Manage Quarantined Files
Learn how to work with quarantined files.
SaaS Security web interface displays assets
that were automatically quarantined by
a policy rule or manually quarantined by
an administrator. Depending on the cloud app and your admin role permissions,
you can take actions on the quarantined file.
Specific
cloud apps support all quarantine features while
others do not.
Filter Quarantined Files
When you view assets, you invariably need
to filter the list and narrow the results to meet your audit needs.
- Select to view a list of assets that have been quarantined.
- Use the search facets provided.
- Date—Time frame when the quarantine successfully occurred. For example: past week, past month, past year. You can also set a specific date or set a custom date range.PendingandFailedquarantines do not have timestamps; therefore, when sorted by date, failed quarantines displays at the bottom of the sort results.
- Cloud App—List of applications for which the quarantine occurred. For example, Box.
- Rule—Policy rule that caused the asset to be quarantined.
- Search—Tool to find an item using part of the filename, part of the asset owner’s name or email address, or part of a report name.
- Status—Tool to provide status on the asset throughout the quarantine process.
- (Optional) Export this data to a CSV file to review the quarantined assets offline.
Take Action on Quarantined Files
Depending on the cloud app and your admin role permissions,
you can restore, delete, or download a quarantined file. These actions
display for the quarantined asset, not the tombstone.
- Select to view a list of assets that have been quarantined.
- Initiate actions on the file.
- Download—Immediately compresses the file (.zip), downloads the file to your local drive, then displays a decrypt password. Use the password to open and inspect the file.
- Restore—Moves (returns) the asset to the owner’s original location.
- Delete—Permanently deletes the asset. You cannot restore after deletion, and you will not be prompted to confirm your choice. Download the file to inspect the file before you delete it. When successful, returns aThe File is Queued for Deletionmessage.
Verify Quarantine Permissions
To manage a quarantined asset, an administrator
must have a role with the required quarantine permissions. You can
assign the administrator a predefined role with
quarantine permissions; there are a few roles that provide the permissions
to all quarantine actions (for example,
Incident Management Admin
).
However, if your organization set up custom roles, verify that the
quarantine permissions are assigned to the intended role or assign
a different role to the administrator.- Select .
- Click on the role assigned to the administrator.
- Observe the permissions listed for this role.
View Quarantine Status
When an administrator quarantines an asset,
SaaS Security web interface displays the status of that asset throughout
the quarantine process. For data protection purposes, if there’s
a quarantine failure, resolve the issue immediately.
To provide
the high user experience to which you’ve become accustomed, SaaS
Security web interface informs you when your cloud app quarantines
an asset.
- Select .
- (Optional) Filter by status.
- Move your cursor overStatusfor the asset to display a summary explanation.
- Success—Asset is quarantined.
- Pending—Asset is not yet in quarantine and is in progress until quarantine successfully completes or fails.
- Failed—Asset could not be quarantined.
Due to the underlying differences between cloud apps, some cloud apps require detailed explanations and resolutions.
Files Unavailable To SaaS Security API
When a file on your cloud app is unavailable to SaaS Security
API, a message displays in the SaaS Security web interface for
Malware
Status
: File Unavailable:This file is no longer accessible on the Cloud App
.If your cloud app (for example, Office
365) quarantines a file, for example, that file becomes unavailable
to third parties, including SaaS Security API; as a result, SaaS
Security API is unable to perform
some
remediation (for example, Restore
)
and assessment actions (for example, View Snippets
). SaaS Security API needs the file to be available—from discovery
to remediation. When SaaS Security API discovers a file, it immediately
adds the file’s metadata to the
Assets
page.
Within a short period of time, SaaS Security API begins to copy
the file’s contents. Afterward, SaaS Security API:- Downloads a copy of the file and sends it to WildFire for analysis, verdict, and incident creation if malware is detected.
- Performs DLP analysis and pattern matching.
- Manually or automatically quarantines the file based on policies, creating a tombstone.
For optimal performance, the initial copy of your file resides
on SaaS Security API for a specific period of time: the copy isn’t
permanent. After the file expiration period, SaaS Security API downloads
a new copy from your cloud app as necessary to make it available
for assessment and remediation. Throughout this process, the file
needs to be available and unrestricted; when it isn’t, you must
perform some remediation actions and assessment from the cloud app
directly.
Customize Tombstone Messages
When you quarantine an
asset, SaaS Security API creates a tombstone that
contains a simple
Quarantine Message
to explain
that the asset is quarantined. You can customize this quarantine
message.
- Select .
- Change the message to meet your needs.
