Remotely Managing an Agent's Quarantine Directory

Note: This feature only applies to agents that are configured with a threat task or with Active Protection.

Each agent machine contains a quarantine directory that is used to temporarily store files suspected of containing threats (spyware, viruses, etc.). These threats have been detected and removed by either a threat scan or Active Protection. A file placed into quarantine will stay there for 30 days (the number of days is configurable), after which the file will be permanently deleted.

Placing a file into quarantine gives you and the end user the opportunity to evaluate the file. If you discover that a quarantined file is actually useful to you (for example, an Internet Explorer adware add-on that you happen to like), the file can be restored. It also enables you to determine the name and location of the file, which may help you to identify the origin of the threat.

An agent quarantine directory can be managed two ways:

The Manage Quarantine dialog is displayed. For example:


Refresh

Retrieves the latest quarantine information from the agent machine.

Add exception

Enables you to add the file name of the selected threat(s) to the Always allow list maintained on the Exceptions tab of one or more agent policies. The Always allow list defines specific programs that you always want to run. The policy change will take effect immediately for listening agents or at the next scheduled check-in interval.

Restore

Provides the ability to roll back a threat contained in the agent's quarantine directory. Rolling back a threat restores the machine to the state it was in before the threat was removed. Why would you want to roll back a threat? You may discover that the program inadvertently removed something that the end user found useful (for example, the Google toolbar icon on the Internet Explorer browser).

To restore a single item, select it and then click Restore. To restore multiple items at once, press the Ctrl key while selecting the desired items and then click Restore.

If you restore an item, you should also check to see if the item is contained in either the global or local Never Allow list. If it is in the Never Allow list and you don't remove it, the item will be quarantined again the next time it is detected.

Note: There are two Never Allow lists:
 - The global Never Allow list defined by the administrator in the agent policy
 - The local Never Allow list managed by the user of the agent machine (which is overruled by the global list)

Delete

To delete an item from the quarantine directory, select it and then click Delete. To remove multiple items at once, press the Shift or Ctrl key while selecting the desired items and then click Delete.

Delete All

Deletes all items in the agent's quarantine directory.

Restore selected on all agents

Same as Restore, except that the selected items will be rolled back on ALL agents that contain the threat in their quarantine directory. The Operations Monitor will be displayed and can be used to determine which agents were affected.

Delete selected on all agents

Same as Delete, except that the selected items will be deleted from ALL agents that contain the threat in their quarantine directory. The Operations Monitor will be displayed and can be used to determine which agents were affected.

Right-click commands

You can right-click one or more items and perform the same actions as above. In addition, the following command is available:

Export selected quarantine items to CSV: Export information about the selected items to a Comma Separated Values (CSV) file. The CSV file can then be used within a spreadsheet program.

Trace information

Shows where the threat was located on the agent machine.
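The following is an added example, not code from the product this page documents: a small Python model of the quarantine rules stated above, namely the 30-day retention window, the check an administrator should make against the global and local Never Allow lists before restoring an item (with the global list taking precedence), and the CSV export of selected items including their trace information. All class and function names, field names, hostnames, file paths and list contents are constructed assumptions.

```python
"""Constructed model of the quarantine rules described on this page.

Added example, not the product's code. Every name, field and sample value
below is an assumption made for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class QuarantineItem:
    name: str              # threat (file) name as shown in the dialog
    trace: str             # where the file was located on the agent machine
    quarantined_at: datetime
    agent: str             # hypothetical agent hostname


def expired_items(items, now, retention_days=30):
    """Return items older than the retention window (30 days by default)."""
    cutoff = now - timedelta(days=retention_days)
    return [i for i in items if i.quarantined_at < cutoff]


def never_allow_sources(name, global_never_allow, local_never_allow):
    """List which Never Allow lists still contain the item's file name.

    Matching is case-insensitive because Windows file names are. A restored
    item that is still on either list will be quarantined again the next
    time it is detected; the global list (set in the agent policy) overrules
    the local one, so clearing only the local entry is not enough when the
    name is also listed globally.
    """
    lname = name.lower()
    hits = []
    if any(lname == n.lower() for n in global_never_allow):
        hits.append("global")
    if any(lname == n.lower() for n in local_never_allow):
        hits.append("local")
    return hits


def restore(item, items, global_never_allow, local_never_allow):
    """Take the item out of quarantine; also return the lists that would re-quarantine it."""
    remaining = [i for i in items if i != item]
    return remaining, never_allow_sources(item.name, global_never_allow, local_never_allow)


def export_csv(selected):
    """Export the selected items to CSV text (header row plus one row per item)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["agent", "name", "trace", "quarantined_at"])
    for i in selected:
        writer.writerow([i.agent, i.name, i.trace, i.quarantined_at.isoformat()])
    return buf.getvalue()


# Constructed sample data: hypothetical hosts, paths, names and list contents.
NOW = datetime(2024, 6, 1, 12, 0, 0)
SAMPLE = [
    QuarantineItem("toolbar.dll", r"C:\Program Files\Example\toolbar.dll",
                   NOW - timedelta(days=3), "WKS-01"),
    QuarantineItem("dropper.exe", r"C:\Users\Public\dropper.exe",
                   NOW - timedelta(days=45), "WKS-01"),
]
GLOBAL_NEVER_ALLOW = ["dropper.exe", "toolbar.dll"]
LOCAL_NEVER_ALLOW = ["toolbar.dll"]

if __name__ == "__main__":
    for old in expired_items(SAMPLE, NOW):
        print(f"purge after retention: {old.name}")
    remaining, hits = restore(SAMPLE[0], SAMPLE, GLOBAL_NEVER_ALLOW, LOCAL_NEVER_ALLOW)
    if hits:
        print(f"{SAMPLE[0].name} restored but still on Never Allow list(s): {', '.join(hits)}")
    print(export_csv(remaining))
```

Running the block shows the 45-day-old item being selected for purge, the restored item flagged as still present on both Never Allow lists, and the remaining item exported as CSV with its trace path, which is the check L29 asks for before a restore is considered final.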