Manage Quarantined Files

When Traps detects malware on a Windows endpoint, you can take additional precautions to quarantine the file. When Traps quarantines malware, Traps moves it from its location on a local or removable hard drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine) where it isolates the file. This prevents the file from attempting to run again or causing any harm to your endpoints.
There are two ways you can quarantine malicious files on Windows endpoints. You can quarantine a malicious file as a response to a security event, or you can enable Traps to quarantine malicious files automatically when detected. To enable Traps to quarantine files automatically, you configure the option in a Malware Security profile.
To evaluate whether an executable file is considered malicious, Traps calculates a verdict using information from the following sources in order of priority:
  • Hash exception policy
  • WildFire threat intelligence
  • Local analysis
Due to the nature of our ever-changing threat landscape, WildFire can reevaluate the nature of a file and, if it determines the file to be benign, update the WildFire verdict. You can also Create a Hash Exception to change the file verdict in your Traps management service tenant. You might create a hash exception if, after using available threat intelligence—such as from WildFire or AutoFocus—you believe a quarantined file is not malicious and is instead benign.
After Traps quarantines a file, you can:
  • View the quarantine status for a file involved in a security event.
    Traps management service displays the quarantine status in the details view of a security event.
    1. Select Security > Security Events.
    2. Select the name of the Event for which you want to view the quarantine status.
      Traps management service displays additional details about the security event.
    3. In the Module area of the additional details view, identify the QUARANTINED FILE.
      Depending on the type of event, the quarantined file can differ from the source process for which the security event was reported. For example, if the source process (CGO) is signed by a trusted signer but involved in a behavioral threat event, the quarantined file can instead be the target of the malicious causality chain. In the case of macros, the security event shows the hash associated with the DOCUMENT and the hash and verdict associated with the MACRO.
    4. In the same area, view the QUARANTINE STATUS of the quarantined file.
      The QUARANTINE STATUS is one of the following:
      • Quarantined—Traps successfully quarantined the file on the endpoint.
      • Quarantine Failed—Traps failed to quarantine the file.
      • Not Quarantined—Traps did not quarantine the file because the Quarantine malicious files option is disabled in the malware security policy.
      • Pending Restore—Traps management service has instructed the Traps agent to restore the file but the agent has not yet completed the action.
      • Restore Failed—The Traps agent failed to restore the file.
  • Review details about quarantined files.
    Traps management service displays all quarantined files in Security > Files > Quarantine. To review details for a quarantined file:
    1. Locate the file in Quarantine.
      For each file, Traps management service displays the following information:
      • SHA256—Hash associated with the quarantined file.
      • Verdict—Current verdict and verdict source (Local Analysis, WildFire, etc.). If a WildFire report is available, you can view the analysis details on the WildFire tab for the quarantined file (Review WildFire Analysis Details).
      • File Name—The name of the file when Traps first logged an attempt to run it. If there are multiple instances of the file, you can view other names associated with the same hash in the Endpoints area.
      • Endpoints—If the file was quarantined on only one endpoint, Traps management service displays the name of the endpoint and an icon representing the platform type (only Windows endpoints support the quarantine feature). If the file was quarantined on multiple endpoints, this field displays the endpoint count.
      • Verdict Change Time—Time at which Traps management service received a verdict change.
      • Statuses—Summary of quarantine or restoration status, including the number of endpoints associated with each status.
    2. Select the SHA256 to view additional details about the file.
      In addition to the fields above, Traps management service provides additional verdict information and details about the endpoints on which a file was quarantined.
      You can view the current verdict and verdict source as well as additional verdict information across other verdict-issuing sources. Comparing these verdicts can be useful when trying to determine whether to restore a quarantined file.
      Below the file details, you can also view the following information for each endpoint on which the file was quarantined.
      • Endpoint—Hostname or alias and OS of the endpoint on which the file was quarantined.
      • Quarantined By—The user or service that initiated the quarantine action. This field shows Traps Agent Policy when the security policy triggered an automated quarantine action, or the username and service that initiated an on-demand quarantine action. The service can be Traps management service or another service such as Cortex XDR – Investigation and Response.
      • File Path—Full path of the file before it was quarantined.
      • Status—Quarantine or restoration status of the file on the endpoint.
      • Security Event—Unique identifier and link to the original security event.
  • Restore a quarantined file to its original location.
    If after you review details about a quarantined file you believe that file is not malicious and want to restore it to its original location, you must first Create a Hash Exception.
    You can restore a file using either of two methods:
    • From Security > Files > Quarantine:
      Use this method to restore one or more files that now have a Benign verdict. You can restore an unlimited number of files in a single bulk action. If you select multiple files, Traps management service ignores the request for any files that do not have a Benign verdict. If you need to restore a file that currently has a malware verdict, you must do so From the details view of a security event or the quarantine file.
      1. Select the file and click the restore icon.
        Traps management service prompts you to confirm your selection.
      2. Click Restore again to confirm. Traps management service sends the instruction to restore the file at the next heartbeat communication with the Traps agent on all endpoints on which the file was quarantined.
    • From the details view of a security event or the quarantine file:
      1. Select the appropriate restore action. The option varies depending on the verdict associated with the file and the exception status:
        • Create Exception and Restore—If the file has a Malware verdict, you must define an exception to set a Benign verdict before you can restore the file.
        • Replace Exception and Restore File—If the file has an exception which sets a Malware verdict (or sets a Benign verdict but is disabled), you must override it before Traps can restore the file.
      2. Review the details of the exception and enter any comments to explain the reason for the exception.
      3. Confirm the restore action to save the exception.
        Traps management service sends the instruction to restore the file at the next heartbeat communication with the Traps agent on all endpoints on which the file was quarantined.
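      The following Python model is an added illustration of the rules described on this page (the verdict source priority of hash exception, WildFire and local analysis, which restore option the details view offers, and which files a bulk restore acts on); it is constructed here and is not Traps code. It assumes that local analysis always yields a verdict and that a file that is already Benign is offered a plain Restore action.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the rules this page describes (not Traps code): the
# verdict sources are consulted in priority order (hash exception policy,
# WildFire, local analysis) and the restore option depends on the outcome.
BENIGN, MALWARE = "Benign", "Malware"


@dataclass
class HashException:
    verdict: str          # verdict the exception assigns to the hash
    enabled: bool = True  # a disabled exception no longer decides the verdict


@dataclass
class QuarantinedFile:
    sha256: str           # hash shown in Security > Files > Quarantine
    local_analysis: str   # lowest-priority source; assumed always present
    wildfire: Optional[str] = None        # None if WildFire has no verdict yet
    exception: Optional[HashException] = None


def resolve_verdict(f: QuarantinedFile) -> Tuple[str, str]:
    """Return (verdict, source) from the highest-priority source that applies."""
    if f.exception is not None and f.exception.enabled:
        return f.exception.verdict, "Hash Exception"
    if f.wildfire is not None:
        return f.wildfire, "WildFire"
    return f.local_analysis, "Local Analysis"


def restore_action(f: QuarantinedFile) -> str:
    """Restore option offered in the details view of the event or file."""
    exc = f.exception
    # An exception that sets Malware, or a disabled Benign one, must be replaced.
    if exc is not None and (exc.verdict == MALWARE or not exc.enabled):
        return "Replace Exception and Restore File"
    if resolve_verdict(f)[0] == MALWARE:
        return "Create Exception and Restore"
    return "Restore"  # assumption: an already-Benign file needs no exception


def bulk_restore(files: List[QuarantinedFile]) -> List[str]:
    """Bulk restore from the Quarantine page: only Benign files are acted on;
    the request is silently ignored for every other selected file."""
    return [f.sha256 for f in files if resolve_verdict(f)[0] == BENIGN]
```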