Difference between Allow this threat and Restore files quarantined by this threat

  • Question

  • Hi,

    In System Center Endpoint Protection (SCEP), does anyone know the difference between "Allow this threat" and "Restore files quarantined by this threat"? We have a valid file that we want to exclude, but we want to be able to get alerted in the future if this file is accessed/downloaded by users. We are thinking that "Allowing this threat" is going to allow it for any future instances and we will not get alerted. We also think that "Restore files quarantined by this threat" is the way to go (it will allow it, but we will still get alerted in the future in case someone accesses it). Unfortunately, we cannot whitelist the path or the file name because of a certain business requirement. We are OK allowing as we go (i.e. every time SCEP finds it), but would like to still get future alerts on it.

    Thanks

    Thursday, February 27, 2020 6:05 PM

All replies

  • Hi,

    Please find the answers you are looking for:

    Allow this threat - Creates an antimalware policy to allow the selected malware. The policy is deployed to the All Systems collection and can be monitored in the Client Operations node of the Monitoring workspace.

    Restore files quarantined by this threat - Opens the Restore quarantined files dialog box where you can select one of the following options:

    • Run the allow-threat or exclusion operation first to assure that files are not put back into quarantine - Restores the files that were quarantined because of the detected malware and also excludes the files from malware scans. If you do not exclude the files from malware scans, they will be quarantined again when the next scan runs.

    • Restore files without a dependency on the allow or exclusion job - Restores the quarantined files but does not add them to the exclusion list.

    Official Reference: https://docs.microsoft.com/en-us/configmgr/protect/deploy-use/endpoint-antimalware-firewall#remediate-detected-malware

    Hope this information helps.

    Cheers.

    Friday, April 3, 2020 9:25 AM