Restore a Quarantined File

When malware is launched on a Windows endpoint, and Traps is enabled to quarantine files, Traps take immediate action to quarantine the malicious executable file. To evaluate whether an executable file is considered malicious, Traps uses information from the following sources:
  • WildFire threat intelligence
  • Local analysis
  • Administrative hash control policy (a verdict override configured in the ESM server cache)
When any of theses sources identify malware, Traps moves the malware from the local folder or removable hard-drive to a local quarantine folder (
). If user alerts are enabled, Traps also notifies the user about the quarantined file.
If after using available threat intelligence—such as from WildFire or AutoFocus—you believe the quarantined file is not malware and is benign, you can update your hash control policy and then restore the executable file to its original location (either on the endpoint, or on a removal drive).
When the same malware file (same filename and hash) runs from multiple locations, the
Hash Control
page only displays information about the last instance. As a result, if you choose to restore a file, you can only restore the last instance.
Each time you restore an executable file, the ESM Console sends a one-time action rule to the agent to restore the file. You can also use Cytool to view and restore quarantined files (see Restorea Quarantined File Using Cytool). To view the quarantine and restoration status, view the logs or configure the ESM to send logs to an external logging server.
  1. Review quarantined files.
    Each time Traps quarantines a file, the ESM Console logs a quarantine event. The ESM Console also updates the hash control record to indicate the quarantine status and number of endpoints on which the file was quarantined.
    1. Log in to the ESM Console and select
      Hash Control
    2. From the action menu , select
      Restore Candidates
      . The ESM Console filters the results to display only quarantined files. You can also filter the Quarantined column by the value
      . (To return to the unfiltered review of hashes and refresh the results, remove the filter at the top of the table or select
      Hash Control
      from navigation menu on the left.)
    3. To view additional information about the executable file, select the row for a hash record. The row expands to display additional fields.
    4. To view the endpoints on which the executable file was quarantined, click
      Agent List
      . The Quarantined Status column indicates whether quarantine was successful on each endpoint. Click the
      to close the agent list.
  2. Configure an administrative hash control policy for the executable file. Each time a user attempts to run an executable file, Traps evaluates whether the file is malware and whether to quarantine the file. If you choose to restore an executable file but do not change the Hash Control policy, the next time a user attempts to run the file, Traps blocks and then quarantines the file again. Therefore, to prevent Traps from continuing to block and quarantine a file, you must configure an administrative hash control policy to
    Treat as Benign
    In the additional details view of the hash record, select
    Treat as Benign
    . You can also select the checkbox next to the row or rows and select
    Treat as Benign
    from the action menu . This changes the verdict in the server cache from Malware to Benign.
  3. Restore a quarantined file.
    In the expanded details view for the hash record, click
    and confirm the action to restore the file on one or more endpoints. You can also select the checkbox next to the row or rows and select
    from the action menu . When Traps receives the request at its next heartbeat communication with the ESM Server, it attempts to restore the file to its original location on each endpoint.
    button is disabled (grayed out) if the file is not quarantined.
  4. (
    ) View logs for restored files on the agent.
    You can also forward reports for these events to an external logging server or to an email address. See Reportsand Logging.
    , Filter the Report Type by any of the following events:
    • File Restore Succeeded
      —Traps successfully restored an executable file to its original location on an endpoint.
    • File Restore Failed
      —Traps failed to restore an executable file to its original location on an endpoint.

Recommended For You