Restore a Quarantined File Using Cytool
If a quarantined file turns out not to be malware, you can restore it using the ESM Console or by using Cytool from the endpoint.
Use the cytool quarantine list command to view details about all quarantined files on the endpoint. To restore a file to its original location, use the cytool quarantine restore <guid> command. To restore a file to a new location, use the cytool quarantine restore <guid> <filepath> command.
To view quarantine details and restore quarantined files, you must enter the supervisor (uninstall) password when prompted.
Using Cytool, you can restore a file to any non-network writable file system, including NTFS, ExFAT, FAT32, FAT16, and ReFS.
- Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
- To view all files that Traps has quarantined on the endpoint, use the following command:
    C:\Program Files\Palo Alto Networks\Traps>cytool quarantine list
  The following example displays output for using cytool to query for all quarantined files.
    c:\Program Files\Palo Alto Networks\Traps>cytool quarantine list
    Enter supervisor password:
    Guid                                  State        Date/Time                               Path
    c92e84c0-1770-40d5-b5b8-544d02381ea6  Quarantined  Thursday, August 18, 2016, 14:40:21 PM  C:\Malware\malware1.exe
- To restore a quarantined file, use the following command:
    C:\Program Files\Palo Alto Networks\Traps>cytool quarantine restore <guid> <filepath>
  where <guid> is the unique identifier of the file. If you want to restore the executable file to its original location, leave the <filepath> blank. Otherwise, enter the location, including the filename, to which you want to restore the executable file.
  The following example displays output for using cytool to restore the malware1.exe file to an alternate location.
    C:\Program Files\Palo Alto Networks\Traps>cytool quarantine restore c92e84c0-1770-40d5-b5b8-544d02381ea6 C:\myfolder\not-malware.exe
    Enter supervisor password:
    Restored prevention c92e84c0-1770-40d5-b5b8-544d02381ea6 to C:\myfolder\not-malware.exe
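The following Python sketch is an added example, not part of the Traps documentation: it parses captured cytool quarantine list output, looks up the GUID for a given original path, and builds the matching restore command, rejecting destinations that are not a full local path with a filename. The column spacing of the sample, the function names and the quoting of paths that contain spaces are assumptions.

```python
import re
from ntpath import basename, splitdrive  # Windows path rules on any OS

# Constructed sample modelled on the output shown above; column spacing is assumed.
SAMPLE = """\
Enter supervisor password:
Guid                                  State        Date/Time                               Path
c92e84c0-1770-40d5-b5b8-544d02381ea6  Quarantined  Thursday, August 18, 2016, 14:40:21 PM  C:\\Malware\\malware1.exe
"""

# GUID, state, then date/time up to the first drive-letter path (paths may contain spaces).
ROW = re.compile(
    r"^(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\s+"
    r"(?P<state>\S+)\s+"
    r"(?P<when>.+?)\s+"
    r"(?P<path>[A-Za-z]:\\.*)$"
)

def parse_quarantine_list(text):
    """Return one dict per quarantined-file row; prompt and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({k: v.strip() for k, v in m.groupdict().items()})
    return rows

def restore_command(rows, original_path, dest=None):
    """Build the restore command for the single entry quarantined from original_path."""
    hits = [r for r in rows if r["path"].lower() == original_path.lower()]
    if len(hits) != 1:
        raise LookupError(f"expected one entry for {original_path}, found {len(hits)}")
    cmd = f"cytool quarantine restore {hits[0]['guid']}"
    if dest is None:
        return cmd  # <filepath> left blank: restore to the original location
    drive, rest = splitdrive(dest)
    # A drive letter rules out UNC paths (\\server\share\...); a mapped network
    # drive cannot be told apart from a local one by its string alone.
    if not re.fullmatch(r"[A-Za-z]:", drive) or not rest.startswith("\\") or not basename(rest):
        raise ValueError(f"destination must be a full local path with a filename: {dest}")
    if " " in dest:
        dest = f'"{dest}"'  # assumed: usual command-prompt quoting for spaces
    return f"{cmd} {dest}"

if __name__ == "__main__":
    entries = parse_quarantine_list(SAMPLE)
    print(restore_command(entries, r"C:\Malware\malware1.exe", r"C:\myfolder\not-malware.exe"))
```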