Managing the Quarantine

Quarantine is a special storage location on the device for files that may be infected with viruses or cannot be disinfected at the time of detection. Quarantine allows isolating a file for further investigation. Quarantined files are stored in an encrypted form and do not threaten the security of the device. In contrast to Quarantine, Backup stores backup copies of files, in which malicious code was detected and which were deleted or modified during the disinfection process.

The application only uses Quarantine when integrated with Detection and Response solutions to perform recommended threat response actions. When the application is integrated with Kaspersky Endpoint Detection and Response Optimum or with Kaspersky Managed Detection and Response, you can also manually quarantine files that you consider dangerous for your device.

By default, the /var/opt/kaspersky/kesl/common/objects-backup/ directory is used to store quarantined files. This directory also contains Backup objects. You can change the directory for storing Backup and Quarantine objects using the command line.

Quarantined files may contain personal data. Root privileges are required to access quarantined files.

You can configure quarantine settings on a device using a policy in the Web Console or in the Administration Console or using the command line. You can configure the following Quarantine settings:

• The percentage of Quarantine that must be full to generate an event about Quarantine being full. By default, an event is generated when the Quarantine is 90% full.
• Maximum size of the Quarantine in megabytes. When the maximum Quarantine size is reached, the application automatically deletes the oldest quarantined files. By default, the maximum Quarantine size is 200 MB if the application is being used in Standard mode, and 100 MB if the application is being used in Light Agent mode.
• Path to the directory where Backup and Quarantine objects are stored (can only be configured on the command line).

Quarantining files

Some files can be critically important for the operation of the operating system and the application. Quarantining such files can disrupt the operation of the system.

You cannot quarantine System Critical Objects (SCO). SCOs include files that are necessary for the operation of the operating system and the Kaspersky Endpoint Security application.

Placing a file in quarantine is possible only if one of the following conditions is met:

• Integration of Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response Optimum is enabled and the EDR Optimum component is activated.
• Integration of Kaspersky Endpoint Security with Kaspersky Endpoint Detection and Response (KATA) is enabled and the Kaspersky Anti Targeted Attack Platform solution is activated.
• Integration of Kaspersky Endpoint Security with Kaspersky Managed Detection and Response is enabled and the MDR component is activated.

The directory for storing Backup and Quarantine objects must be writable.

When integrated with Kaspersky Endpoint Detection and Response (KATA), files can be quarantined using a task that is configured on the Kaspersky Endpoint Detection and Response (KATA) side. For more details, see the Kaspersky Anti Targeted Attack Platform Help.

When integrated with Kaspersky Managed Detection and Response, files are quarantined in one of the following ways:

• As a result of the execution of a task configured on the side of Kaspersky Managed Detection and Response.
• As a result of the execution of a command to manage the quarantine on the device.

For more information on working with Quarantine when integrated with Kaspersky Endpoint Detection and Response, see the Kaspersky Endpoint Detection and Response Help.

When integrated with Kaspersky Endpoint Detection and Response, files are quarantined in one of the following ways:

• Automatically as a result of the detection of indicators of compromise.
• As a result of a Quarantine task, which you can create in the Web Console.
• As a result of the execution of a command to manage the quarantine on the device.
• As a result of following the recommendation in the alert details.

For more information on managing the Quarantine when integrated with Kaspersky Endpoint Detection and Response Optimum, see the Kaspersky Endpoint Detection and Response Optimum Help.

Managing quarantined files

You can manage quarantined files:

• In Kaspersky Security Center, in the common list of files quarantined by Kaspersky applications.

  To manage quarantined files in Kaspersky Security Center, you need to enable the transfer of data about quarantined files to the Administration Server.

• Locally on the device using the command line.

You can view information about quarantined files, and delete and restore files from quarantine.

Restoring, deleting, and retrieving a file from Quarantine is available regardless of whether integration with Detection and Response solutions is enabled, and regardless of whether a policy is applied to the device.

The general list of files quarantined by Kaspersky applications on client devices is kept in Kaspersky Security Center and is available in the Administration Console (Advanced → Repositories → Quarantine) and the Web Console (Operations → Repositories → Quarantine). Kaspersky Security Center does not copy files from Quarantine storages to the Administration Server; all files are stored in Quarantine storages on client devices. For detailed information about managing quarantined files in Kaspersky Security Center, refer to the Kaspersky Security Center Help.

The quarantined file is restored to its original location according to the specified settings. Once the restoration process is complete, the application deletes the quarantined copy of the restored file.

Restoring a file from quarantine fails in the following cases:

• The file to be restored was not found in the quarantine storage.
• The name of the file being restored is specified incorrectly or with the wrong case.
• The file ID was specified incorrectly.
• The destination folder has been deleted, moved, renamed, or you do not have access rights to it.

  In this case, the application moves the file to the folder /var/opt/kaspersky/kesl/common/restored/. You can manually move the file from this folder to the desired folder.

• A file with the same name already exists at the specified path.
• The device does not have enough space.

Deleting a file from quarantine fails in the following cases:

• The file to be deleted was not found in the quarantine storage.
• The name of the file being deleted is specified incorrectly or with the wrong case.
• The file ID was specified incorrectly.

In this section Quarantining a file using the Web Console Editing Quarantine settings in the Web Console Editing Quarantine settings in the Administration Console Editing Quarantine settings on the command line Managing quarantined files on the command line Sending information about quarantined files to Kaspersky Security Center

Page top