## ON PREMISES SOLUTIONS

### Quarantine

The quarantine is an encrypted folder that contains potentially malicious files, such as malware-suspected, malware-infected or other unwanted files. When a virus or other form of malware is in quarantine, it cannot do any harm because it cannot be executed or read.

GravityZone moves files to quarantine according to the policies assigned to endpoints. By default, files that cannot be disinfected are quarantined.

The quarantine is saved locally on each endpoint, except for the VMware vCenter Server integrated with vShield Endpoint and with NSX, where it is saved on the Security Server.

By default, quarantined files are automatically sent to Bitdefender Labs to be analyzed by the Bitdefender malware researchers. If malware presence is confirmed, a signature is released to allow removing the malware. In addition, quarantined files are scanned after each malware signature update. Cleaned files are automatically moved back to their original location. These features are configured per security policy on the Policies page, and you can choose whether to keep or deactivate them. For more information, refer to Quarantine.

### Important

• Quarantine is not available for mobile devices.

• Availability and functioning of this feature may differ depending on the license included in your current plan.

#### Exploring the Quarantine page

The Quarantine page provides detailed information regarding the quarantined files from all endpoints you manage. For more information about the quarantined items detected on Exchange mail servers, refer to Exchange Protection.

The Computers and Virtual Machines quarantine page contains information about items detected directly in the endpoints' file system.

Information about quarantined files is displayed in a table. Depending on the number of managed endpoints and the infection degree, the Quarantine table can include a large number of entries. The table can span several pages (by default, only 20 entries are displayed per page).

To move through the pages, use the navigation buttons at the bottom of the table. To change the number of entries displayed on a page, select an option from the menu next to the navigation buttons.

For better visibility of the data you are interested in, you can use the available filters. For example, you can search for a specific threat detected in the network by typing the threat name in the search bar of the filter. You can also click the column headers to sort data by a specific column.

The quarantine table provides you with the following information:

• The name of the endpoint the threat was detected on.

• The IP address of the endpoint the threat was detected on.

• Path to the infected or suspicious file on the endpoint it was detected on.

• Name given to the malware threat by the Bitdefender security researchers.

• The date and time when the file was quarantined.

• The status of the action requested to be taken on the quarantined file.

To make sure the latest information is being displayed, click the Refresh button on the lower right side of the table. This may be needed when you have spent a long time on the page.

#### Managing the quarantined files

The behavior of the quarantine is different for each environment:

• Security for Endpoints stores the quarantined files on each managed computer. Using Control Center you have the option to either delete or restore specific quarantined files.

• Security for Virtualized Environments (Multi-platform) stores the quarantined files on each managed virtual machine. Using Control Center you have the option to either delete or restore specific quarantined files.

• Security for Virtualized Environments (integrated with VMware vShield Endpoint or NSX) stores the quarantined files on the Security Server appliance. Using Control Center you have the option to delete quarantined files or download them to a location of your choice.

##### Restoring quarantined files

On particular occasions, you may need to restore quarantined files, either to their original location or to an alternate location. One such situation is when you want to recover important files stored in an infected archive that has been quarantined.

### Note

Restoring quarantined files is only possible in environments protected by Security for Endpoints and Security for Virtualized Environments (Multi-Platform).

To restore one or more quarantined files:

1. Go to the Quarantine page.

2. Choose Computers and VMs.

3. Select the check boxes corresponding to the quarantined files you want to restore.

4. Click the Restore button on the upper side of the table.

5. Choose the location where you want the selected files to be restored (either the original or a custom location on the target computer).

If you choose to restore to a custom location, you must enter the absolute path in the corresponding field.

6. Click Save. You can see the pending status in the Action status column.

The requested action is sent to the target endpoints immediately or as soon as they get back online. You can view details regarding the action status in the Tasks page. Once a file is restored, the corresponding entry will disappear from the Quarantine table.

##### Adding exclusions for quarantined files

To exclude a quarantined file:

1. Go to the Quarantine page.

2. Choose Computers and VMs.

3. Select the checkbox corresponding to the quarantined file you want to exclude.

4. Click the Add exclusions button on the upper side of the table and confirm your action. The exclusion is automatically created and displayed in the Exclusions list from the Configuration Profiles page.

In VMware virtualized environments integrated with vShield Endpoint or NSX, the quarantine is saved on the Security Server. If you want to examine or recover data from quarantined files, you must download them from the Security Server using Control Center. Quarantined files are downloaded as an encrypted, password-protected ZIP archive to prevent accidental malware infection.

To open the archive and extract its content, you must use the Quarantine Tool, a Bitdefender standalone application that does not require installation.

Quarantine Tool is available for the following operating systems:

• Most Linux 32-bit distributions with a graphical user interface (GUI).

### Note

Quarantine Tool does not have a command line interface.

### Warning

Use caution when extracting the quarantined files because they can infect your system. It is recommended to extract and analyze the quarantined files on a test or isolated system, preferably running on Linux. Malware infections are easier to contain on Linux.

