Managing the Quarantine

Quarantine is a special storage location on the device for files that may be infected with viruses or cannot be disinfected at the time of detection. Quarantine allows isolating a file for further investigation. In contrast to Quarantine, Backup stores backup copies of files that were deleted or modified during the disinfection process. If Kaspersky Endpoint Security detects malicious code in a file, the file is automatically placed in Backup.

The application only uses Quarantine when integrated with Detection and Response solutions to perform recommended threat response actions. When the application is integrated with Kaspersky Endpoint Detection and Response Optimum, you can also manually quarantine files that you consider dangerous for your device.

Quarantined files are stored in an encrypted form and do not threaten the security of the device. Quarantined files may contain personal data.

Some files can be critically important for the operation of the operating system and the application. Quarantining such files can disrupt the operation of the system.

Placing a file in quarantine is possible only if one of the following conditions is met:

The directory for storing quarantined files must be writable.

When integrated with the Kaspersky Endpoint Detection and Response (KATA) component, files can be quarantined using a task that is configured on the Kaspersky Endpoint Detection and Response (KATA) side.

When integrated with the Kaspersky Endpoint Detection and Response Optimum solution, you can quarantine a file in the following ways:

A file may also be quarantined automatically as a result of detection of indicators of compromise.

For more information about managing Quarantine as part of solutions, see the Kaspersky Anti Targeted Attack Platform Help and Kaspersky Endpoint Detection and Response Optimum Help.

You can also manage quarantined files in Kaspersky Security Center or locally on the device using the command line. You can view information about quarantined files, and delete and restore files from quarantine.

To manage quarantined files in Kaspersky Security Center, you need to enable the transfer of data about quarantined files to the Administration Server.

Restoring, deleting, or retrieving a file from Quarantine is available regardless of whether integration with the Kaspersky Endpoint Detection and Response (KATA) component or the Kaspersky Endpoint Detection and Response Optimum solution is enabled, and regardless of whether a policy is applied to the device. Activation of the EDR Optimum component and the Kaspersky Anti Targeted Attack Platform solution also does not affect the ability to perform these actions.

The general list of files quarantined by Kaspersky applications on client devices is kept in Kaspersky Security Center and is available in the Administration Console (Advanced → Repositories → Quarantine) and the Web Console (Operations → Repositories → Quarantine). Kaspersky Security Center does not copy files from Quarantine storages to the Administration Server; all files are stored in Quarantine storages on client devices. For detailed information about managing quarantined files in Kaspersky Security Center, refer to the Kaspersky Security Center Help.

The quarantined file is restored to its original location according to the specified settings. Once the restoration process is complete, the application deletes the quarantined copy of the restored file.

Restoring a file from quarantine fails in the following cases:

Deleting a file from quarantine fails in the following cases:

You can configure quarantine settings on a device using a policy in the Web Console or in the Administration Console or using the command line. You can configure the following Quarantine settings:

In this section

Editing Quarantine settings in the Web Console

Editing Quarantine settings in the Administration Console

Editing Quarantine settings on the command line

Managing quarantined files on the command line

Sending information about quarantined files to Kaspersky Security Center
