Restore a Quarantined File Using Cytool

If a quarantined file turns out not to be malware, you can restore it using the ESM Console or by using Cytool from the endpoint.
Use the cytool quarantine list command to view details about all quarantined files on the endpoint. To restore a file to its original location, use the cytool quarantine restore <guid> command. To restore a file to a new location, use the cytool quarantine restore <guid> <filepath> command.
To view details of quarantined files and to restore them, you must enter the supervisor (uninstall) password when prompted.
Using Cytool, you can restore a file to any non-network writable file system, including NTFS, ExFAT, FAT32, FAT16, and ReFS.
  1. Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
  2. To view all files that Traps has quarantined on the endpoint, use the following command:
    C:\Program Files\Palo Alto Networks\Traps>cytool quarantine list
    The following example displays output for using cytool to query for all quarantined files.
    c:\Program Files\Palo Alto Networks\Traps>cytool quarantine list
    Enter supervisor password:
    Guid                                  State        Date/Time                                Path
    c92e84c0-1770-40d5-b5b8-544d02381ea6  Quarantined  Thursday, August 18, 2016, 14:40:21 PM  C:\Malware\malware1.exe
  3. To restore a quarantined file, use the following command:
    C:\Program Files\Palo Alto Networks\Traps>cytool quarantine restore <guid> <filepath>
    where <guid> is the unique identifier of the file. If you want to restore the executable file to its original location, leave the <filepath> blank. Otherwise, enter the location (including the filename) to which you want to restore the executable file.
    The following example displays output for using cytool to restore the malware1.exe file to an alternate location.
    C:\Program Files\Palo Alto Networks\Traps>cytool quarantine restore c92e84c0-1770-40d5-b5b8-544d02381ea6 C:\myfolder\not-malware.exe
    Enter supervisor password:
    Restored prevention c92e84c0-1770-40d5-b5b8-544d02381ea6 to C:\myfolder\not-malware.exe
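
The following PowerShell pre-flight check is an added example, not part of the Traps documentation or tooling: it parses saved cytool quarantine list output, confirms the GUID is present and in the Quarantined state, and rejects network or already-existing restore targets before printing the restore command to run. The function names, the one-line-per-entry output layout, the refusal to overwrite an existing file, and the quoting of the destination path are assumptions of this example.

```powershell
# Added example: checks to run before "cytool quarantine restore".
# Assumption: each entry in the list output is a single line of the form
#   <guid> <state> <date/time ending in AM|PM> <path>
# $listOutput is constructed from the sample output shown on this page.
$listOutput = @'
Guid State Date/Time Path
c92e84c0-1770-40d5-b5b8-544d02381ea6 Quarantined Thursday, August 18, 2016, 14:40:21 PM C:\Malware\malware1.exe
'@

function Get-QuarantineEntry {
    # Turns each entry line into an object; header and prompt lines do not match.
    param([string]$Text)
    $pattern = '^(?<Guid>[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})\s+(?<State>\S+)\s+(?<When>.+?\s[AP]M)\s+(?<Path>.+)$'
    foreach ($line in $Text -split '\r?\n') {
        if ($line.Trim() -match $pattern) {
            [pscustomobject]@{
                Guid  = $Matches.Guid
                State = $Matches.State
                When  = $Matches.When
                Path  = $Matches.Path.Trim()
            }
        }
    }
}

function Test-RestoreTarget {
    # $true only for a drive-rooted path on a ready, non-network drive.
    param([string]$Path)
    if ($Path -match '^\\\\') { return $false }            # UNC share
    if ($Path -notmatch '^[A-Za-z]:\\') { return $false }  # relative or malformed
    $drive = [System.IO.DriveInfo]::new($Path.Substring(0, 1))
    return ($drive.DriveType -ne [System.IO.DriveType]::Network) -and $drive.IsReady
}

function Get-RestoreCommand {
    param([string]$Guid, [string]$Destination)
    $entry = Get-QuarantineEntry -Text $listOutput | Where-Object Guid -eq $Guid
    if (-not $entry) { throw "No quarantine entry with GUID $Guid" }
    if ($entry.State -ne 'Quarantined') { throw "Entry $Guid is in state $($entry.State)" }
    if (-not $Destination) { return "cytool quarantine restore $Guid" }  # original location
    if (-not (Test-RestoreTarget $Destination)) { throw "Not a local, ready drive: $Destination" }
    # Policy of this example: never restore on top of an existing file.
    if (Test-Path -LiteralPath $Destination) { throw "Refusing to overwrite $Destination" }
    return "cytool quarantine restore $Guid `"$Destination`""   # quoting is an assumption
}

Get-RestoreCommand -Guid 'c92e84c0-1770-40d5-b5b8-544d02381ea6' -Destination 'C:\myfolder\not-malware.exe'
```

Cytool still prompts for the supervisor password when the printed command is run from the Traps folder.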
