Tags
malware activity virus scope autoruns Proxy servers fallback flag Inactive discovered devices SNMP Apple Device Enrollment Program set up service explorer manually deploy Comodo EDR agent parent process multiple ticket selection selected tickets security events folder transfer discoveries network management remote folder TLS TLS1.2 pci dss pci compliance ITarian Portal Endpoint Manager vdi environment vdi clone environment instant clone documentation vendor notice security dashboard events resolution remote tool partner onboard itarian unknown file hunter TLS Encryption procedure parameters pass profiles history performance metrics real time remote endpoints download browse service URL Security Components system Global Software Inventory 2 minutes Integrate intagrate Active Directory Portable Interception SSL enable reporting Rule Threat Protection Rule Advance spam Customize archived outgoing incoming administrator validate domains add Antispam type PCI data loss Location Network information start software session extensions appoinments resource connection computers Comodo Rescue Disk infected opportunity opportunities custom relationship management quote COMODO-CRM protect mac device email notifications registry COM Quarantined point system restore msi contained applications processes security client events Release date department registration particular os section Two Factor Authentication Login interface dashboard report generate Direct Download Link One drive Google drive HIPS mode cleanup automatic suspicious suspicious certificates shellcode injection detect Elevated Access system user access default charging groups move current malware list store push IP address ip installer acronis auto-remediation server machine icon Product Logos Rebrand backup Device Control data Chromoting WebRTC ports Protocol skip offline manual time entries ticket assignee Help Guide Tour schedule Reschedule appointment unknown application protection virtual desktop Local Verdict server manage calculation cost configuration charging SD contract prepaid hours products classification inventory analyze Device list OS patches global search bar Tool bar Windows Defender Security Center file group white Citrix record SPF work billable time onsite email template template variables emails Gmail SMTP disable Add collaborators admin action Audit logs feature requests submit vote remotely Reset proxy swg secure web gateway dome error disk ticket detail page thread section tickets section internal notes Sub-help topic help topic features Application control white_list Patch Management child parent scheduled customized get to headers columns company restrict customer technician remote access list iOS devices field Reports iOS device APN Certificate MAC OS X options Linux block Comodo Client Communication (CCC) allow Comodo Client Security (CCS) network zones active component tray icon hide show packages additional install block port baseline installation package bulk implement restrict firewall endpoints security and communication global export virus import Database folders files define exclusions change staff admin rating check reassign assign permissions new role create for user of device enroll associated use how profile specific Removing Devices Uninstall windows profile Configuration templates latest version clients comodo file ratings monitoring custom All Devices Ratings Track widgets Agent valkyrie malware files Kill chain report automated establishing endpoint remote session Users prevent Android organization windows assets Mac OS billing identified threats Sort Closed inside Program executed containment service desk remote control Locally runs update scan antivirus SLA Business Hours control CCS Password access Client Auto Specific Device Response Application Third party Status View Logs intended devices alert fails Company Information Configure Verdict Patch Procedures Executable Comodo Internet Security ITSM Analysis Command Line Heuristic Filter Unrecognized Trusted File Rate Malicious Purge Calendar Device Exclusion USB Admin Panel Settings ticket Default system-wide Specific Path Details Monitor Multi Set Currency Connected Who Quick Actions Comparison Version Enterprise Managed Service Provider C1 Portal Remote management Comodo Remote Control ticket management staff panel assign tickets
More

How to manage quarantined items in Endpoint Manager

Release Time
02/22/2018
Views
1280 times
Category
Security Sub-System
Tags

Open Endpoint Manager > Click 'Security Sub-Systems' > 'Antivirus' > 'Quarantined Files' tab

  • Comodo Client Security (CCS) neutralizes any threats it discovers by placing them in quarantine on an endpoint.
     
  • Quarantine is a secure holding area for potentially dangerous files. All quarantined files are encrypted, so they cannot run or cause harm to the computer.
     
  • You can review all quarantined files on your network from the Endpoint Manager interface. You can restore them, delete them, change their trust rating, or submit them to Valkyrie.
     
    • Valkyrie is an advanced file analysis service designed to establish the trust rating of unknown files. The service runs a battery of dynamic and static tests on a file to determine whether or not it is malware
       
  • This article explains how to use the Endpoint Manager to review and manage quarantined files.

How do items get quarantined?

Open the quarantine area

Restore items to their original location

Delete quarantined items

Assign a new trust rating to an item

Manage quarantine locally instead

How do items get quarantined?

