When malicious files are detected and quarantined, the files and registry settings are copied and encrypted into a quarantine folder on the endpoint. The Monitor > Detection Center > Quarantined Detections page in OneView is an index for each item on the endpoint and allows you to restore or delete detected files. This page shows the quarantined detections data for the last 365 days.
While OneView uses its best judgment whether a file is a threat, false positives are possible. You may also find items in quarantine that are legitimate. View detected items and cross-check the information to verify if the file is legitimate with other Threat Intelligence databases, such as VirusTotal, using the SHA256 hash of the file.
While this page shows all quarantined threats across your network, the actual threats remain encrypted on the endpoints where they were found. The quarantine location is a predefined folder on your endpoints:
- Windows endpoints: C:\ProgramData\Malwarebytes\MBAMService\Quarantine
- Mac endpoints: /Library/Application Support/Malwarebytes/NCEP/Quarantine/
- Linux endpoints: /var/lib/mblinux/quarantine
Manage quarantine
In the top-right, click the kebab icon for to access the Actions menu of the Quarantined Detections page.
- Download .csv: Export a report in .csv format containing the selected rows of data.
-
Download .xlsx: Export a report in .xlsx format containing the selected rows of data.
- If the data size is too large to download, an email will be sent instead with a link to download the export.
-
Restore: Restore the selected files from quarantine.
Note: When restoring quarantined files from a USB device, the device must remain plugged in. - Create exclusion: Create exclusions on the selected quarantined items. All user roles are able to create exclusions with the exception of viewers. For more information on exclusions, see Overview of exclusions in OneView.
- Restore & Create exclusion: Restore and create exclusions on the selected quarantined items.
- Delete: Delete the files from quarantine. This action cannot be undone and files cannot be restored once deleted.
Quarantine data
The following columns are available on the Quarantined Detections page:
- Category: Category of quarantined threat, such as malware or ransomware. Filter by malware, PUP, PUM, and ransomware.
- Date: Date and time the threat was quarantined.
- Device: USB device the threat was quarantined from.
- Endpoint: Endpoint the file was quarantined from.
- Location: File path of quarantined threat.
- Site: The OneView site of the endpoint.
- Threat name: Name of the quarantined threat.
- Type: Type of threat, such as file or registry key. Filter by extension, file, folder, module, other, process, registry key, or registry value.
Click Add / Remove Columns to choose which columns to display.
Expand detection details
Under the Threat Name column, click one of the listed detection names to view more details. In the Detection Details window, you can view the following information:
- Category: The protection triggered by the detection. Filter by malware, PUP, PUM, and ransomware.
- Type: The type of detection, such as a file or outbound connection. Filter by extension, file, folder, module, other, process, registry key, or registry value.
- Action taken: The current status of the detection, such as Found, Quarantined or Blocked.
- Endpoint: Click the endpoint name to go to the Overview page of the endpoint.
- Last user: The last user logged into the endpoint.
- Location: The location of the detection on the endpoint. Contents change with the type of detection.
- MD5 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as: www.virustotal.com
- SHA256 Hash: Cryptographically generated unique number identifying a file. May show as empty if a file was not present. Use as a key to search in Flight Recorder or to search external threat intelligence sites such as: www.virustotal.com
-
IP Address: If the detection is a Malicious Website, this field shows the website's IP Address.
- Port: If the detection is a Malicious Website, this field shows the port the connection used.
- Process Name: The file path of the process.
- Scanned At: The date and time the detection was scanned.
- Quarantined At: The date and time the detection was quarantined.
- Reported At: The time and date OneView reported the detection.
- Scan ID: The unique identifier of the scan for the detection.
- Detection Name: Click the name to open a glossary explanation of the detection.
- Domain: If the detection is a Malicious Website, this field shows the web URL.
- Group Name: Click the name of the group to view the endpoints that belong to the same group.
- Policy Name: Click the name of the policy to view the endpoints using the same policy.
- Detection history; Shows the history of the threat on the specific endpoint.
The available information in the window varies between types and how they are detected.
Filter and sort data
The Quarantined Detections table helps you manage the available information more efficiently. The following features are available on the table:
-
Filter results: Next to a column header, click the filter icon
to narrow the results. When clicking on the filter icon, the filter list at the top of the screen shows which filters are applied. Click on a filtered item to remove it, or Reset filters
to go back tot he default filter settings.
- Customize table columns: In the top-right of the table, click Add / Remove Columns to customize the table columns.
-
Column pinning and auto-sizing: Next to a column header, click the hamburger menu button
to display a checkbox list of different sub-filters you can apply. Click the hamburger menu button
- Right-click menu: In the table, click and drag to select and highlight a table section. Right-click on your selected information to copy or export a .csv or an .xlsx file.
- Select all: Click the checkbox next to the Threat name column header.