Manage Quarantined Files

When Traps detects malware on a Windows endpoint, you can take additional precautions to quarantine the file. When Traps quarantines malware, Traps moves it from its location on a local or removable hard drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine) where it isolates the file. This prevents the file from attempting to run again or causing any harm to your endpoints.
There are two ways you can quarantine malicious files on Windows endpoints. You can quarantine a malicious file as a response to a security event, or you can enable Traps to quarantine malicious files automatically when detected. To enable Traps to quarantine files automatically, you configure the option in a Malware Security profile.
To evaluate whether an executable file is considered malicious, Traps calculates a verdict using information from the following sources in order of priority:
  • Hash exception policy
  • WildFire threat intelligence
  • Local analysis
Due to the nature of our ever-changing threat landscape, WildFire can reevaluate the nature of a file and, if it determines the file to be benign, update the WildFire verdict. You can also Create a Hash Exception to change the file verdict in your Traps management service tenant. You might create a hash exception if, after using available threat intelligence—such as from WildFire or AutoFocus—you believe a quarantined file is not malicious and is instead benign.
After Traps quarantines a file, you can:
  • View the quarantine status for a file involved in a security event.
    Traps management service displays the quarantine status in the details view of a security event.
    1. Select Security Events.
    2. Select the name of the Event for which you want to view the quarantine status.
      Traps management service displays additional details about the security event.
    3. In the Module area of the additional details view, identify the QUARANTINED FILE.
      Depending on the type of event, the quarantined file can be different than the source process for which the security event was reported. For example, if the source process (CGO) is signed by a trusted signer but involved in a behavioral threat event, the quarantined file can instead be the target of the malicious causality chain. In the case of macros, the security event shows the hash associated with the DOCUMENT and the hash and verdict associated with the MACRO.
    4. In the same area, view the QUARANTINE STATUS of the quarantined file.
      The QUARANTINE STATUS is one of the following:
      • Quarantined—Traps successfully quarantined the file on the endpoint.
      • Quarantine Failed—Traps failed to quarantine the file.
      • Not Quarantined—Traps did not quarantine a file due to the malware security policy (Quarantine malicious files option is disabled).
      • Pending Restore—Traps management service has instructed the Traps agent to restore the file but the agent has not yet completed the action.
      • Restore Failed—The Traps agent failed to restore the file.
  • Review details about quarantined files.
    Traps management service displays all quarantined files in Files > Quarantine. To review details for a quarantined file:
    1. Locate the file in Quarantine.
      For each file, Traps management service displays the following information:
      • SHA256—Hash associated with the quarantined file.
      • Verdict—Verdict and verdict source (Local Analysis, WildFire etc). If a WildFire report is available, you can view the analysis details on the WildFire tab for the quarantined file (Review WildFire Analysis Details).
      • File Name—The name of file when Traps first logged an attempt to run the file. If there are multiple instances of the file, you can view other names associated with the same hash in the Endpoints area.
      • Endpoints—If the file was only quarantined on one endpoint, Traps management displays the name of the endpoint and an icon representing the platform type (only Windows endpoints support the quarantine feature). If the file was quarantined on multiple endpoints, this field displays the endpoint count.
      • Verdict Change Time—Time at which Traps management service received a verdict change.
      • Statuses—Summary of quarantine or restoration status including the number of endpoints associated with each status.
    2. Select the SHA256 to view additional details about the file.
      In addition to the fields above, Traps management service displays the following information for each endpoint on which the file was quarantined.
      • Endpoint—Hostname or alias and OS of the endpoint on which the file was quarantined.
      • Quarantined By—The user or service that initiated a quarantine action. This field can reflect Traps Agent Policy when the security policy triggers an automated quarantine action or the username and service that initiated the on-demand quarantined action. The service can be Traps management service or another service such as Cortex XDR – Investigation and Response.
      • File Path—Full path of the file before it was quarantined.
      • Status—Quarantine or restoration status of the file on the endpoint.
      • Security Event—Unique identifier and link to the original security event.
  • Restore a quarantined file to its original location.
    If Traps quarantined a file due to a Malware or unknown verdict, and you believe that file is not malicious and want to restore it to its original location, you must first Create a Hash Exception.
    You can restore a file using either of two methods:
    • From Files > Quarantine:
      Use this method to restore a single file or multiple files that now have a Benign verdict. If you select multiple files, Traps management service ignores the request for any files that do not have a Benign verdict. If you need to restore a file that currently has a Malware verdict, you must do so From the details view of a security event or the quarantined file.
      1. Select the file and click the restore icon.
        Traps management service prompts you to confirm your selection.
      2. Click Restore again to confirm. Traps management service sends the instruction to restore the file at the next heartbeat communication with the Traps agent on all endpoints on which the file was quarantined.
    • From the details view of a security event or the quarantined file:
      1. Select the appropriate restore action. The option varies depending on the verdict associated with the file and the exception status:
        • Create Exception and Restore—If the file has a Malware verdict, you must define an exception to set a Benign verdict before you can restore the file.
        • Replace Exception and Restore File—If the file has an exception which sets a Malware verdict (or sets a Benign verdict but is disabled), you must override it before Traps can restore the file.
      2. Review the details of the exception and enter any comments to explain the reason for the exception.
      3. Confirm the restore action to save the exception.
        Traps management service sends the instruction to restore the file at the next heartbeat communication with the Traps agent on all endpoints on which the file was quarantined.
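The verdict-priority rule given earlier on this page (hash exception policy, then WildFire, then local analysis) and the restore rules above can be written down as one small decision procedure. The following is an added illustration, not Traps code: the verdict sources, exception model and sample hashes are constructed for the example, and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Verdict strings as the page uses them.
BENIGN, MALWARE, UNKNOWN = "Benign", "Malware", "Unknown"


@dataclass
class HashException:
    """A hash exception as the page describes it: it forces a verdict and may be disabled."""
    verdict: str
    enabled: bool = True


def resolve_verdict(sha256: str, exceptions: Dict[str, HashException],
                    wildfire: Dict[str, str], local: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, source) in the page's priority order:
    hash exception policy, then WildFire, then local analysis.
    A disabled exception is skipped; a file with no verdict anywhere is Unknown."""
    exc = exceptions.get(sha256)
    if exc is not None and exc.enabled:
        return exc.verdict, "Hash Exception"
    if sha256 in wildfire:
        return wildfire[sha256], "WildFire"
    return local.get(sha256, UNKNOWN), "Local Analysis"


def restore_action(sha256: str, exceptions, wildfire, local) -> str:
    """Which restore option the details view offers for one file.
    An exception that sets Malware, or one that is disabled, must be replaced first;
    a Benign verdict restores directly; Malware/Unknown without an exception needs one."""
    exc = exceptions.get(sha256)
    if exc is not None and (exc.verdict == MALWARE or not exc.enabled):
        return "Replace Exception and Restore File"
    verdict, _ = resolve_verdict(sha256, exceptions, wildfire, local)
    return "Restore" if verdict == BENIGN else "Create Exception and Restore"


def bulk_restore(selected: List[str], exceptions, wildfire, local) -> List[str]:
    """Files > Quarantine bulk restore: only files whose current verdict is Benign
    receive a restore instruction; the rest of the selection is ignored."""
    return [h for h in selected
            if resolve_verdict(h, exceptions, wildfire, local)[0] == BENIGN]


# Constructed sample data (placeholder hashes, not real indicators).
H_A, H_B, H_C, H_D, H_E = ("aa" * 32, "bb" * 32, "cc" * 32, "dd" * 32, "ee" * 32)
SAMPLE_EXCEPTIONS = {H_A: HashException(BENIGN),            # analyst override
                     H_C: HashException(BENIGN, enabled=False),
                     H_E: HashException(MALWARE)}
SAMPLE_WILDFIRE = {H_A: MALWARE, H_B: MALWARE, H_C: BENIGN}  # H_D/H_E unseen by WildFire
SAMPLE_LOCAL = {H_E: MALWARE}                                # H_D has no verdict at all
```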
