Manage Quarantined Files

Learn how to work with quarantined files.
SaaS Security web interface displays assets that were automatically quarantined by a policy rule or manually quarantined by an administrator. Depending on the cloud app and your admin role permissions, you can take actions on the quarantined file.
Specific cloud apps support all quarantine features while others do not.

Filter Quarantined Files

When you view assets, you invariably need to filter the list and narrow the results to meet your audit needs.
  1. Select
    to view a list of assets that have been quarantined.
  2. Use the search facets provided.
    • Date
      —Time frame when the quarantine successfully occurred. For example: past week, past month, past year. You can also set a specific date or set a custom date range.
      quarantines do not have timestamps; therefore, when sorted by date, failed quarantines displays at the bottom of the sort results.
    • Cloud App
      —List of applications for which the quarantine occurred. For example, Box.
    • Rule
      —Policy rule that caused the asset to be quarantined.
    • Search
      —Tool to find an item using part of the filename, part of the asset owner’s name or email address, or part of a report name.
    • Status
      —Tool to provide status on the asset throughout the quarantine process.
  3. (
    ) Export this data to a CSV file to review the quarantined assets offline.

Take Action on Quarantined Files

Depending on the cloud app and your admin role permissions, you can restore, delete, or download a quarantined file. These actions display for the quarantined asset, not the tombstone.
  1. Select
    to view a list of assets that have been quarantined.
  2. Initiate actions on the file.
    • Download
      —Immediately compresses the file (
      ), downloads the file to your local drive, then displays a decrypt password. Use the password to open and inspect the file.
    • Restore
      —Moves (returns) the asset to the owner’s original location.
    • Delete
      —Permanently deletes the asset. You cannot restore after deletion, and you will not be prompted to confirm your choice. Download the file to inspect the file before you delete it. When successful, returns a
      The File is Queued for Deletion

Verify Quarantine Permissions

To manage a quarantined asset, an administrator must have a role with the required quarantine permissions. You can assign the administrator a predefined role with quarantine permissions; there are a few roles that provide the permissions to all quarantine actions (for example,
Incident Management Admin
). However, if your organization set up custom roles, verify that the quarantine permissions are assigned to the intended role or assign a different role to the administrator.
  1. Select
  2. Click on the role assigned to the administrator.
  3. Observe the permissions listed for this role.

View Quarantine Status

When an administrator quarantines an asset, SaaS Security web interface displays the status of that asset throughout the quarantine process. For data protection purposes, if there’s a quarantine failure, resolve the issue immediately.
To provide the high user experience to which you’ve become accustomed, SaaS Security web interface informs you when your cloud app quarantines an asset.
  1. Select
  2. (
    ) Filter by status.
  3. Move your cursor over
    for the asset to display a summary explanation.
    • Success
      —Asset is quarantined.
    • Pending
      —Asset is not yet in quarantine and is in progress until quarantine successfully completes or fails.
    • Failed
      —Asset could not be quarantined.
    Due to the underlying differences between cloud apps, some cloud apps require detailed explanations and resolutions.

Files Unavailable To SaaS Security API

When a file on your cloud app is unavailable to SaaS Security API, a message displays in the SaaS Security web interface for
Malware Status
: File Unavailable:
This file is no longer accessible on the Cloud App
If your cloud app (for example, Office 365) quarantines a file, for example, that file becomes unavailable to third parties, including SaaS Security API; as a result, SaaS Security API is unable to perform
remediation (for example,
) and assessment actions (for example,
View Snippets
SaaS Security API needs the file to be available—from discovery to remediation. When SaaS Security API discovers a file, it immediately adds the file’s metadata to the
page. Within a short period of time, SaaS Security API begins to copy the file’s contents. Afterward, SaaS Security API:
  • Downloads a copy of the file and sends it to WildFire for analysis, verdict, and incident creation if malware is detected.
  • Performs DLP analysis and pattern matching.
  • Manually or automatically quarantines the file based on policies, creating a tombstone.
For optimal performance, the initial copy of your file resides on SaaS Security API for a specific period of time: the copy isn’t permanent. After the file expiration period, SaaS Security API downloads a new copy from your cloud app as necessary to make it available for assessment and remediation. Throughout this process, the file needs to be available and unrestricted; when it isn’t, you must perform some remediation actions and assessment from the cloud app directly.

Customize Tombstone Messages

When you quarantine an asset, SaaS Security API creates a tombstone that contains a simple
Quarantine Message
to explain that the asset is quarantined. You can customize this quarantine message.
  1. Select
    General Settings
    Tombstoned Files
  2. Change the message to meet your needs.

Recommended For You