1. Go to the Quarantine page.

2. Choose Computers and VMs.

3. Filter the table data by entering the Security Server hostname or IP address in the corresponding field from the table header.

If the quarantine is large, to view the files you are interested in, you may need to apply additional filters or increase the number of files listed per page.

4. Select the check boxes corresponding to the files you want to download.

To access the restored files:

### Note

Quarantine Tool for Linux is archived in a tar file.

2. Run the Quarantine Tool executable file.

3. On the File menu, click Open (CTRL+O) or click the Open button to load the archive into the tool.

Files are organized in the archive by the virtual machine they were detected on, preserving their original path.

4. Before extracting the archived files, if on-access antimalware scan is enabled on the system, make sure to either disable it or configure a scan exclusion for the location where you will extract the files. Otherwise, your antimalware program will detect and take action on extracted files.

5. Select the files you want to extract.

6. On the File menu, click Extract (CTRL+E) or click the Extract button.

7. Select the destination folder. The files are extracted at the selected location, preserving the original folder structure.

##### Automatic deletion of quarantined files

By default, quarantined files older than 30 days are automatically deleted. This setting can be changed by editing the policy assigned to the managed endpoints.

To change the automatic deletion interval for quarantined files:

1. Go to the Policies page.

2. Find the policy assigned to the endpoints on which you want to change the setting and click its name.

3. Go to the Antimalware > Settings page.

4. In the Quarantine section, select the number of days after which files are deleted.

5. Click Save to apply changes.

##### Manual deletion of quarantined files

If you want to manually delete quarantined files, you should first make sure the files you choose to delete are not needed.

A file may actually be the malware itself. If your research leads you to such a situation, you can search the quarantine for the specific threat and delete it from the quarantine.

To delete one or more quarantined files:

1. Go to the Quarantine page.

2. Select Computers and VMs.

3. Select the check boxes corresponding to the quarantined files you want to delete.

4. Click the Actions button at the upper side of the table and select Delete. Click Yes to confirm your action.

You can see the pending status in the Action status column.

The requested action is sent to the target network objects immediately or as soon as they get back online. Once a file is deleted, the corresponding entry will disappear from the Quarantine table.

##### Emptying the Quarantine

To delete all the quarantined objects:

1. Go to the Quarantine page.

2. Select Computers and VMs.

3. Click the Actions button and select Empty Quarantine.

Click Yes to confirm your action.

All the entries from the Quarantine table are cleared. The requested action is sent to the target network objects immediately or as soon as they get back online.

#### Accessing and restoring quarantined files in VMware environments integrated with NSX

This document is meant to help you understand the procedure of restoring quarantined files in VMware environments integrated with NSX.

##### Overview

By default, the GravityZone security services isolate suspicious files and the malware-infected files that cannot be disinfected in a secure area named quarantine. When a virus is in quarantine it cannot do any harm because it cannot be executed or read.

In a virtualized environment protected by Security for Virtualized Environments (Multi-Platform), Bitdefender GravityZone offers the possibility to restore quarantined files to their original location directly from the Control Center interface.

In virtualized environments integrated with NSX, on the other hand, quarantined files are not stored on the virtual machines, but on the Security Server appliance. Consequently, for this type of environment, you cannot restore quarantined files automatically from Control Center.

If you want to examine or recover data from quarantined files, you can download them from the Security Server using Control Center. Quarantined files are downloaded as an encrypted, password-protected ZIP archive to prevent accidental malware infection.

To open the archive and extract its content, you must use the Quarantine Tool.

Quarantine Tool is a standalone application that does not require installation. Two versions are available: one for Windows and the other for Linux.

• The Windows version runs on Windows XP or later.

• The Linux version runs on recent versions of most 32-bit Linux distributions with a graphical user interface (GUI). The tool is compatible with any desktop environment. Note that Quarantine Tool for Linux does not have a command line interface.

2. Go to the Quarantine page.

3. Choose Virtual Machines from the service selector.

5. Click the Download button at the right side of the Quarantine table.

##### Accessing and restoring quarantined files

To access the quarantined files:

1. Open Quarantine Tool (for example, by double-clicking it).

2. Open the archive containing the quarantined files in Quarantine Tool by doing any of the following:

• From the File menu, choose Open.

• Click the Open icon on the toolbar.

• Use the Ctrl+O keyboard shortcut.

Files are organized in the archive by the virtual machine they were detected on, preserving their original path.

3. Before extracting the archived files, if on-access antimalware scan is enabled on the system, make sure to either completely disable it or configure a scan exclusion for the location where you will extract the files. Otherwise, your antimalware program will detect and take action on extracted files.

4. Extract the archived files to the location of your choosing by doing any of the following:

• From the File menu, choose Extract.

• Click the Extract icon on the toolbar.

• Use the Ctrl+E keyboard shortcut.

To restore the files to their original location, you need to manually transfer them to the location on the virtual machine they were detected on after you save them on your computer.