Managing file quarantine
When a malicious operation occurs in your pool, SES Evolution makes it possible to detect suspicious files and quarantine them while they are being analyzed. Quarantined files can no longer be run, or cause any damage to the workstation. After the analysis, if the files are found to be harmless, you can restore them to their original location.
You can establish a list of folders to exclude. The files that they contain will be protected from quarantine.
Quarantine and restore operations are logged in Agent logs.
You need to hold the Remediation-Modify permission to quarantine and restore files.
- Select the Responses > Quarantine menu and click on the Parameters tab.
  In the Predefined exclusions section, some system folders are excluded by default, as it would be inappropriate to quarantine their content. Folders are displayed in the form of EsaRoots variables.
- Click on Edit in the upper banner.
- Under Custom exclusions, enter the path to the folder containing the content you wish to protect. Generic characters are not allowed.
- Enable the Recursive option if the content of sub-folders needs to be protected as well.
- In the Owner field, if necessary, select one of the Windows groups that owns the file, or enter a specific SID.
- Click on to validate the line.
- Add as many paths as needed and click on Save.
You can temporarily disable exclusions by unselecting the checkboxes on the left side of the lines.
Files can be quarantined:
- Automatically, when a protection rule that you have configured is triggered. For more information on rule configuration, refer to Defining access control rules.
- Manually, during remediation. For more information, see the section Managing remediation tasks.
Files located on a network share will not be quarantined.
During quarantine, files will be moved to the agent's local folder: C:\ProgramData\Stormshield\SES Evolution\Agent\Quarantine. Access to this folder is not allowed, even to administrators, and the files that it contains are encrypted.
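The exclusion settings above (path, Recursive option, Owner field, enable checkbox) and the network-share rule, as an added example in Python. This is not Stormshield's code and not SES Evolution's implementation: it models an exclusion as a literal, wildcard-free folder path compared case-insensitively as on Windows, treats a UNC path as a network share, and the `Exclusion` class, `is_excluded`, `is_network_share` and `quarantine_decision` names, as well as the sample settings, are the example's own.

```python
"""Added example (not Stormshield code): a model of the quarantine
exclusion settings. Assumptions: exclusions are literal folder paths with
no generic characters, compared case-insensitively as on Windows; the
Recursive flag widens a match to sub-folders; the Owner field restricts a
match to files owned by a given SID; a UNC path is a network share."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class Exclusion:
    folder: str                      # literal path entered under Custom exclusions
    recursive: bool = False          # the Recursive option
    owner_sid: Optional[str] = None  # the Owner field (group or specific SID)
    enabled: bool = True             # the checkbox on the left of the line


def has_generic_characters(path: str) -> bool:
    """Generic characters are not allowed in an exclusion path."""
    return any(c in path for c in "*?")


def _norm(path: str) -> PureWindowsPath:
    # Windows file systems compare names case-insensitively
    return PureWindowsPath(path.lower())


def is_excluded(file_path: str, file_owner_sid: str, exclusions) -> bool:
    """True if some enabled exclusion shields file_path from quarantine."""
    target = _norm(file_path)
    for ex in exclusions:
        if has_generic_characters(ex.folder):
            raise ValueError(f"generic characters are not allowed: {ex.folder}")
        if not ex.enabled:
            continue
        base = _norm(ex.folder)
        # non-recursive: only direct children; recursive: any depth below base
        in_scope = base in target.parents if ex.recursive else target.parent == base
        if not in_scope:
            continue
        if ex.owner_sid and ex.owner_sid.upper() != file_owner_sid.upper():
            continue
        return True
    return False


def is_network_share(file_path: str) -> bool:
    """UNC paths (\\\\server\\share\\...) denote network shares."""
    return PureWindowsPath(file_path).drive.startswith("\\\\")


def quarantine_decision(file_path: str, file_owner_sid: str, exclusions) -> str:
    """Return 'quarantine', 'skip:network-share' or 'skip:excluded'."""
    if is_network_share(file_path):
        return "skip:network-share"
    if is_excluded(file_path, file_owner_sid, exclusions):
        return "skip:excluded"
    return "quarantine"


# Constructed sample settings, not taken from a real SES Evolution console.
SAMPLE_EXCLUSIONS = [
    Exclusion(r"C:\Tools"),                                             # direct children only
    Exclusion(r"D:\Builds", recursive=True, owner_sid="S-1-5-32-544"),  # Administrators-owned, any depth
    Exclusion(r"C:\Temp", recursive=True, enabled=False),               # temporarily disabled
]

if __name__ == "__main__":
    for path, owner in [
        (r"C:\Tools\run.exe", "S-1-5-21-1-2-3-1001"),
        (r"C:\Tools\sub\run.exe", "S-1-5-21-1-2-3-1001"),
        (r"D:\Builds\x\y.dll", "S-1-5-32-544"),
        (r"\\fileserver\share\doc.exe", "S-1-5-32-544"),
    ]:
        print(path, "->", quarantine_decision(path, owner, SAMPLE_EXCLUSIONS))
```

The non-recursive exclusion on `C:\Tools` protects `C:\Tools\run.exe` but not `C:\Tools\sub\run.exe`; the owner-restricted exclusion on `D:\Builds` only applies to files owned by the given SID; the disabled line has no effect; and a UNC path is skipped before exclusions are even consulted.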
- Select the Responses > Quarantine menu and the General tab to display the list of quarantined files.
- If necessary, use the Quarantine status and Agent group filters to narrow down the list. The statuses can either be Quarantined or Pending restoration.
- Select a file in the list to display information on the file and the agent concerned in the panel on the right.
After the analysis, if you consider the file harmless and a false positive:
- Add an exception on the log and deploy the changes on all agents, so that the file will no longer be detected as malicious.
- Restore it to its original location. The file will be restored exactly as it was, with the same ACLs and the same alternate data streams.
To restore the file:
- Select the Responses > Quarantine menu and the General tab.
- Right-click on the file to restore and select Restore selection.
  The Restore quarantined files window appears. All quarantined files with the same hash will be listed and selected for restoration.
- Enable the Overwrite existing file option if the same file already exists in the original location and you wish to replace it.
- If necessary, use the search field or the Quarantine status and Agent group filters to narrow down the list. The statuses can either be Quarantined or Pending restoration.
- Unselect any files that you would like to keep quarantined. All files with the same hash will always be restored at the same time to their respective locations.
- Click on Restore.
A restoration task will be created and the status of the files will switch to Pending restoration. The files will then be moved from the quarantine repository to their original locations, and disappear from the Quarantine panel.
Files are kept in the quarantine repository for 40 days before they are automatically deleted. In addition, if the volume of the quarantine repository exceeds 1 GB, the oldest files will be automatically deleted to make space for new files.
You can also choose to manually remove files from the Quarantine panel. In this case, the files will no longer be displayed, but will remain on disk in the quarantine repository. They will then be automatically deleted after 40 days, or if the 1 GB limit is exceeded.
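The retention rules above (40-day age limit, 1 GB size limit with oldest-first deletion, and manual removal from the panel that leaves the file on disk), as an added example in Python written for this page; it is not Stormshield's code. The `QuarantinedFile` class and the `files_to_purge` and `panel_view` functions are the example's own names, the sample repository is constructed, and reading "1 GB" as 1024**3 bytes is an assumption.

```python
"""Added example (not Stormshield code): a model of the quarantine
repository's retention rules. Assumptions: each entry is known by its hash,
size and quarantine time; entries older than 40 days are deleted; while the
repository exceeds 1 GB (taken here as 1024**3 bytes) the oldest entries are
deleted first; removing an entry from the panel hides it but keeps the file
on disk, so hidden entries still count toward the size limit."""
from dataclasses import dataclass
from datetime import datetime, timedelta

RETENTION_DAYS = 40
MAX_REPOSITORY_BYTES = 1024 ** 3  # "1 GB"; the exact unit is an assumption
MIB = 1024 ** 2


@dataclass
class QuarantinedFile:
    sha256: str                      # all copies of one file share this hash
    size_bytes: int
    quarantined_at: datetime
    hidden_from_panel: bool = False  # removed from the panel, still on disk


def files_to_purge(repo, now):
    """Return hashes of entries to delete: expired ones first, then the
    oldest survivors until the repository fits within the size limit."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    purge = [f.sha256 for f in repo if f.quarantined_at < cutoff]
    survivors = sorted((f for f in repo if f.quarantined_at >= cutoff),
                       key=lambda f: f.quarantined_at)
    total = sum(f.size_bytes for f in survivors)
    while total > MAX_REPOSITORY_BYTES and survivors:
        oldest = survivors.pop(0)   # evict the oldest entry to make room
        purge.append(oldest.sha256)
        total -= oldest.size_bytes
    return purge


def panel_view(repo, now):
    """Hashes still shown in the Quarantine panel after purging."""
    gone = set(files_to_purge(repo, now))
    return [f.sha256 for f in repo
            if f.sha256 not in gone and not f.hidden_from_panel]


# Constructed sample repository; the hashes are placeholders, not real IoCs.
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE_REPO = [
    QuarantinedFile("hash-a", 10 * MIB, NOW - timedelta(days=45)),
    QuarantinedFile("hash-b", 700 * MIB, NOW - timedelta(days=20), hidden_from_panel=True),
    QuarantinedFile("hash-c", 600 * MIB, NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    print("purged:", files_to_purge(SAMPLE_REPO, NOW))
    print("still in panel:", panel_view(SAMPLE_REPO, NOW))
```

In the sample, `hash-a` is deleted because it is older than 40 days; the two remaining entries total 1300 MiB, so the older of them (`hash-b`, already hidden from the panel) is evicted to bring the repository under the limit, leaving only `hash-c` both on disk and in the panel.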
- Select the Responses > Quarantine menu and the General tab.
- Right-click on the file you want to delete, and select Delete selection.
- Confirm deletion.
The file will no longer appear in the list.
Quarantined files will automatically be deleted when the SES Evolution agent is uninstalled.