Quarantine Files

The quarantine remediation option moves malicious files to a different location to prevent them from causing more harm to your environment.

Quarantine a file

You can quarantine a file automatically or manually.

Automatically quarantine

To automatically quarantine files, use the Anti-Malware section of a sensor policy.

In the sensor policy, in the Anti-Malware screen, in the Signatures mode section, select Quarantine. When Anti-Malware detects malware using signature-based analysis, the Cybereason platform automatically quarantines the offending file.

Manually quarantine from the Malop details screen

To quarantine a file from the Malop details screen:

  1. From a specific MalOp's Malop details screen, click Respond and select Quarantine.

  2. In the Respond window, select the Quarantine check box for the file(s) you want to quarantine.

  3. Click Apply response.

Manually quarantine from the Malops management screen

To quarantine a file from the Malops management screen:

  1. Select the check box next to the MalOp or MalOps whose associated file or files you want to quarantine.

  2. Click Respond.

  3. Select Malop is malicious - Remediate.

  4. In the Respond window, select the Quarantine check box for the file(s) you want to quarantine.

  5. Click Apply response.

Quarantined file locations

When you quarantine a file, the Cybereason platform places the file in the following folder location:

  • Windows: C:\ProgramData\apv2\Quarantine

  • Mac: /usr/local/cybereason/Quarantine

  • Linux: /opt/cybereason/sensor/Quarantine

The Cybereason platform deletes quarantined files after 30 days. The cleanup is scheduled to run daily (every 24 hours) and on sensor startup.

Search for quarantined files

You can use the Quarantine File Element in the Investigation screen to search for currently quarantined files. If you identify a file that you want to unquarantine, click the Element from the results grid to display the Element details pane. From there, you can download the file or access the MalOp associated with the file.

Beginning in version 23.2.148, you can also view all quarantined files in the Quarantined Files screen.

Note

This screen is disabled by default. Contact your Customer Success Manager to request access to this screen.

Quarantined Files screen

This screen displays the full list of the files, along with the details about these quarantined files. Select different columns to show a variety of information about quarantined files.

From this screen, you can search for a specific quarantined file by Original file name, Original file path, Original File SHA-1/MD5 file hash value, or Machine name.

Likewise, you can filter the list of quarantined files to view files associated with a MalOp, files from online machines, and files that are from machines of different operating system types.

Download a quarantined file

You can download a quarantined file without first removing the file from quarantine.

To download a currently quarantined file, search for the quarantined file, open the Element details pane, and select Download file.

During this action, the quarantined file remains encrypted in the quarantine folder and no changes are made to the file itself.

Remove a file from quarantine

You can unquarantine a file that was quarantined within the last 30 days. When you unquarantine a file, the Cybereason platform places the file back in the location it had at the time of quarantine. If the original folder no longer exists, the Cybereason platform moves up the folder hierarchy until it finds an existing folder.

You unquarantine a file when responding to MalOps from the Malop details or Malops management screen.

You also have the option to add the file to the allowlist. This ensures that the unquarantined file will not trigger a MalOp in the future.

Unquarantine from the MalOp details screen

To unquarantine a file from the Malop details screen, follow these steps:

  1. In a specific MalOp's Malop details screen, click Respond and select Unquarantine.

  2. In the Respond window, select the Unquarantine check box for the file(s) you want to remove from quarantine.

  3. (Optional) To add the unquarantined file to the allowlist, select the Unquarantine the file and add it to the allowlist check box.

  4. Click Apply response.

Unquarantine from the Malops management screen

To unquarantine a file from the Malops management screen, follow these steps:

  1. Select the check box next to the MalOp or MalOps whose associated file or files you want to remove from quarantine.

  2. Click Respond.

  3. Select Malop is malicious - Remediate.

  4. In the Respond window, select the Unquarantine check box for the file(s) you want to remove from quarantine.

  5. (Optional) To add the unquarantined file to the allowlist, select the Unquarantine the file and add it to the allowlist check box.

  6. Click Apply response.

Unquarantine a file from the Quarantined Files screen

Note

This screen is disabled by default. Contact your Customer Success Manager to request access to this screen.

In versions 23.2.148 and later, you can unquarantine files from the Quarantined Files screen. You can select one or more files to unquarantine, which lets you address these files more efficiently than navigating into each individual MalOp to remove files from quarantine.

To unquarantine a file from the Quarantined Files screen, follow these steps:

  1. In the Quarantined Files screen, select the file or files to remove from quarantine.

    Note

    You can select up to 5000 files in a single unquarantine operation.

  2. Above the list of files, click Unquarantine.

The selected files are removed from quarantine. The Quarantined Files screen displays the Unquarantined status for these files. However, if you refresh the list, the Cybereason platform removes the selected files from the screen.

If you see the Failed to quarantine status for any files, retry the unquarantine operation later, when the corresponding machine is online and connected to the Cybereason platform. You can only remove a file from quarantine if the machine is online.