Managing the Quarantine

Quarantine is a special storage location on the device for files that may be infected with viruses or cannot be disinfected at the time of detection. Quarantine allows isolating a file for further investigation. In contrast to the Quarantine, Backup stores backup copies of files that were deleted or modified during the disinfection process. If Kaspersky Industrial CyberSecurity for Linux Nodes detects malicious code in a file, such a file is automatically placed in Backup.

The application only uses Quarantine when integrated with Detection and Response solutions to perform recommended threat response actions. When the application is integrated with Kaspersky Industrial CyberSecurity Endpoint Detection and Response, you can also manually quarantine files that you consider dangerous for your device.

Quarantined files are stored in an encrypted form and do not threaten the security of the device. Quarantined files may contain personal data.

Quarantining files

Some files can be critically important for the operation of the operating system and the application. Quarantining such files can disrupt the operation of the system.

You cannot quarantine System Critical Objects (SCO). SCOs include files that are necessary for the operation of the operating system and the Kaspersky Industrial CyberSecurity for Linux Nodes application.

A file can be placed in Quarantine if the following conditions are met:

• The application is integrated with Kaspersky Industrial CyberSecurity Endpoint Detection and Response and/or with Kaspersky Industrial CyberSecurity for Networks.
• The ICS EDR component is activated.

When integrating with Kaspersky Industrial CyberSecurity for Networks, a security officer can use the information about files sent to Kaspersky Industrial CyberSecurity for Networks to send a command to quarantine a file to Kaspersky Industrial CyberSecurity for Linux Nodes using the Kaspersky Industrial CyberSecurity for Networks console. The security officer can also send a command to Kaspersky Industrial CyberSecurity for Linux Nodes to restore a quarantined file.

When integrated with Kaspersky Industrial CyberSecurity Endpoint Detection and Response, you can quarantine a file in the following ways:

• Create and run a Quarantine File task in the Web Console.
• Run the Quarantine management command on the device.
• Follow the recommendation from the alert details.
• A file may also be quarantined automatically as a result of detection of indicators of compromise.

The directory for storing quarantined files must be writable.

The application does not quarantine files larger than 100 MB

Managing quarantined files

You can manage quarantined files:

• In Kaspersky Security Center, in the common list of files quarantined by Kaspersky applications.

  To manage quarantined files in Kaspersky Security Center, you need to enable the transfer of data about quarantined files to the Administration Server.

• Locally on the device using the command line.

You can view information about quarantined files, and delete and restore files from quarantine.

Restoring, deleting, and retrieving a file from Quarantine is available regardless of whether integration with Detection and Response solutions is enabled, and regardless of whether a policy is applied to the device.

The general list of files quarantined by Kaspersky applications on client devices is kept in Kaspersky Security Center and is available in the Administration Console (Advanced → Repositories → Quarantine) and the Web Console (Operations → Repositories → Quarantine). Kaspersky Security Center does not copy files from Quarantine storages to the Administration Server; all files are stored in Quarantine storages on client devices. For detailed information about managing quarantined files in Kaspersky Security Center, refer to the Kaspersky Security Center Help.

The quarantined file is restored to its original location according to the specified settings. Once the restoration process is complete, the application deletes the quarantined copy of the restored file.

Restoring a file from quarantine fails in the following cases:

• The file to be restored was not found in the quarantine storage.
• The name of the file being restored is specified incorrectly or with the wrong case.
• The file ID was specified incorrectly.
• The destination folder has been deleted, moved, renamed, or you do not have access rights to it.

  In this case, the application moves the file to the folder /var/opt/kaspersky/kics/common/restored/. You can manually move the file from this folder to the desired folder.

• A file with the same name already exists at the specified path.
• The device does not have enough space.

Deleting a file from quarantine fails in the following cases:

• The file to be deleted was not found in the quarantine storage.
• The name of the file being deleted is specified incorrectly or with the wrong case.
• The file ID was specified incorrectly.

Managing Quarantine settings

You can configure quarantine settings on a device using a policy in the Web Console or in the Administration Console or using the command line. You can configure the following Quarantine settings:

• The percentage of Quarantine that must be full to generate an event about Quarantine being full. By default, an event is generated when the Quarantine is 90% full.
• Maximum size of the Quarantine in megabytes. When the maximum Quarantine size is reached, the application automatically deletes the oldest quarantined files. By default, the maximum quarantine size is 200 MB.

In this section Quarantining a file using the Web Console Editing Quarantine settings in the Web Console Editing Quarantine settings in the Administration Console Editing Quarantine settings on the command line Managing quarantined files on the command line Sending information about quarantined files to Kaspersky Security Center

Page top