When reacting to threats, Kaspersky Endpoint Detection and Response can create Move file to Quarantine tasks. This is necessary to minimize the consequences of the threat. Quarantine is a special local storage on the computer. The user can quarantine files that they consider dangerous for the computer. Quarantined files are stored in an encrypted state and do not threaten the security of the device. Kaspersky Endpoint Security uses Backup as the file storage. For details on managing Quarantine as part of solutions, please refer to the Kaspersky Endpoint Detection and Response Optimum Help.
You can create Move file to Quarantine tasks in the following ways:
In alert details (only for EDR Optimum).
Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details include, for example, the history of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help.
Using the Task Wizard.
You must enter the file path or hash (SHA256 or MD5), or both the file path and the file hash.
The Move file to Quarantine task has the following limitations:
The file size must not exceed 100 MB.
System Critical Objects (SCO) cannot be quarantined. SCOs are files that the operating system and the Kaspersky Endpoint Security for Mac application require to be able to run.
You can configure the task for EDR Optimum in Web Console.
The Backup capacity is limited by the free disk space.
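The input rules and the size limit above can be checked before an entry is submitted to the task. The following is an added example, not Kaspersky code: the function names are hypothetical, and it assumes that "100 MB" means 100 × 1024 × 1024 bytes and that the file, when present, is readable on the machine where the check runs.

```python
import hashlib
import os
import re

# Assumption: the page's "100 MB" limit is read as 100 * 1024 * 1024 bytes.
MAX_QUARANTINE_BYTES = 100 * 1024 * 1024
HASH_PATTERNS = {"SHA256": re.compile(r"^[0-9a-fA-F]{64}$"),
                 "MD5": re.compile(r"^[0-9a-fA-F]{32}$")}


def hash_kind(value):
    """Return 'SHA256' or 'MD5' for a well-formed hex digest, else None."""
    for kind, pattern in HASH_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None


def file_digest(path, kind):
    """Hash the file in chunks so large files are not read into memory."""
    h = hashlib.new(kind.lower())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preflight(path=None, file_hash=None):
    """Return a list of problems; an empty list means the entry is ready to submit."""
    problems = []
    if not path and not file_hash:
        return ["enter a file path, a hash (SHA256 or MD5), or both"]
    kind = hash_kind(file_hash) if file_hash else None
    if file_hash and kind is None:
        problems.append("hash is not a SHA256 or MD5 hex digest")
    if path and not os.path.isabs(path):
        problems.append("path is not a full (absolute) path")
    # Size and hash checks only apply when the file is readable on this machine.
    if path and os.path.isfile(path):
        if os.path.getsize(path) > MAX_QUARANTINE_BYTES:
            problems.append("file exceeds the 100 MB task limit")
        if kind and file_digest(path, kind) != file_hash.lower():
            problems.append("hash does not match the file at this path")
    return problems
```

A mismatch between the path and the hash usually means the file was replaced or the indicator was copied from a different alert, so it is worth resolving before the task runs.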
To create a Move file to Quarantine task:
In the main window of the Web Console, select Devices > Tasks.
The list of tasks opens.
Click Add.
The New task wizard starts.
Configure the task settings:
In the Application drop-down list, select Kaspersky Endpoint Security for Mac (12.1).
In the Task type drop-down list, select Move file to Quarantine.
In the Task name field, enter a brief description.
The task is assigned to devices included in an administration group. You can specify one of the existing groups or create a new one.
For example, you may want to use this option to run a task of sending a message to users if the message is specific for devices included in a specific administration group.
If a task is assigned to an administration group, the Security tab is not displayed in the task properties window because group tasks are subject to the security settings of the groups to which they apply.
You can specify NetBIOS names, DNS names, IP addresses, and IP subnets of devices to which you want to assign the task.
You may want to use this option to execute a task for a specific subnet. For example, you may want to install a certain application on devices of accountants or to scan devices in a subnet that is probably infected.
The task is assigned to devices included in a device selection. You can specify one of the existing selections.
For example, you may want to use this option to run a task on devices with a specific operating system version.
Select devices according to the selected task scope option.
At the Task scope step, specify an administration group, devices with specific addresses, or a device selection.
The available settings depend on the option selected at the previous step.
In the list of files, click Add.
The file adding wizard starts.
In the Specify the file to move to Quarantine drop-down list, select one of the options and fill in the required fields. To add the file, you must enter the full path to the file, or both the file hash and the path.
Enter the account credentials of the user whose rights you want to use to run the task. Click Next.
Note: By default, Kaspersky Endpoint Security starts the task as the system user account (root).
At the Finish task creation step, click the Finish button to create the task and close the wizard.
If you enabled the Open task details when creation is complete option, the task settings window opens. In this window, you can check the task parameters, modify them, or configure a task start schedule, if necessary.
Click the new task.
The task properties window opens.
Select the Schedule tab.
Configure the task schedule.
Note: Make sure the computer is turned on to run the task.
Click the Save button.
To run the task immediately regardless of the configured schedule, do the following:
Select the checkbox next to the task.
Click the Run button.
As a result, Kaspersky Endpoint Security moves the file to Quarantine.
The Move file to Quarantine task can finish with the Access denied error if you are trying to quarantine an executable file that is currently running. Create a terminate process task for the file and try again.
The Move file to Quarantine task can finish with the Not enough space in Quarantine storage error if you are trying to quarantine a file that is too large. Free up disk space and try again.