Quarantine

Last modified by Sabrina V. on 2024/10/08 11:35

Files that the Microsoft Defender antivirus scanner detects as a real or possible threat are automatically moved to Quarantine. The administrator then decides what to do with the file: it can be left in quarantine until it is automatically deleted, or, if the detection is a false positive, it can be taken out of quarantine with a restore job. If the same false positive keeps recurring, the file can also be added to an exclusion so that it is no longer quarantined automatically.

Figure: Quarantine tab

Viewing quarantined files

All files that have been quarantined on a Client are shown in a list on the Quarantine tab, ordered by how recently they were quarantined.

Each quarantine entry has the following properties:

File path: File name and path of the quarantined file
Threat: Detected threat that caused the file to be quarantined
Severity: Warning level of the threat, one of four levels: high, medium, low and unknown
Status: State of the quarantine entry, one of five values:

1. In Quarantine: The file is in quarantine on the Client.
2. Restore requested: A restore job has been started and is in progress.
3. Failed: A restore job has failed. The exact error can be viewed in the logs under Job Monitor in the ribbon bar.
4. Was in quarantine: The file no longer exists on the Client, e.g. it has been deleted from quarantine.
5. Restored: The restore job was successful and the file has been restored.

Time of detection: Date and time the file was moved to quarantine
Restoring user: Administrator who restored the file
Recovery date: Date the quarantined file was restored
Category: Classification of the quarantined file, e.g. virus, worm, Trojan
Recovery reason: Reason for restoring the file, optionally entered by the administrator
Further information: Link to further information

You can also view these properties in the Client Details or use them as fields in queries and reports.

You can also select an individual quarantine entry to view its details.

Restoring files

Files that were quarantined by mistake but are actually safe can be moved out of quarantine with a restore job. To do this, select the entry in the quarantine list and click Restore in the ribbon bar. While the job runs, the entry has the status 'Restore requested'. If the restore succeeds, the status changes to 'Restored'; if it fails, the status changes to 'Failed' and the exact error can be seen in the Job Monitor. Before restoring, confirm that the detection really is a false positive (for example by comparing the file's hash with that of a known-good copy), because a restored file is executable again on the Client. If a file keeps ending up in Quarantine by mistake, add it to an exclusion.
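The listing and restore workflow above can be reproduced directly on a Client with the Defender PowerShell module and MpCmdRun.exe. The script below is an added example and is not ACMP code: it lists local detections with the same fields the Quarantine tab shows (path, threat, severity, detection time), and restores a quarantined file into a staging directory, verifies its SHA-256 against a hash obtained from a trusted source, and only then moves it back to its original location. The MpCmdRun.exe locations, the assumption that `-Path` restores the item under its original file name, and the staging directory are assumptions of this example.

```powershell
# Added example (not ACMP code). Requires the Defender module and MpCmdRun.exe; run elevated.

# Resolve MpCmdRun.exe: assumed locations are the platform directory first, then the legacy path.
function Get-MpCmdRunPath {
    $platform = Get-ChildItem "$env:ProgramData\Microsoft\Windows Defender\Platform" -Directory -ErrorAction SilentlyContinue |
        Sort-Object Name -Descending | Select-Object -First 1
    if ($platform -and (Test-Path (Join-Path $platform.FullName 'MpCmdRun.exe'))) {
        return Join-Path $platform.FullName 'MpCmdRun.exe'
    }
    return "$env:ProgramFiles\Windows Defender\MpCmdRun.exe"
}

# Severity names as Defender reports them (SeverityID). The Quarantine tab shows
# high / medium / low / unknown; Defender's "Moderate" is the medium level.
$SeverityNames = @{ 0 = 'Unknown'; 1 = 'Low'; 2 = 'Moderate'; 4 = 'High'; 5 = 'Severe' }

# List detections with the fields that matter for triage, newest first.
function Get-LocalThreatSummary {
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t }
    foreach ($d in Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending) {
        $t = $threats[$d.ThreatID]
        $sevId = if ($t) { [int]$t.SeverityID } else { 0 }
        [pscustomobject]@{
            Path       = ($d.Resources -join '; ')
            Threat     = if ($t) { $t.ThreatName } else { "ThreatID $($d.ThreatID)" }
            Severity   = if ($SeverityNames.ContainsKey($sevId)) { $SeverityNames[$sevId] } else { "ID $sevId" }
            Active     = if ($t) { $t.IsActive } else { $null }
            DetectedAt = $d.InitialDetectionTime
            Process    = $d.ProcessName
        }
    }
}

# Restore one quarantined file into a staging directory, verify its SHA-256 against
# the hash of a known-good copy, and only then move it back to its original location.
# On a mismatch the staged copy is deleted and nothing is restored.
# Real-time protection may re-detect the file unless signatures have changed or an
# exclusion exists; that is the case for adding an exclusion.
function Restore-QuarantinedFileVerified {
    param(
        [Parameter(Mandatory)] [string] $OriginalPath,   # path as shown in the Quarantine tab
        [Parameter(Mandatory)] [string] $ExpectedSha256, # from a trusted source, never from the quarantined copy
        [string] $Staging = (Join-Path $env:ProgramData 'QuarantineStaging')  # assumed staging location
    )
    New-Item -ItemType Directory -Path $Staging -Force | Out-Null
    # Assumption: MpCmdRun restores the item into the directory given by -Path, keeping its file name.
    & (Get-MpCmdRunPath) -Restore -FilePath $OriginalPath -Path $Staging | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "MpCmdRun restore failed with exit code $LASTEXITCODE" }
    $staged = Join-Path $Staging (Split-Path $OriginalPath -Leaf)
    if (-not (Test-Path -LiteralPath $staged)) { throw "Restored file not found at $staged" }
    $actual = (Get-FileHash -LiteralPath $staged -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        Remove-Item -LiteralPath $staged -Force
        throw "Hash mismatch ($actual); file not restored"
    }
    Move-Item -LiteralPath $staged -Destination $OriginalPath -Force
    return $OriginalPath
}

# Usage (the path and hash are placeholders for this example):
# Get-LocalThreatSummary | Format-Table -AutoSize
# Restore-QuarantinedFileVerified -OriginalPath 'C:\Tools\build\agent.exe' -ExpectedSha256 '<sha256 of the known-good build>'
```

The point of the staging step is that the decision to put the file back is made on a verified hash rather than on the file name alone; a file with the right name but a different hash is discarded.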

Adding exclusions for specific files

If you find that a particular file is repeatedly and mistakenly detected as a threat by the Microsoft Defender scanner, you can add it to an exclusion.

On the Quarantine tab, use Add exclusion in the ribbon bar to choose which item to exclude. You can exclude specific files, file extensions, entire directories, or processes. The excluded item is then no longer automatically moved to Quarantine. Keep exclusions as narrow as the false positive requires: an exclusion is a blind spot for the scanner, so a single file path is preferable to a whole directory, an extension, or a process, which also exempt anything else that matches.
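The same scoping rule can be enforced and audited on a Client with the Defender PowerShell module. The script below is an added example, not ACMP code: `Add-FileExclusion` adds an exclusion for exactly one existing file and refuses directories and wildcards, and `Get-ExclusionReport` lists the exclusions already in place and flags the broad ones (directories, wildcards, executable extensions, process exclusions by bare name). The function names and the list of extensions treated as executable are assumptions of this example.

```powershell
# Added example (not ACMP code). Requires the Defender module (Get-MpPreference / Add-MpPreference); run elevated.

# Add an exclusion for exactly one file. Refuses directories and wildcards so the
# exclusion cannot become a blind spot wider than the false positive needs.
function Add-FileExclusion {
    param([Parameter(Mandatory)] [string] $FilePath)
    if ($FilePath -match '[\*\?]') { throw "Wildcards are not allowed: $FilePath" }
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) { throw "Not an existing file: $FilePath" }
    $full = (Resolve-Path -LiteralPath $FilePath).Path
    Add-MpPreference -ExclusionPath $full
    return $full
}

# Report the exclusions in place and flag the ones that deserve a second look.
function Get-ExclusionReport {
    $p = Get-MpPreference
    # Assumed list of extensions whose exclusion exempts executable content.
    $broadExt = @('exe', 'dll', 'ps1', 'js', 'vbs', 'bat', 'cmd', 'scr', 'msi')

    foreach ($x in @($p.ExclusionPath)) {
        if (-not $x) { continue }
        $isDir = Test-Path -LiteralPath $x -PathType Container
        $flag  = if ($x -match '[\*\?]') { 'wildcard' } elseif ($isDir) { 'directory' } else { '' }
        [pscustomobject]@{ Type = 'Path'; Value = $x; Flag = $flag }
    }
    foreach ($x in @($p.ExclusionExtension)) {
        if (-not $x) { continue }
        $flag = if ($broadExt -contains $x.TrimStart('.').ToLower()) { 'executable extension' } else { '' }
        [pscustomobject]@{ Type = 'Extension'; Value = $x; Flag = $flag }
    }
    foreach ($x in @($p.ExclusionProcess)) {
        if (-not $x) { continue }
        # A process exclusion exempts every file that process opens; a bare name
        # applies to any binary with that name, wherever it runs.
        $flag = if ($x -notmatch '[\\/]') { 'process by name only' } else { 'process' }
        [pscustomobject]@{ Type = 'Process'; Value = $x; Flag = $flag }
    }
}

# Usage (the path is a placeholder for this example):
# Add-FileExclusion -FilePath 'C:\Tools\build\agent.exe'
# Get-ExclusionReport | Where-Object Flag | Format-Table -AutoSize
```

Running the report after adding an exclusion through ACMP shows what actually landed on the Client, and the `Flag` column is the list to review first.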

Deleting quarantined items from the Client

Note:

Please note that deleting a quarantined file as a remote action for the Client is not supported by Microsoft.

However, you have the option in ACMP to run an automated delete action on obsolete quarantine files after a specified period of time. To do this, go to the Configuration Profiles > Real-time protection tab. Under Quarantine, you can then set the time after which a file is automatically deleted from quarantine. The default setting is 40 days.

The effect of this setting is that quarantined files are considered obsolete after the specified period and are automatically removed from the Client without any further action by the Administrator.

Removing quarantine entries from the ACMP database

Once a quarantined file has been restored to the Client or automatically deleted, its entry is given the status 'Restored' or 'Was in quarantine'. The associated metadata remains in the ACMP database for a period of time, so administrators can still trace what happened even after the file itself no longer exists on the Client.

These quarantine entries are later deleted from the ACMP database via a cleanup job. Here you can set both the time period after which these entries are deleted and the general interval at which the cleanup job runs on the server. To do this, go to System > Settings in the navigation. Under Scheduled Server Tasks in the ACMP Server root level, you will find the Defender Events cleanup under Defender Management. By default, this cleanup starts every 5 hours and deletes items in the database that are older than 30 days. You can change the default settings by double-clicking on the entry in the wizard that appears and setting the desired time periods.

Note:

Only quarantine items with the status 'Was in quarantine' or 'Restored' will be deleted. Entries for files that are still in quarantine are not deleted.

© Aagon GmbH 2024