Clarify options for managing quarantined files
natasha-moore-elastic committed Aug 31, 2023
1 parent 6d6f7f4 commit ad7ecd7
Showing 1 changed file with 10 additions and 2 deletions.
12 changes: 10 additions & 2 deletions docs/getting-started/configure-integration-policy.asciidoc
Expand Up @@ -70,6 +70,13 @@ Malware protection also allows you to manage a blocklist to prevent specified ap
extending the list of processes that {elastic-defend} considers malicious. Use the **Blocklist enabled** toggle
to enable or disable this feature for all hosts associated with the integration policy. To configure the blocklist, refer to <<blocklist>>.

[role="screenshot"]
image::images/install-endpoint/malware-protection.png[Detail of malware protection section.]

[discrete]
[[manage-quarantined-files]]
=== Manage quarantined files

When *Prevent* is enabled for malware protection, {elastic-defend} will quarantine any malicious file it finds. Specifically {elastic-defend} will remove the file from its current location, encrypt it with the encryption key `ELASTIC`, move it to a different folder, and rename it as a GUID string, such as `318e70c2-af9b-4c3a-939d-11410b9a112c`.

The quarantine folder location varies by operating system:
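Review bot: the new "Manage quarantined files" paragraph states that the file is encrypted with the key `ELASTIC` but not what that encryption is for, so a reader may assume it protects the file's confidentiality even though the key is printed in the docs. Consider adding one clause on the purpose of encrypting with a fixed, documented key, whatever that purpose is, so the published key is not misread as a secret. Minor style point in the same paragraph: "Specifically {elastic-defend} will remove the file" needs a comma after "Specifically".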
Expand All @@ -81,8 +88,9 @@ The quarantine folder location varies by operating system:

To restore a quarantined file to its original state and location, <<add-exceptions, add an exception>> to the rule that identified the file as malicious. If the exception would've stopped the rule from identifying the file as malicious, {elastic-defend} restores the file.

[role="screenshot"]
image::images/install-endpoint/malware-protection.png[Detail of malware protection section.]
You can access a quarantined file by using the `get-file` <<response-action-commands,response action command>> in the response console. To do this, copy the path from the alert's **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the expandable flyout. Then paste the value into the `--path` parameter. This action doesn't restore the file to its original location, so you will need to do this manually.

NOTE: Response actions and the response console UI are https://www.elastic.co/pricing[Enterprise subscription] features.

[discrete]
[[ransomware-protection]]
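Review bot: the added `get-file` paragraph says the action does not restore the file and that the user "will need to do this manually", but it does not say what form the retrieved file is in. The section above states that a quarantined file is encrypted with the key `ELASTIC` and renamed to a GUID, so if `get-file` returns that quarantined copy, restoring it manually involves more than moving it back to its original path; state whether the retrieved file is the encrypted GUID-named copy or the original content. A one-line example of the command with the copied value would also help, e.g. `get-file --path <value of file.Ext.quarantine_path>`.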
