Restore a Quarantined File Using Cytool

If a quarantined file turns out not to be malware, you can restore it using the ESM Console or by using Cytool from a Windows endpoint.
Use the cytool quarantine list command to view details about all quarantined files on the endpoint. To restore a file to its original location, use the cytool quarantine restore <guid> command. To restore a file to a new location, use the cytool quarantine restore <guid> <filepath> command.
To view quarantine details and restore quarantined files, you must enter the supervisor (uninstall) password when prompted.
Using Cytool, you can restore a file to any non-network writable file system, including NTFS, ExFAT, FAT32, FAT16, and ReFS.
  1. Open a command prompt as an administrator and navigate to the Traps folder (see Access Cytool).
  2. To view all files that Traps has quarantined on the endpoint, use the following command:
    C:\Program Files\Palo Alto Networks\Traps> cytool quarantine list
    The following example displays the output of using cytool to query for all quarantined files.
    c:\Program Files\Palo Alto Networks\Traps>cytool quarantine list
    Enter supervisor password:
    Guid State Date/Time Path
    c92e84c0-1770-40d5-b5b8-544d02381ea6 Quarantined Thursday, August 18, 2016, 14:40:21 PM C:\Malware\malware1.exe
  3. To restore a quarantined file, use the following command:
    C:\Program Files\Palo Alto Networks\Traps> cytool quarantine restore <guid> <filepath>
    where <guid> is the unique identifier of the file. To restore the executable file to its original location, leave <filepath> blank. Otherwise, enter the location, including the filename, to which you want to restore the executable file.
    The following example displays the output of using cytool to restore the malware1.exe file to an alternate location.
    C:\Program Files\Palo Alto Networks\Traps> cytool quarantine restore c92e84c0-1770-40d5-b5b8-544d02381ea6 C:\myfolder\not-malware.exe
    Enter supervisor password:
    Restored prevention c92e84c0-1770-40d5-b5b8-544d02381ea6 to C:\myfolder\not-malware.exe
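
An added example (not part of the Traps documentation): a PowerShell pre-check that parses saved cytool quarantine list output and confirms that a restore destination is on a local volume with one of the file systems named above. The function names, the assumed column layout, and the overwrite check are assumptions of this example; it does not call cytool.

```powershell
# Constructed sample: the list output shown on this page, saved as text.
$sample = @'
Guid State Date/Time Path
c92e84c0-1770-40d5-b5b8-544d02381ea6 Quarantined Thursday, August 18, 2016, 14:40:21 PM C:\Malware\malware1.exe
'@

# Hypothetical helper: turn each data row into an object.
# Assumed layout: GUID, state, date ending in AM/PM, then the path (which may contain spaces).
function ConvertFrom-QuarantineList {
    param([string]$Text)
    $rx = '^(?<Guid>[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\s+' +
          '(?<State>\S+)\s+(?<When>.+?\s[AP]M)\s+(?<Path>.+)$'
    foreach ($line in $Text -split "`r?`n") {
        if ($line.Trim() -match $rx) {
            [pscustomobject]@{
                Guid  = $Matches['Guid'];  State = $Matches['State']
                When  = $Matches['When'];  Path  = $Matches['Path'].Trim()
            }
        }
    }
}

# Hypothetical helper: check a restore destination before running the restore command.
function Test-RestoreTarget {
    param([string]$FilePath)
    # File systems the page names; Windows reports FAT16 volumes as 'FAT'.
    $allowed = 'NTFS', 'exFAT', 'FAT32', 'FAT', 'ReFS'
    if ($FilePath -notmatch '^[A-Za-z]:\\') {
        return 'Rejected: not a drive-letter path (UNC or relative)'
    }
    $drive = [System.IO.DriveInfo]::new($FilePath.Substring(0, 3))
    if (-not $drive.IsReady)            { return "Rejected: $($drive.Name) is not ready" }
    if ($drive.DriveType -eq 'Network') { return "Rejected: $($drive.Name) is a network drive" }
    if ($drive.DriveFormat -notin $allowed) {
        return "Rejected: file system $($drive.DriveFormat) is not in the documented list"
    }
    # Added caution, not a documented cytool rule: do not restore over an existing file.
    if (Test-Path -LiteralPath $FilePath) { return 'Rejected: target already exists' }
    'OK'
}

foreach ($item in ConvertFrom-QuarantineList $sample) {
    $target = 'C:\myfolder\not-malware.exe'   # destination from the page's restore example
    '{0}  {1}  ->  {2}: {3}' -f $item.Guid, $item.Path, $target, (Test-RestoreTarget $target)
}
```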
