Restore a Quarantined File Using Cytool

If a quarantined file turns out not to be malware, you can restore it using the ESM Console or by using Cytool from a Windows endpoint.
Use the cytool quarantine list command to view details about all quarantined files on the endpoint. To restore a file to its original location, use the cytool quarantine restore <guid> command. To restore a file to a new location, use the cytool quarantine restore <guid> <filepath> command.
To view quarantine details or restore a file, you must enter the supervisor (uninstall) password when prompted.
Using Cytool, you can restore a file to any non-network writable file system, including NTFS, ExFAT, FAT32, FAT16, and ReFS.
  1. Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
  2. To view all files that Traps has quarantined on the endpoint, use the following command:
    C:\Program Files\Palo Alto Networks\Traps>cytool quarantine list
    The following example shows the output when cytool lists all quarantined files.
    c:\Program Files\Palo Alto Networks\Traps>cytool quarantine list
    Enter supervisor password:
    Guid                                  State        Date/Time                               Path
    c92e84c0-1770-40d5-b5b8-544d02381ea6  Quarantined  Thursday, August 18, 2016, 14:40:21 PM  C:\Malware\malware1.exe
  3. To restore a quarantined file, use the following command:
    C:\Program Files\Palo Alto Networks\Traps>cytool quarantine restore <guid> <filepath>
    where <guid> is the unique identifier of the file. If you want to restore the executable file to its original location, leave <filepath> blank. Otherwise, enter the location, including the filename, to which you want to restore the executable file.
    The following example shows the output when cytool restores the malware1.exe file to an alternate location.
    C:\Program Files\Palo Alto Networks\Traps>cytool quarantine restore c92e84c0-1770-40d5-b5b8-544d02381ea6 C:\myfolder\not-malware.exe
    Enter supervisor password:
    Restored prevention c92e84c0-1770-40d5-b5b8-544d02381ea6 to C:\myfolder\not-malware.exe
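
A pre-restore check for the procedure above, as an added example that is not part of the Traps documentation: it parses a saved cytool quarantine list listing, confirms the destination is a local, non-network path, and prints the restore command to run at the prompt. The function names are hypothetical, the listing is constructed from the example row on this page, and the column layout and the refusal to overwrite an existing file are assumptions.

```powershell
# Added example, not Palo Alto Networks code. Assumes the listing layout shown
# on this page: Guid, State, Date/Time, Path, with a drive-letter path last.
function ConvertFrom-CytoolQuarantineList {
    param([string[]]$Line)
    $row = '^\s*(?<Guid>[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})\s+' +
           '(?<State>\S+)\s+(?<When>.+?)\s+(?<Path>[A-Za-z]:\\.*)$'
    foreach ($l in $Line) {
        if ($l -match $row) {          # header and prompt lines do not match
            [pscustomobject]@{
                Guid  = $Matches.Guid
                State = $Matches.State
                When  = $Matches.When
                Path  = $Matches.Path.Trim()
            }
        }
    }
}

# Returns a reason string when the destination should not be used, else $null.
function Test-RestoreTarget {
    param([string]$Destination)
    if ($Destination -match '^\\\\')           { return 'UNC (network) path' }
    if ($Destination -notmatch '^[A-Za-z]:\\') { return 'not an absolute drive path' }
    $drive = New-Object System.IO.DriveInfo ($Destination.Substring(0, 1))
    if ($drive.DriveType -eq [System.IO.DriveType]::Network) { return 'mapped network drive' }
    $folder = [System.IO.Path]::GetDirectoryName($Destination)
    if (-not [System.IO.Directory]::Exists($folder)) { return 'target folder does not exist' }
    # Assumption: refuse to overwrite; the page does not say how cytool handles this.
    if ([System.IO.File]::Exists($Destination)) { return 'a file already exists at the target' }
    return $null
}

# Constructed sample: listing text saved from "cytool quarantine list".
$listing = @(
    'Guid                                  State        Date/Time                               Path'
    'c92e84c0-1770-40d5-b5b8-544d02381ea6  Quarantined  Thursday, August 18, 2016, 14:40:21 PM  C:\Malware\malware1.exe'
)
$dest  = 'C:\myfolder\not-malware.exe'
$entry = ConvertFrom-CytoolQuarantineList $listing |
    Where-Object { $_.Path -eq 'C:\Malware\malware1.exe' -and $_.State -eq 'Quarantined' }
$problem = Test-RestoreTarget $dest

if (-not $entry) {
    Write-Warning 'No matching quarantined entry in the listing.'
} elseif ($problem) {
    Write-Warning "Not restoring to ${dest}: $problem"
} else {
    "cytool quarantine restore $($entry.Guid) $dest"   # run this from the Traps folder
}
```

The script only prints the command, because cytool prompts for the supervisor password interactively.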
