message": "success",
    "result": {
        "content": [
            {
                "suspicionFileId": "2024072409172700000036",
                "detectionId": "2024072409172700000036",
                "hostName": null,
                "osType": "WINDOWS",
                "fileOriginName": "{web-root-path}/{suspicious-object-name}",
                "quarantineFileName": "{web-root-path}/{quarantined-object-name}",
                "fileSize": 98,
                "sha1": "*******************************",
                "privateIPofServer": "***.***.***.***",
                "fileAuthority": "[{\"BUILTIN/Administrators\":\"(I)(F)\"},{\"BUILTIN/IIS_IUSRS\":\"(I)(RX)\"},{\"BUILTIN/Users\":\"(I)(RX)\"},{\"NT AUTHORITY/SYSTEM\":\"(I)(F)\"},{\"NT SERVICE/TrustedInstaller\":\"(I)(F)\"}]",
                "fileOwner": "S-1-5-32-544",
                "fileGroup": "S-1-5-32-544",
                "accessTime": 1721742837000,
                "modifyTime": 1721742837000,
                "changeTime": 1721742803000,
                "instanceNo": "23****68",
                "hashScanResult": "notMalware",
                "memo": null,
                "memberNo": 26***90,
                "restoreTime": 1722999457076,
                "quarantineTime": 1722999351039,
                "weight": 29,
                "commandStatus": "restored",
                "commandResult": "OK",
                "isRestore": true,
                "isQuarantine": true,
                "isExcepted": false,
                "lastUpdatedTime": 1722999457125,
                "resultCode": 0,
                "platform": "VPC",
                "serverName": "{servername}",
                "containerName": null,
                "k8sName": null,
                "k8sType": null,
                "podName": null,
                "isDeleted": false
            },
            {
                "suspicionFileId": "2024072323595800000443",
                "detectionId": "2024072323595700000436",
                "hostName": null,
                "osType": "WINDOWS",
                "fileOriginName": "{web-root-path}/{suspicious-object-name}",
                "quarantineFileName": "{web-root-path}/{quarantined-object-name}",
                "fileSize": 306,
                "sha1": "*******************************",
                "privateIPofServer": "***.***.***.***",
                "fileAuthority": "[{\"BUILTIN/Administrators\":\"(I)(F)\"},{\"BUILTIN/IIS_IUSRS\":\"(I)(RX)\"},{\"BUILTIN/Users\":\"(I)(RX)\"},{\"NT AUTHORITY/SYSTEM\":\"(I)(F)\"},{\"NT SERVICE/TrustedInstaller\":\"(I)(F)\"}]",
                "fileOwner": "S-1-5-32-544",
                "fileGroup": "S-1-5-32-544",
                "accessTime": 1721742550000,
                "modifyTime": 1721742550000,
                "changeTime": 1721742542000,
                "instanceNo": "25****97",
                "hashScanResult": "notMalware",
                "memo": null,
                "memberNo": 26***90,
                "restoreTime": 1722994883598,
                "quarantineTime": 1722994682859,
                "weight": 29,
                "commandStatus": "restored",
                "commandResult": "OK",
                "isRestore": true,
                "isQuarantine": true,
                "isExcepted": false,
                "lastUpdatedTime": 1722994883631,
                "resultCode": 0,
                "platform": "VPC",
                "serverName": "{servername}",
                "containerName": null,
                "k8sName": null,
                "k8sType": null,
                "podName": null,
                "isDeleted": false
            }
        ],
        "totalCount": 29,
        "pageSize": 2,
        "pageIndex": 0,
        "totalPages": 15
    }
}

Was this article helpful?

What's Next

RecoverQuarantine

Table of contents

Request
Response