Manage Quarantined Files

When the Cortex XDR agent detects malware on a Windows endpoint, you can take additional precautions to quarantine the file. When the Cortex XDR agent quarantines malware, it moves the file from its location on a local or removable drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine) where it isolates the file. This prevents the file from attempting to run again from the same path or causing any harm to your endpoints.
To evaluate whether an executable file is considered malicious, the Cortex XDR agent calculates a verdict using information from the following sources in order of priority:
  • Hash exception policy
  • WildFire threat intelligence
  • Local analysis
Quarantining a file in Cortex XDR can be done in one of two ways:
  • You can enable the Cortex XDR agent to automatically quarantine malicious executables by configuring quarantine settings in the Malware security profile.
  • You can quarantine a specific file from the causality card.
  1. View the quarantined files in your network.
    Navigate to Response > Action Center > Quarantine. Toggle between the DETAILED and AGGREGATED BY SHA256 views to display information on your quarantined files.
  2. Review details about quarantined files.
    In the Detailed view, filter and review the Endpoint Name, Domain, File Path, Quarantine Source, and Quarantine Date of all the quarantined files.
    • Right-click one or more rows and select Restore all files by SHA256 to reinstate the selected files. This restores all files with the same hash on all of your endpoints.
    • In the Hash field, right-click to:
      • Open in VirusTotal: review the quarantined file inspection results on VirusTotal. You will be redirected in a new browser tab to the VirusTotal site, where you can view all analysis details on the selected quarantined file.
    • Export to file: export a detailed list of the quarantined hashes in TSV format.
    In the Aggregated by SHA256 view, filter and review the Hash, File Name, File Path, and Scope of all the quarantined files.
    • Right-click a row and select Additional Data to open the Quarantine Details page, which lists the Endpoint Name, Domain, File Path, Quarantine Source, and Quarantine Date of a specific file hash.
    • Right-click and select Restore to reinstate one or more of the selected file hashes.
    • In the Hash field, right-click to:
      • Open in VirusTotal: review the quarantined file inspection results on VirusTotal. You will be redirected in a new browser tab to the VirusTotal site, where you can view all analysis details on the selected quarantined file.
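The Detailed and Aggregated by SHA256 views show the same quarantine records at two granularities, and Restore all files by SHA256 acts on every endpoint that holds that hash. The following Python is an added example, not code from the Cortex XDR product or its documentation: it parses a constructed TSV in the shape of an Export to file output (the column names are assumed from the Detailed view's fields and may not match the real export), rebuilds the aggregated view with a Scope count per hash, and previews which endpoint and path pairs a restore by SHA256 would reinstate, so the reach of a restore can be checked before it is issued. Hash values and endpoint names are constructed placeholders.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Assumed header names, modelled on the fields the Detailed view displays.
HEADERS = ["Endpoint Name", "Domain", "File Path", "Quarantine Source", "Quarantine Date", "Hash"]

# Constructed placeholder SHA256 values (not real samples).
HASH_A = "a" * 64
HASH_B = "b" * 64

# Constructed rows: two endpoints quarantined the same hash, one of them with an
# upper-case hash string, plus one unrelated file quarantined from a causality card.
SAMPLE_ROWS = [
    ("WS-001", "corp.example", r"C:\Users\alice\Downloads\invoice.exe", "Malware Profile", "2024-03-01 10:02:11", HASH_A),
    ("WS-002", "corp.example", r"C:\Users\bob\Downloads\invoice.exe", "Malware Profile", "2024-03-01 10:05:40", HASH_A.upper()),
    ("WS-001", "corp.example", r"E:\tools\update.exe", "Causality Card", "2024-03-02 08:30:00", HASH_B),
]
SAMPLE_TSV = "\n".join(["\t".join(HEADERS)] + ["\t".join(r) for r in SAMPLE_ROWS]) + "\n"


def parse_export(text):
    """Parse a TSV export into dicts keyed by column name, normalising hashes to lower case."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for row in reader:
        row["Hash"] = row["Hash"].strip().lower()
        rows.append(row)
    return rows


def aggregate_by_sha256(rows):
    """Rebuild the Aggregated by SHA256 view: file names, paths and scope (distinct endpoints) per hash."""
    agg = defaultdict(lambda: {"file_names": set(), "file_paths": set(), "endpoints": set()})
    for row in rows:
        entry = agg[row["Hash"]]
        # ntpath handles Windows paths correctly even when this runs on a non-Windows host.
        entry["file_names"].add(ntpath.basename(row["File Path"]))
        entry["file_paths"].add(row["File Path"])
        entry["endpoints"].add(row["Endpoint Name"])
    return {
        h: {
            "file_names": sorted(e["file_names"]),
            "file_paths": sorted(e["file_paths"]),
            "endpoints": sorted(e["endpoints"]),
            "scope": len(e["endpoints"]),
        }
        for h, e in agg.items()
    }


def restore_scope(rows, sha256):
    """Return the (endpoint, path) pairs that Restore all files by SHA256 would reinstate."""
    wanted = sha256.strip().lower()
    return sorted((r["Endpoint Name"], r["File Path"]) for r in rows if r["Hash"] == wanted)


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_TSV)
    for digest, entry in aggregate_by_sha256(parsed).items():
        print(f"{digest[:12]}... scope={entry['scope']} names={entry['file_names']}")
    print("restore of HASH_A would touch:", restore_scope(parsed, HASH_A))
```

Check the scope value before issuing Restore all files by SHA256: a hash with a scope of many endpoints means the restore reinstates the file on every one of them, not only on the endpoint whose row you selected.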