  1. Because of settings in the ‘Antivirus’ section of the device profile
     
    • Real Time Scan Settings - ‘Show antivirus alerts' is disabled with 'Quarantine Threats' is set as the default action

      … or ‘Show antivirus alerts' is enabled, and the end-user quarantined the threat at an alert.
       
    • On-demand scan settings - 'Automatically clean threats' is enabled and 'Quarantine' is set as the action.
       
  2. Because an admin or end-user manually moved the threat into quarantine. This may have been done in Endpoint Manager, or locally at the endpoint.

Open the quarantined items area

  • Log into ITarian
     
  • Click ‘Applications’ > ‘Endpoint Manager’
     
  • Click 'Security Sub-Systems' > 'Quarantine Files'
     
  • The interface shows every quarantined item on all Windows, Linux and Mac devices. Click the funnel icon on the right to filter the list.



     
  • Each row represents an individual file. The same file might be quarantined on multiple machines.
     
  • Click the number in the ‘Devices...’ column to view all devices on which the file is quarantined. You can also apply actions to individual devices from this screen, rather than to every device:



 

Click the following links for more help:

Restore items to their original location

Delete quarantined items

Assign a new trust rating to an item

Manage quarantine locally instead

Restore items to their original location

You may want to restore an item if you think it is a false-positive. False-positives are files that you deem as safe, but which CCS has quarantined as malware.

  • Click 'Security Sub-Systems' > 'Antivirus' > 'Quarantined Files'
     
  • Select the items that you want to restore. Click the funnel icon on right to search for specific files
    .
  • Click 'Restore File on Devices' from the options at the top.



     
  • This will restore the item to its original location on every device.
     
  • If you only want to restore the file on specific devices, then click the number in the ‘Devices...’ column. The device list screen lets you restore items on individual devices.
     
  • Note – Even though you have restored the file, it will still get flagged as a threat by the next virus scan. If you want to avoid this then choose ‘Rate as trusted’ instead. This will restore the file AND make sure it isn’t flagged by future virus scans.

Delete quarantined items

If you have reviewed a quarantined file and confirmed it is malware, then you should delete it from the device.

  • Click 'Security Sub-Systems' > 'Antivirus' > 'Quarantined Files'
     
  • Select the items that you want to delete. Click the funnel icon on right to search for specific items.
     
  • Click 'Delete File from Devices' from the options at the top:


     

    Click 'Confirm' in the confirmation dialog.

  • The file will be removed from every device on which it was quarantined.
     
  • If you only want to delete the file from specific devices, then click the number in the ‘Devices...’ column instead. The device list screen lets you remove items from individual devices.

Assign a new trust rating to an item

A file rating determines how CCS interacts with a file on an endpoint.

  • Click 'Security Sub-Systems' > 'Antivirus' > 'Quarantined Files'
     
  • Select the items whose rating you want to change. Click the funnel icon on right to search for specific items.

You can change the rating of a file with the buttons highlighted in the following screenshot:


 

Rate as Unrecognized

  • The file is restored to its original location on the device and given a trust rating of ‘Unrecognized’.
     
  • The file will run in the container the next time it executes. Files in the container are isolated from the rest of the endpoint so it cannot cause any damage.

Rate as Trusted

  • The file is restored to its original location on the device and given a trust rating of ‘Trusted’.
     
  • Trusted files are considered safe by CCS and are allowed to run as normal. Trusted files will not get flagged as a threat by future virus scans.

Rate as Malicious

  • The file will remain in quarantine on the device with a trust rating of ‘Malicious’.

The file will remain in the list of quarantined items in Endpoint Manager. If you want to remove the item entirely, then choose ‘Delete file from device’ instead.

Click ‘OK’ to apply your changes.

This will apply the trust rating to the file on every device. If you only want to change the file’s rating on specific devices, then click the number in the ‘Devices...’ column. The device list lets you apply ratings to files on individual devices.

Manage quarantine locally instead

As an alternative to managing quarantined files via Endpoint manager, you can manage them locally in the Comodo Client Security (CCS) interface.

  • Windows CCS - Click 'Tasks' > 'General Tasks' > 'View Quarantine'
     
  • Linux and Mac CCS - Click 'Antivirus' > 'Quarantined Items'

CCS lets you perform similar actions on quarantined files as those described in this article.

See https://wiki.itarian.com/frontend/web/topic/how-to-manage-quarantined-files-in-ccs for help on this.

Further reading

Manage quarantine locally in Comodo Client Security

 

View and Manage Quarantined Items

How to view and manage unprocessed malware on your endpoints