Manage Quarantined Files - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-16
Category
Administrator Guide
Abstract

You can review and manage all files that have been quarantined by the agent due to a security incident.

When the agent detects malware on a Windows endpoint, you can take the additional precaution of quarantining the file. When the agent quarantines malware, it moves the file from its location on a local or removable drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine) where it isolates the file. This prevents the file from attempting to run again from the same path or causing any harm to your endpoints.

To evaluate whether an executable file is considered malicious, the agent calculates a verdict using information from the following sources in order of priority:

  • Hash exception policy

  • WildFire threat intelligence

  • Local analysis

Quarantining a file in Cortex XSIAM can be done in one of two ways:

  • Enable the agent to automatically quarantine malicious executables by configuring quarantine settings in the Malware security profile.

  • Right-click a specific file from the causality card and select Quarantine.

  1. View the quarantined files in your network.

    Navigate to Incident Response > Response > Action Center > File Quarantine. Toggle between the DETAILED and AGGREGATED BY SHA256 views to display information about your quarantined files.

  2. Review details about quarantined files.

    In the Detailed view, filter and review the Endpoint Name, Domain, File Path, Quarantine Source, and Quarantine Date of all the quarantined files.

    • Right-click one or more rows and select Restore all files by SHA256 to reinstate the selected files.

      Note

      This will restore all files with the same hash on all of your endpoints.

    • In the Hash field, right-click to:

      • Open in VirusTotal—Review the inspection results for the quarantined file on VirusTotal. The VirusTotal site opens in a new browser tab, where you can view all analysis details for the selected quarantined file.

      • Open Hash View—Drill down on each of the process executions, file operations, incidents, actions, and threat intelligence reports relating to the hash value.

      • Open in Quick Launcher—Search for where the hash value appears in Cortex XSIAM.

    • Select Export to file to download a detailed list of the quarantined hashes in TSV format.

    In the Aggregated by SHA256 view, filter and review the Hash, File Name, File Path, and Scope of all the quarantined files.

    • Right-click a row and select Additional Data to open the Quarantine Details page detailing the Endpoint Name, Domain, File Path, Quarantine Source, and Quarantine Date of a specific file hash.

    • Right-click and select Restore to reinstate one or more of the selected file hashes.

    • Right-click and select Delete all files by SHA256 to permanently delete quarantined files on the endpoint.

    • In the Hash field, right-click to:

      • Open in VirusTotal—Review the inspection results for the quarantined file on VirusTotal. The VirusTotal site opens in a new browser tab, where you can view all analysis details for the selected quarantined file.

      • Open Hash View—Drill down on each of the process executions, file operations, incidents, actions, and threat intelligence reports relating to the hash.

      • Open in Quick Launcher—Search for where the hash value appears in Cortex XSIAM.
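As an added example (not part of the guide or of Cortex XSIAM itself), the following Python script reads a TSV export from the Detailed view and rebuilds the Aggregated by SHA256 summary offline, so an analyst can see on how many endpoints each hash was quarantined before using Restore all files by SHA256, which acts on every endpoint. The column header names, the sample rows and the hash values are constructed assumptions; a real export's headers may differ.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows shaped like the Detailed view export (hash values are
# made up). The column header names are an assumption; a real export's headers
# may differ, so adjust them before running this on real data.
HASH_A = "ab" * 32
HASH_B = "cd" * 32
HEADER = ["Endpoint Name", "Domain", "File Path", "Quarantine Source", "Quarantine Date", "Hash"]
ROWS = [
    ["WS-001", "corp.example", r"C:\Users\a\Downloads\inv.exe", "Malware profile", "2024-03-01 10:02", HASH_A],
    ["WS-002", "corp.example", r"C:\Users\b\AppData\Local\Temp\inv.exe", "Malware profile", "2024-03-01 10:05", HASH_A],
    ["WS-001", "corp.example", r"C:\Users\a\Desktop\inv.exe", "Manual", "2024-03-02 08:30", HASH_A],
    ["WS-003", "corp.example", r"D:\tools\helper.exe", "Manual", "2024-03-02 09:00", HASH_B],
    ["WS-004", "corp.example", r"E:\bad.exe", "Manual", "2024-03-02 09:10", "not-a-sha256"],
]
SAMPLE_TSV = "\n".join("\t".join(r) for r in [HEADER] + ROWS) + "\n"

def is_sha256(value):
    """A SHA256 is 64 hex characters; anything else is a malformed row."""
    v = value.strip().lower()
    return len(v) == 64 and all(c in "0123456789abcdef" for c in v)

def aggregate_by_sha256(tsv_text):
    """Rebuild the Aggregated by SHA256 view from a Detailed export.
    Returns ({hash: {endpoints, paths, sources, first, last}}, skipped_rows);
    rows whose Hash column is not a SHA256 are skipped rather than miscounted."""
    summary = defaultdict(lambda: {"endpoints": set(), "paths": set(),
                                   "sources": set(), "first": None, "last": None})
    skipped = []
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        if not is_sha256(row["Hash"]):
            skipped.append(row)
            continue
        e = summary[row["Hash"].strip().lower()]
        e["endpoints"].add(row["Endpoint Name"])
        e["paths"].add(row["File Path"])
        e["sources"].add(row["Quarantine Source"])
        d = row["Quarantine Date"]  # "YYYY-MM-DD HH:MM" strings sort chronologically
        e["first"] = d if e["first"] is None or d < e["first"] else e["first"]
        e["last"] = d if e["last"] is None or d > e["last"] else e["last"]
    return dict(summary), skipped

def widespread_hashes(summary, min_endpoints=2):
    """Hashes seen on at least min_endpoints distinct endpoints: review these in
    Hash View first, since Restore all files by SHA256 acts on every endpoint."""
    return sorted(h for h, e in summary.items() if len(e["endpoints"]) >= min_endpoints)
```

Run it against a real export by replacing SAMPLE_TSV with the file contents and checking the skipped list for rows whose hash column did not parse.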