Manage Quarantined Files
You can review and manage all files that have been quarantined by the Cortex XDR agent due to a security incident.

When the Cortex XDR agent detects malware on a Windows endpoint, you can take additional precautions to quarantine the file. When the Cortex XDR agent quarantines malware, it moves the file from its location on a local or removable drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine) where it isolates the file. This prevents the file from attempting to run again from the same path or causing any harm to your endpoints.

To evaluate whether an executable file is considered malicious, the Cortex XDR agent calculates a verdict using information from the following sources, in order of priority:
- Hash exception policy
- WildFire threat intelligence
- Local analysis

Quarantining a file in Cortex XDR can be done in one of two ways:
- Enable the Cortex XDR agent to automatically quarantine malicious executables by configuring quarantine settings in the Malware security profile.
- Right-click a specific file from the causality card and select Quarantine.

To view and manage quarantined files:
- View the quarantined files in your network. Navigate to Incident Response > Response > Action Center > File Quarantine. Toggle between the DETAILED and AGGREGATED BY SHA256 views to display information on your quarantined files.
- Review details about quarantined files.
  In the Detailed view, filter and review the Endpoint Name, Domain, File Path, Quarantine Source, and Quarantine Date of all the quarantined files.
  - Right-click one or more rows and select Restore all files by SHA256 to reinstate the selected files. This restores all files with the same hash on all of your endpoints.
  - In the Hash field, right-click to:
    - Open in VirusTotal: review the quarantined file inspection results on VirusTotal. You are redirected in a new browser tab to the VirusTotal site, where you can view all analysis details on the selected quarantined file.
    - Open Hash View: drill down on each of the process executions, file operations, incidents, actions, and threat intelligence reports relating to the hash.
    - Open in Quick Launcher: search for where the hash value appears in Cortex XDR.
  - Export to file a detailed list of the quarantined hashes in TSV format.
  In the Aggregated by SHA256 view, filter and review the Hash, File Name, File Path, and Scope of all the quarantined files.
  - Right-click a row and select Additional Data to open the Quarantine Details page, which lists the Endpoint Name, Domain, File Path, Quarantine Source, and Quarantine Date of a specific file hash.
  - Right-click and select Restore to reinstate one or more of the selected file hashes.
  - Right-click and select Delete all files by SHA256 to permanently delete the quarantined files on the endpoint.
  - In the Hash field, right-click to:
    - Open in VirusTotal: review the quarantined file inspection results on VirusTotal. You are redirected in a new browser tab to the VirusTotal site, where you can view all analysis details on the selected quarantined file.
    - Open Hash View: drill down on each of the process executions, file operations, incidents, actions, and threat intelligence reports relating to the hash.
    - Open in Quick Launcher: search for where the hash value appears in Cortex XDR.
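The Detailed and Aggregated by SHA256 views are two projections of the same quarantine records: one row per quarantined copy versus one row per hash. The Python script below is an added example, not code shipped with Cortex XDR, showing how to derive the per-hash view offline from a Detailed-view TSV export, so that a hash quarantined on many endpoints can be spotted before deciding whether to restore or delete it by SHA256. The export's column layout, the Quarantine Source values, and the meaning of Scope (taken here as the number of distinct endpoints) are assumptions; the sample rows are constructed.

```python
import csv
import hashlib
import io
import ntpath
import re
from typing import Dict, List

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Hashes for the constructed sample rows, derived from fixed strings so the
# values are stable. They do not correspond to any real file.
HASH_A = hashlib.sha256(b"constructed sample A").hexdigest()
HASH_B = hashlib.sha256(b"constructed sample B").hexdigest()

# Assumed export layout: the Detailed-view fields plus the file hash.
COLUMNS = ["Endpoint Name", "Domain", "File Path", "Quarantine Source",
           "Quarantine Date", "Hash"]

# Constructed sample rows (the Quarantine Source values are placeholders).
_SAMPLE_ROWS = [
    ("WS-001", "corp.example", r"C:\Users\alice\Downloads\invoice.exe",
     "Malware profile", "2024-03-01 09:12:00", HASH_A),
    ("WS-002", "corp.example", r"C:\Users\bob\Downloads\invoice.exe",
     "Malware profile", "2024-03-01 09:40:00", HASH_A),
    ("WS-002", "corp.example", r"E:\tools\update.exe",
     "Manual", "2024-03-02 14:05:00", HASH_B),
    # Same file again, hash exported in upper case: must collapse into HASH_A.
    ("WS-003", "corp.example", r"C:\Temp\invoice.exe",
     "Malware profile", "2024-03-02 16:30:00", HASH_A.upper()),
    # Malformed hash column: parser drops this row rather than mis-grouping it.
    ("WS-004", "corp.example", r"C:\Temp\bad.exe",
     "Manual", "2024-03-03 08:00:00", "not-a-sha256"),
]
SAMPLE_EXPORT = "\n".join(["\t".join(COLUMNS)] +
                          ["\t".join(r) for r in _SAMPLE_ROWS]) + "\n"


def parse_detailed_export(tsv_text: str) -> List[Dict[str, str]]:
    """Parse a Detailed-view TSV export, normalising hashes to lower-case hex
    and discarding rows whose Hash column is not a SHA256."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    rows = []
    for row in reader:
        digest = (row.get("Hash") or "").strip().lower()
        if not SHA256_RE.match(digest):
            continue
        row["Hash"] = digest
        rows.append(row)
    return rows


def aggregate_by_sha256(rows: List[Dict[str, str]]) -> Dict[str, dict]:
    """Group Detailed-view rows by hash, mirroring the Aggregated by SHA256 view.
    Scope is taken as the number of distinct endpoints holding a copy (an
    assumption about what the console's Scope column counts)."""
    agg: Dict[str, dict] = {}
    for row in rows:
        entry = agg.setdefault(row["Hash"], {
            "File Names": set(), "File Paths": set(), "Endpoints": set(),
            "Sources": set(),
            "First Seen": row["Quarantine Date"],
            "Last Seen": row["Quarantine Date"],
        })
        entry["File Names"].add(ntpath.basename(row["File Path"]))
        entry["File Paths"].add(row["File Path"])
        entry["Endpoints"].add(row["Endpoint Name"])
        entry["Sources"].add(row["Quarantine Source"])
        # Dates are ISO-style strings, so string comparison orders them.
        entry["First Seen"] = min(entry["First Seen"], row["Quarantine Date"])
        entry["Last Seen"] = max(entry["Last Seen"], row["Quarantine Date"])
    for entry in agg.values():
        entry["Scope"] = len(entry["Endpoints"])
    return agg


def widespread_hashes(agg: Dict[str, dict], min_scope: int = 2) -> List[str]:
    """Hashes quarantined on at least min_scope endpoints, widest first.
    These are the ones where a Restore or Delete by SHA256 has fleet-wide effect."""
    return sorted((h for h, e in agg.items() if e["Scope"] >= min_scope),
                  key=lambda h: (-agg[h]["Scope"], h))


if __name__ == "__main__":
    summary = aggregate_by_sha256(parse_detailed_export(SAMPLE_EXPORT))
    for digest in widespread_hashes(summary):
        e = summary[digest]
        print(f"{digest[:12]}... scope={e['Scope']} names={sorted(e['File Names'])} "
              f"first={e['First Seen']} last={e['Last Seen']}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; because the grouping key is the normalised hash rather than the file name or path, renamed copies of the same executable on different endpoints land in one entry, which is exactly the set a Restore all files by SHA256 or Delete all files by SHA256 action would touch.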