Move file to Quarantine

When reacting to threats, Kaspersky Endpoint Detection and Response can create Move file to Quarantine tasks. This is necessary to minimize the consequences of the threat. Quarantine is a special local storage on the computer. The user can quarantine files that the user considers dangerous for the computer. Quarantined files are stored in an encrypted state and do not threaten the security of the device. Kaspersky Endpoint Security uses Quarantine only when working with Detection and Response solutions: EDR Optimum, EDR Expert, KATA (EDR), Kaspersky Sandbox. In other cases Kaspersky Endpoint Security places the relevant file in Backup. For details on managing Quarantine as part of solutions, please refer to the Kaspersky Sandbox Help, Kaspersky Endpoint Detection and Response Optimum Help, and Kaspersky Endpoint Detection and Response Expert Help, Kaspersky Anti Targeted Attack Platform Help.

You can create Move file to Quarantine tasks in the following ways:

• In alert details (only for EDR Optimum).

  Alert Details is a tool for viewing the entirety of collected information about a detected threat. Alert details include, for example, the history of files appearing on the computer. For details about managing alert details, refer to the Kaspersky Endpoint Detection and Response Optimum Help and the Kaspersky Endpoint Detection and Response Expert Help.

• Using the Task Wizard.

  You must enter the file path or hash (SHA256 or MD5), or both the file path and the file hash.

The Move file to Quarantine task has the following limitations:

1. The file size must not exceed 100 MB.
2. System Critical Objects (SCO) cannot be quarantined. SCOs are files that the operating system and the Kaspersky Endpoint Security for Windows application require to be able to run.
3. You can configure the task for EDR Optimum in Web Console and Cloud Console. Task settings for EDR Expert are available only in Cloud Console.

To create a Move file to Quarantine task:

1. In the main window of the Web Console, select Devices → Tasks.

   The list of tasks opens.

2. Click the Add button.

   The Task Wizard starts.

3. Configure the task settings:
   1. In the Application drop-down list, select Kaspersky Endpoint Security for Windows (12.2).
   2. In the Task type drop-down list, select Move file to Quarantine.
   3. In the Task name field, enter a brief description.
   4. In the Select devices to which the task will be assigned block, select the task scope.
4. Select devices according to the selected task scope option. Click the Next button.
5. Enter the account credentials of the user whose rights you want to use to run the task. Click the Next button.

   By default, Kaspersky Endpoint Security starts the task as the system user account (SYSTEM).

6. Finish the wizard by clicking the Finish button.

   A new task will be displayed in the list of tasks.

7. Click the new task.

   The task properties window opens.

8. Select the Application settings tab.
9. In the list of files, click Add.

   The file adding wizard starts.

10. To add the file, you must enter the full path to the file, or both file hash and the path.

    If the file is located on a network drive, enter the file path starting with \\, and not the drive letter. For example, \\server\shared_folder\file.exe. If the file path contains a network drive letter, you can get a File not found error.

11. In the task properties window, select the Schedule tab.
12. Configure the task schedule.

    Wake-on-LAN is not available for this task. Make sure the computer is turned on to run the task.

13. Click the Save button.
14. Select the check box next to the task.
15. Click the Run button.

As a result, Kaspersky Endpoint Security moves the file to Quarantine. If the file is locked by a different process, the task is displayed as Completed, but the file itself is quarantined only after the computer is restarted. After restarting the computer, confirm that the file is deleted.

The Move file to Quarantine task can finish with the Access denied error if you are trying to quarantine an executable file that is currently running. Create a terminate process task for the file and try again.

The Move file to Quarantine task can finish with the Not enough space in Quarantine storage error if you are trying to quarantine a file that is too large. Empty the Quarantine or make Quarantine larger. Then try again.

You can restore a file from Quarantine or empty the Quarantine using Web Console. You can restore objects locally on the computer using the command line.

Page top