When malicious files are detected, they are copied, encrypted, and stored in a quarantine folder on the endpoint. The Quarantined Detections page in Nebula indexes these items and allows you to restore or delete them. Items remain until deleted, either manually or through the automatic deletion policy setting. For more information on the policy setting, see Scan policy settings in Nebula.
False positives are possible. Cross-check any suspicious detections against threat intelligence databases like VirusTotal using the file's SHA256 hash. If ThreatDown identifies a critical false positive, we may distribute an unquarantine command to automatically restore the affected file.
Navigate to Monitor > Detection Center > Quarantined Detections to view all quarantined threats across your network. Note that threats remain encrypted on the endpoints where they were detected. The quarantine location is a predefined folder on your endpoints:
- Windows endpoints: C:\ProgramData\Malwarebytes\MBAMService\Quarantine
- Mac endpoints: /Library/Application Support/Malwarebytes/NCEP/Quarantine/
- Linux endpoints: /var/lib/mblinux/quarantine
Manage quarantine
The following options are available in the Actions menu of the Quarantined Detections page.
- Delete: Submits a task to the endpoint to permanently delete the encrypted quarantined items.
- Restore: Moves the item from Quarantine back to its original location on the endpoint. If the device you're restoring a quarantined file to is a USB device, it must be connected to the same endpoint it was quarantined from. Use this for items you know are legitimate.
- Restore & Create Exclusion: Restore and create exclusions on the selected quarantined items.
- Create Exclusions: Create exclusions on the selected quarantined items. Only Super Admins can create exclusions. For more information on exclusions, see Overview of exclusions in Nebula.
- Download .csv: Export a report in .csv format containing the selected rows of data.
- Download .xlsx: Export a report in .xlsx format containing the selected rows of data.
Note: If the data size is too large to download, an email is sent instead with a link to download the export.
Quarantine data
The following columns are available on the Quarantined Detections page:
- Category: Category of quarantined threat, such as malware or ransomware. Filter by malware, PUP, PUM, and ransomware.
- Date: Date and time the threat was quarantined.
- Device: USB device the threat was quarantined from.
- Endpoint: Endpoint the file was quarantined from.
- First Created: Date the file or folder was first created.
- Last Modified: Date the file or folder was last modified.
- Location: File path of quarantined threat.
- Threat name: Name of the quarantined threat.
- Type: Type of threat, such as file or registry key. Filter by extension, file, folder, module, other, process, registry key, or registry value.
Click Add / Remove Columns to choose which columns to display.
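As an added example (not part of the Nebula documentation or product), the following Python script parses a .csv export of the Quarantined Detections page and summarises it for triage: it counts detections per category, flags threat names seen on more than one endpoint, and lists items quarantined from a USB device, which can only be restored with that device attached to the same endpoint. The sample export is constructed, and the column headers are assumed to match the columns listed above.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export (not a real Nebula export). Column headers are
# assumed to match the Quarantined Detections columns shown in the page.
SAMPLE_CSV = """Category,Date,Device,Endpoint,First Created,Last Modified,Location,Threat name,Type
Malware,2024-05-01 09:12,,WS-101,2024-04-30,2024-04-30,C:\\Users\\a\\Downloads\\inv.exe,Trojan.Agent,File
Malware,2024-05-01 09:40,,WS-102,2024-04-30,2024-04-30,C:\\Users\\b\\Downloads\\inv.exe,Trojan.Agent,File
PUP,2024-05-02 11:05,USB Disk 3.0,WS-103,2024-03-10,2024-03-10,E:\\tools\\bar.exe,PUP.Optional.Bundler,File
Ransomware,2024-05-02 12:00,,WS-101,2024-05-02,2024-05-02,C:\\Temp\\lock.exe,Ransom.Generic,File
PUM,2024-05-03 08:00,,WS-104,,,HKLM\\SOFTWARE\\Policies\\Example,PUM.Optional.Proxy,Registry Value
"""


def parse_export(text):
    """Parse a .csv export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """Summarise quarantined detections from a defender's point of view."""
    by_category = Counter(r["Category"] for r in rows)
    endpoints_by_threat = defaultdict(set)
    for r in rows:
        endpoints_by_threat[r["Threat name"]].add(r["Endpoint"])
    # The same threat name quarantined on several endpoints suggests spread.
    multi_endpoint = {t: sorted(e) for t, e in endpoints_by_threat.items() if len(e) > 1}
    # Restore of a USB-sourced item only works with that USB device attached
    # to the same endpoint, so surface these before choosing Restore.
    usb_restore_required = [
        (r["Endpoint"], r["Device"], r["Location"]) for r in rows if r["Device"]
    ]
    # Ransomware detections are the first ones to follow up on the endpoint.
    ransomware_endpoints = sorted({r["Endpoint"] for r in rows if r["Category"] == "Ransomware"})
    return {
        "by_category": by_category,
        "multi_endpoint": multi_endpoint,
        "usb_restore_required": usb_restore_required,
        "ransomware_endpoints": ransomware_endpoints,
    }


if __name__ == "__main__":
    summary = triage(parse_export(SAMPLE_CSV))
    for key, value in summary.items():
        print(f"{key}: {value}")
```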
Expand quarantine details
Under the Threat Name column, click one of the listed file names to view more details. In the Quarantine Details window, you can view the following information:
- Category: The protection triggered by the detection. Filter by malware, PUP, PUM, and ransomware.
- Type: The type of detection, such as a file or outbound connection. Filter by extension, file, folder, module, other, process, registry key, or registry value.
- Action taken: The current status of the detection, such as Found, Quarantined or Blocked.
- Endpoint: Click the endpoint name to go to the Overview page of the endpoint.
- Last user: The last user logged into the endpoint.
- Location: The location of the detection on the endpoint. Contents change with the type of detection.
- First Created: Date the file or folder was first created.
- Last Modified: Date the file or folder was last modified.
- MD5 Hash: MD5 hash of the file, used to identify its contents. May show as empty if the file was not present. Use it as a key to search in Flight Recorder or external threat intelligence sites such as www.virustotal.com. MD5 is not collision resistant, so prefer the SHA256 hash when both are available.
- SHA256 Hash: SHA256 hash of the file, used to identify its contents. May show as empty if the file was not present. Use it as a key to search in Flight Recorder or external threat intelligence sites such as www.virustotal.com.
- IP Address: If the detection is a Malicious Website, this field shows the website's IP Address.
- Port: If the detection is a Malicious Website, this field shows the port the connection used.
- Process Name: The file path of the process.
- Scanned At: The date and time the detection was scanned.
- Quarantined At: The date and time the detection was quarantined.
- Reported At: The time and date Nebula reported the detection.
- Scan ID: The unique identifier of the scan for the detection.
- Detection Name: Click the name to open a glossary explanation of the detection.
- Domain: If the detection is a Malicious Website, this field shows the web URL.
- Group Name: Click the name of the group to view the endpoints that belong to the same group.
- Policy Name: Click the name of the policy to view the endpoints using the same policy.
- Detection history: Shows the history of the threat on the specific endpoint.
- Auto-removal Date: When the item will be deleted from quarantine based on the endpoint's automatic quarantine deletion policy setting.
The available information in the window varies between types and how they are detected.
Filter and sort data
Use the following features to filter and sort data on the Quarantined Detections page:
- Filter results: Next to a column header, click the filter icon to narrow the results. The filter list at the top of the screen shows which filters are applied. Click a filtered item to remove it, or click Clear Filters to remove them all.
- Column pinning and auto-sizing: Next to a column header, click the hamburger menu button to display a checkbox list of sub-filters you can apply. The same menu lets you pin or auto-size the selected column.
- Right-click menu: In the table, click and drag to select and highlight a section of the table. Right-click on your selected information to copy the cells and information.
- Select all: Click the checkbox next to the Threat name column header.