Question Regarding Endpoint Quarantine Process


  • When Endpoint states it has detected and Quarantined an infection, what is its process for removal?

    I've come across infections on our machines that Endpoint states it Quarantined. After reboot and removal from the Quarantine chest, you can still see that file located in the found path. About 30-45% of the time, later in the day or the following day, the same file comes back up in a new report.

    The kicker is, I've tested by manually cleaning out the downloads and temp folders where 90% of these infections are found. In doing so, that machine doesn't come back on the report later on.

    Good example:

    This morning a machine showed up on my report. The infection was located at:

    Malware file path: file:_C:\Users\xxxxxx\Downloads\Unconfirmed 573181.crdownload 

    I ran a full scan, and it came back clean. About 10 minutes ago, the same machine and the same file came back in a new report. Same file, same location.

    This time around, I cleared out the history (Quarantine Chest), temp folders, IE cache, and downloads. I am willing to bet that unless this user tries to download this file again, it won't come back.

    When Endpoint Quarantines a file, does it not remove it physically from the location it was found in? I could see a rootkit putting files back. However, a lot of these infections, once you manually clean the folders, the machines don't normally come back on the report, unless the user gets something else.

    Monday, March 12, 2018 6:22 PM

All replies

  • Quarantine puts files in an isolated location where they cannot execute.

    Quarantine is as good as removing, but when you remove a file you have no way to recover it, whereas when it is quarantined you can restore the file (good for false positives). You can set the number of days after which quarantined files are removed. But I guess there is another issue: maybe cache files are containing the malware. You need to investigate the file and submit suspicious samples to the Microsoft Malware Protection Center.

    Thursday, March 29, 2018 5:50 PM