Move file to Quarantine

When reacting to threats, Kaspersky Endpoint Detection and Response can create Move file to Quarantine tasks. This is necessary to minimize the consequences of the threat. Quarantine is a special local storage on the computer. Users can quarantine files that they consider dangerous to the computer. Quarantined files are stored in an encrypted state and do not threaten the security of the device. Kaspersky Endpoint Security uses Quarantine only when working with Detection and Response solutions: EDR Optimum, EDR Expert, KATA (EDR), Kaspersky Sandbox. In other cases Kaspersky Endpoint Security places the relevant file in Backup. For details on managing Quarantine as part of these solutions, please refer to the Kaspersky Sandbox Help, Kaspersky Endpoint Detection and Response Optimum Help, Kaspersky Endpoint Detection and Response Expert Help, and Kaspersky Anti Targeted Attack Platform Help.

You can create Move file to Quarantine tasks in the following ways:

The Move file to Quarantine task has the following limitations:

  1. The file size must not exceed 100 MB.
  2. System Critical Objects (SCO) cannot be quarantined. SCOs are files that the operating system and the Kaspersky Endpoint Security for Windows application require to be able to run.
  3. You can configure the task for EDR Optimum in Web Console and Cloud Console. Task settings for EDR Expert are available only in Cloud Console.

To create a Move file to Quarantine task:

  1. In the main window of the Web Console, select Devices → Tasks.

    The list of tasks opens.

  2. Click Add.

    The Task Wizard starts.

  3. Configure the task settings:
    1. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.7).
    2. In the Task type drop-down list, select Move file to Quarantine.
    3. In the Task name field, enter a brief description.
    4. In the Select devices to which the task will be assigned block, select the task scope.
  4. Select devices according to the selected task scope option. Click Next.
  5. Enter the account credentials of the user whose rights you want to use to run the task. Click Next.

    By default, Kaspersky Endpoint Security starts the task as the system user account (SYSTEM).

  6. Finish the wizard by clicking the Finish button.

    A new task will be displayed in the list of tasks.

  7. Click the new task.

    The task properties window opens.

  8. Select the Application settings tab.
  9. In the list of files, click Add.

    The file adding wizard starts.

  10. To add the file, enter either the full path to the file, or both the file hash and the path.

    If the file is located on a network drive, enter the file path starting with \\, not with the drive letter. For example, \\server\shared_folder\file.exe. If the file path contains a network drive letter, the task may return a File not found error.

  11. In the task properties window, select the Schedule tab.
  12. Configure the task schedule.

    Wake-on-LAN is not available for this task. Make sure the computer is turned on to run the task.

  13. Click the Save button.
  14. Select the check box next to the task.
  15. Click Start.

As a result, Kaspersky Endpoint Security moves the file to Quarantine.

If the file is locked by a different process, the task is displayed as Completed, but the file itself is quarantined only after the computer is restarted. After restarting the computer, confirm that the file is deleted.

The Move file to Quarantine task can finish with the Access denied error if you are trying to quarantine an executable file that is currently running. Create a terminate process task for the file and try again.

The Move file to Quarantine task can finish with the Not enough space in Quarantine storage error if you are trying to quarantine a file that is too large. Empty the Quarantine or make Quarantine larger. Then try again.
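Before filling in the file adding wizard, an operator can check the constraints this page states (the 100 MB limit, the UNC form for files on network shares) and compute the hash to enter beside the path. The script below is an added example written for this page; it is not Kaspersky code and does not talk to the Web Console. The set of mapped network drive letters is an assumption the caller supplies, since detecting mapped drives portably is out of scope, and SHA-256 is an assumed hash algorithm: use whichever hash the wizard asks for.

```python
import hashlib
import os
import re
import tempfile

# Limit stated on the page: a file larger than 100 MB cannot be quarantined.
MAX_QUARANTINE_FILE_BYTES = 100 * 1024 * 1024

_UNC_RE = re.compile(r"^\\\\[^\\/]+\\[^\\/]+")   # \\server\share\...
_DRIVE_RE = re.compile(r"^([A-Za-z]):[\\/]")       # C:\... (or C:/...)


def path_problems(task_path, network_drive_letters=frozenset()):
    """Return problems with the path string the operator is about to type into the wizard.

    network_drive_letters is an assumption of this example: the drive letters the
    caller knows are mapped to network shares. The page says files on shares must be
    given as \\server\share paths, not through the mapped drive letter.
    """
    if _UNC_RE.match(task_path):
        return []                                  # UNC form is what the task expects
    match = _DRIVE_RE.match(task_path)
    if match is None:
        return ["path is neither a UNC path nor an absolute drive-letter path"]
    letter = match.group(1).upper()
    if letter in {d.upper() for d in network_drive_letters}:
        return [f"{letter}: is a mapped network drive; use the \\\\server\\share "
                "form or the task may fail with File not found"]
    return []


def sha256_of_file(local_path, chunk_size=1 << 20):
    """Hash in chunks so a file near the 100 MB limit need not be read into memory at once."""
    digest = hashlib.sha256()
    with open(local_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preflight(task_path, network_drive_letters=frozenset(), local_copy=None,
              max_bytes=MAX_QUARANTINE_FILE_BYTES):
    """Combine the checks. local_copy is an optional path to the same file reachable
    from the machine running this script; without it, size and hash are not checked."""
    result = {"path": task_path, "problems": path_problems(task_path, network_drive_letters),
              "size": None, "sha256": None, "checked_locally": False}
    if local_copy is not None and os.path.isfile(local_copy):
        result["checked_locally"] = True
        result["size"] = os.path.getsize(local_copy)
        if result["size"] > max_bytes:
            result["problems"].append(
                f"file is {result['size']} bytes, above the {max_bytes} byte limit; "
                "the task cannot quarantine it")
        else:
            result["sha256"] = sha256_of_file(local_copy)
    result["ok"] = not result["problems"]
    return result


def run_demo():
    """Constructed inputs: a 5-byte temporary file plus a few path strings."""
    sample = os.path.join(tempfile.mkdtemp(), "sample.bin")
    with open(sample, "wb") as fh:
        fh.write(b"hello")  # constructed content, not a real file from the page
    share_path = r"\\server\shared_folder\file.exe"
    return {
        "local_ok": preflight(share_path, local_copy=sample),
        "local_too_big": preflight(share_path, local_copy=sample, max_bytes=4),
        "unc": path_problems(share_path),
        "mapped_drive": path_problems(r"Z:\shared_folder\file.exe", {"Z"}),
        "local_drive": path_problems(r"C:\Windows\Temp\file.exe", {"Z"}),
        "relative": path_problems("file.exe"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The `local_too_big` case uses a deliberately tiny limit so the over-limit branch can be exercised without writing a 100 MB file; in real use keep the default `MAX_QUARANTINE_FILE_BYTES`.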

You can restore a file from Quarantine or empty the Quarantine using Web Console. You can restore objects locally on the computer using the command line.
