Managing Quarantined Files

Quarantine Management helps protect the network by isolating potentially harmful files and applications (malware, ransomware, suspicious files, and so on), preventing threats from spreading across the environment. It offers a centralized view, enabling security teams to manage quarantined items efficiently. Administrators can respond quickly to incidents, inspect suspicious content, and resolve issues by restoring safe files or removing malicious ones.

To view the Quarantine Management page, from the left navigation panel, click Asset Management > Quarantine Management.

Note - The Quarantine Management feature is supported only on the Harmony Endpoint Security client for Windows version E89.05 and later.

00:03: Quarantine Management in Harmony Endpoint

00:05: gives you a safe and efficient way to deal with malicious and suspected files

00:09: across the organization. In this tutorial,

00:11: you will learn how to manage quarantined files in Harmony Endpoint.

00:16: From the Quarantine Management page, you can fetch files for deeper analysis,

00:20: restore clean files, or delete malicious

00:23: ones permanently. By combining visibility, control, and flexibility, Quarantine

00:27: Management helps reduce risk, accelerate incident response, and strengthen your overall

00:31: security posture.

00:33: To get started, log in to the Infinity Portal and select Harmony Endpoint.

00:39: From the left navigation panel, click "Asset Management".

00:42: To view the quarantined files, click Quarantine Management.

00:45: This page allows you to view quarantined files grouped by either file or

00:49: device.

00:51: In the View by Files tab, each row represents a single file.

00:54: You can view details such as the file name, file path,

00:57: hash value, the blade that quarantined the file, its current status, and the number

01:01: of devices where the file was quarantined.

01:04: In the View by Devices tab, each row represents a single endpoint. It

01:08: displays the device name, operating system, version, and the total number of

01:12: quarantined files on that device.

01:15: From the Quarantine Management page, you can fetch a quarantined file, restore

01:19: a clean file that was quarantined, or delete a quarantined file.

01:23: Fetching a quarantined file allows you to securely

01:25: download it for analysis or inspection. To download a quarantined file, select

01:30: the checkbox relevant to the file and click Fetch file.

01:33: Select the destination for uploading the file; you can upload it to AWS

01:37: S3 or your organization's FTP server.

01:42: To upload a file to S3, select S3, enter a password in the Uploaded

01:46: file password protected field, and then click Fetch.

01:49: You need this password to access the file on the AWS

01:52: S3 server. Note that the file size should be less than 25 megabytes for uploading

01:56: to S3.

01:58: To upload the file to your organization's storage location via FTP,

02:01: select FTP, fill in the server details, login credentials, and

02:05: file path. Set a password to protect your uploaded file, then click 'Fetch' to

02:09: proceed.

02:10: The Restore Quarantined File option lets you recover files that were wrongly flagged as

02:14: threats. It also helps prevent future false detections by allowing exclusions

02:18: to be set.

02:20: Use the multi-select checkboxes to select the files

02:22: you want to restore.

02:24: Select Restore only to return the file to its original location.

02:27: However, if the same file is detected as malicious on any other

02:31: endpoint, it will be quarantined again.

02:34: Select Exclude and Restore to recover the file and add it to Global Exclusions.

02:38: This prevents the file from being flagged as malicious across all endpoints in

02:42: your network.

02:43: Click Proceed to complete the file restoration.

02:46: Deleting a quarantined file permanently removes it from the system.

02:51: Use the multi-select checkboxes to select the files

02:54: you want to delete permanently and click Delete.

02:57: In the Delete file confirmation pop-up that appears, click 'Delete'.

03:02: Once a file is deleted, it cannot be restored.

03:05: Thank you for watching the video.

Benefits

  • Centralized control: View and manage quarantined items across all endpoints from a unified location.

  • Safe investigation: Download and analyze quarantined files in a secure, password-protected format for further examination by SOC analysts.

  • Efficient threat response: Restore or delete files in bulk across impacted devices, swiftly addressing actual threats and false positives.

Viewing Quarantined Files and Applications

The Quarantine Management page shows all quarantined files and applications in two switchable views:

  • View by Files: Each row represents an individual file. Shows file details including name, path, hash, responsible blade, status, and the number of devices where this file was quarantined.

  • View by Devices: Each row represents an individual endpoint. It shows device details, including name, operating system, version, and the total count of quarantined files on that device.

To change the view, click Files or Devices next to View quarantined files.

Column descriptions:

File name

Name of the quarantined file.

File hash

Hash of the quarantined file.

File path

Location of the quarantined file on the device.

Active blade

Security blade that quarantined the file.

For example, Anti-Malware (a component of the Endpoint Security client that protects against known and unknown viruses, worms, Trojan horses, adware, and keystroke loggers), Forensics, or File Protection.

Status on device

Status of the quarantined file.

  • Quarantined

  • Deleted

  • Restored

  • Failure / Error

Devices with files

Names of the other devices that have the same quarantined file.

Quarantined date

Date on which the file was quarantined.

Last action

Recent action taken on the quarantined file.

Last device updated

The date on which the device was last updated. (Appears only in the Devices view.)

Acting on Quarantined Files and Applications

Administrators can take these actions on the quarantined files and applications:

Fetching (downloading) a quarantined file

The Quarantine Management page allows you to download quarantined files for further analysis or inspection while ensuring they are handled securely.

Note - You can fetch only one file at a time.

To fetch a quarantined file:

  1. Choose the quarantined file to download.

  2. Select where you want to upload the file:

    • To upload the file to AWS S3:

      1. Select S3.

      2. In the Uploaded file password protected field, enter a password.

        You need this password to open the file in AWS S3.

      3. Click Fetch.

      Notes -

      • To upload a file to S3, the file size must not exceed 25 MB.

      • The file is retained only for 30 days in S3.

      • You can archive up to 100 MB of files.

    • To upload the file to your corporate FTP server:

      1. Select FTP.

      2. Enter your FTP server details.

      3. In the Password to protect uploaded file field, enter the password.

        You need this password to open the file in the FTP server.

      4. Click Fetch.
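As an added example (not code from the Harmony Endpoint documentation or product), a small Python helper for the fetch workflow above: it checks whether a file's size fits the S3 limit before a destination is chosen, and verifies the downloaded copy against the File hash column before an analyst opens it. It assumes the hash shown in the portal is SHA-256 and that the 25 MB limit means 25 x 1024 x 1024 bytes; both are assumptions, not facts from the page.

```python
import hashlib
from pathlib import Path

# Assumption: the page's 25 MB S3 limit is taken as 25 * 1024 * 1024 bytes.
S3_MAX_BYTES = 25 * 1024 * 1024
S3_RETENTION_DAYS = 30  # from the page: S3 keeps a fetched file for 30 days


def choose_destination(size_bytes: int) -> str:
    """Pick the fetch destination: S3 when the file fits its limit, otherwise FTP."""
    if size_bytes < 0:
        raise ValueError("size_bytes must be non-negative")
    return "S3" if size_bytes <= S3_MAX_BYTES else "FTP"


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large samples never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_fetched_copy(path: Path, portal_hash: str) -> bool:
    """True only when the downloaded copy matches the hash listed in the portal.

    Assumption: the File hash column is SHA-256 (check your own console).
    A mismatch means the copy should not be opened for analysis.
    """
    return sha256_of(path) == portal_hash.strip().lower()


def fetch_plan(path: Path, portal_hash: str) -> dict:
    """Combine both checks into one triage record for a fetched file."""
    size = path.stat().st_size
    return {
        "destination": choose_destination(size),
        "size_bytes": size,
        "hash_ok": verify_fetched_copy(path, portal_hash),
    }
```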

Restoring a quarantined file

Restoring a quarantined file allows an administrator to recover a file that was incorrectly identified as malicious.

Notes -

  • Restore a quarantined file if it was wrongly flagged (a false positive), and only after confirming that the file is safe.

  • To prevent the restored file from being quarantined again, you need to create a global exclusion.

To restore or exclude a quarantined file:

  1. Choose the file to restore using the multi-select checkboxes.

  2. Click Restore.

  3. Select one of these options:

    • To restore a file from quarantine, select Restore only.

      Notes:

      • The system restores the file to the same location from where it was quarantined.

      • If Harmony Endpoint detects the same file as malicious in any other endpoint, it quarantines the file again.

    • To restore a file and also exclude it from quarantine in the future, select Exclude and Restore.

      The system adds an exclusion to the Global Exclusions, which affects all endpoints on the network and ensures that the file is not flagged as malicious again.

  4. Click Proceed to complete the restoration.

    The system sends a push operation to the relevant device.

Deleting a quarantined file

Deleting a quarantined file permanently removes it from the system, ensuring it cannot be restored or executed again. This action is typically used for files identified as confirmed threats, such as malware or spyware.

To delete a quarantined file:

  1. Go to the Quarantine Management page.

  2. Using multi-select checkboxes, select the file you want to delete permanently.

  3. Click Delete.

    In the confirmation pop-up that appears, click OK.

    Note - Once a file is deleted, it cannot be restored.