Quarantine Files
The quarantine remediation option moves malicious files to a different location to prevent them from causing more harm to your environment.
Quarantine a file
You can quarantine a file automatically or manually.
Automatically quarantine
To automatically quarantine files, use the Anti-Malware section of a sensor policy.
In the sensor policy, in the Anti-Malware screen, in the Signatures mode section, select Quarantine. When Anti-Malware detects malware using signature-based analysis, the Cybereason platform automatically quarantines the offending file.
Manually quarantine from the Malop details screen
To quarantine a file from the Malop details screen:
Manually quarantine from the Malops management screen
To quarantine a file from the Malops management screen:
Quarantined file locations
When you quarantine a file, the Cybereason platform places the file in the following folder location:
Windows: C:\ProgramData\apv2\Quarantine
Mac: /usr/local/cybereason/Quarantine
Linux: /opt/cybereason/sensor/Quarantine
The Cybereason platform deletes quarantined files after 30 days. The cleanup is scheduled to run daily (every 24 hours) and on sensor startup.
Search for quarantined files
You can use the Quarantine File Element in the Investigation screen to search for currently quarantined files. If you identify a file that you want to unquarantine, click the Element from the results grid to display the Element details pane. From there, you can download the file or access the MalOp associated with the file.
Download a quarantined file
You can download a quarantined file without first removing the file from quarantine.
To download a currently quarantined file, search for the quarantined file, open the Element details pane, and select Download file.
During this action, the quarantined file remains encrypted in the quarantined folder and no changes are made to the file itself.
Remove a file from quarantine
You can unquarantine a file that was quarantined within the last 30 days. When you unquarantine a file, the Cybereason platform places the file back in its location at the time of quarantine. If the original folder does not exist, the Cybereason platform moves up the folder hierarchy until it finds an existing folder.
You unquarantine a file when responding to MalOps from the Malop details or Malops management screen.
You also have the option to add the file to the allowlist. This ensures that the unquarantined file will not trigger a MalOp in the future.
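The following added example (not Cybereason code) predicts, before you unquarantine, whether a file is still inside the 30-day window and which folder it is expected to be restored to when the original folder is gone. The names `plan_restore`, `nearest_existing_dir` and `RestorePlan` are hypothetical, the sample records are constructed, and the quarantine time is assumed to be supplied by the analyst from the console.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

RETENTION = timedelta(days=30)  # page: quarantined files are deleted after 30 days


@dataclass
class RestorePlan:
    original: Path
    eligible: bool               # still inside the 30-day unquarantine window
    target_dir: Optional[Path]   # folder the restored file is expected to land in
    relocated: bool              # True when that is not the original folder


def nearest_existing_dir(original: Path) -> Optional[Path]:
    """Walk up from the file's original folder until an existing folder is found."""
    for folder in original.parents:
        if folder.is_dir():
            return folder
    return None  # nothing on the path exists, e.g. the volume is gone


def plan_restore(original, quarantined_at: datetime,
                 now: Optional[datetime] = None) -> RestorePlan:
    """Predict the outcome of unquarantining one file (hypothetical helper)."""
    original = Path(original)
    now = now or datetime.now(timezone.utc)
    # Assumption: a file is treated as expired once 30 full days have passed.
    if now - quarantined_at >= RETENTION:
        return RestorePlan(original, False, None, False)
    target = nearest_existing_dir(original)
    return RestorePlan(original, True, target, target != original.parent)


if __name__ == "__main__":
    # Constructed sample records: (original path, quarantine time in UTC).
    now = datetime.now(timezone.utc)
    samples = [
        (Path.home() / "no-such-dir" / "tmp" / "invoice.exe", now - timedelta(days=3)),
        (Path.home() / "setup.exe", now - timedelta(days=45)),
    ]
    for path, when in samples:
        print(plan_restore(path, when, now))
```

A plan with `relocated` set to True tells the responder to look for the restored file in `target_dir` rather than in its original folder.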
Unquarantine from the MalOp details screen
To unquarantine a file from the Malop details screen, follow these steps:
1. In the Malop details screen for a specific MalOp, click Respond and select Unquarantine.
2. In the Respond window, select the Unquarantine check box for the file(s) you want to remove from quarantine.
3. (Optional) To add the unquarantined file to the allowlist, select the Unquarantine the file and add it to the allowlist check box.
4. Click Apply response.
Unquarantine from the Malops management screen
To unquarantine a file from the Malops management screen, follow these steps:
1. Select the check box next to the MalOp or MalOps whose associated file or files you want to remove from quarantine.
2. Click Respond.
3. Select Malop is malicious - Remediate.
4. In the Respond window, select the Unquarantine check box for the file(s) you want to remove from quarantine.
5. (Optional) To add the unquarantined file to the allowlist, select the Unquarantine the file and add it to the allowlist check box.
6. Click Apply response.