How to use Quarantine in GravityZone
Bitdefender GravityZone provides full visibility into organizations' overall security posture, global security threats, and control over its security services that protect virtual or physical desktops, servers and mobile devices. All Bitdefender's Enterprise Security solutions are managed within the GravityZone through a single console, Control Center, that provides control, reporting, and alerting services for various roles within the organization.
This article describes how GravityZone quarantine works and how to restore, delete and download quarantine files.
- Restoring Quarantined Files
- Automatic Deletion of Quarantined Files
- Deleting Quarantined Files
- Downloading Quarantined Files in VMware Environments Integrated with vShield Endpoint
By default, the GravityZone security services isolate suspicious files and the malware-infected files that cannot be disinfected in a secure area named quarantine. When a virus is in quarantine it cannot do any harm because it cannot be executed or read.
Important: Quarantine is only available in Security for Physical Endpoints and Security for Virtualized Environments.
The behavior of the quarantine is different for each component:
- Security for Physical Endpoints stores the quarantined files on each managed computer. Using Control Center you have the option to either delete or restore specific quarantined files.
- Security for Virtualized Environments (Multi-Platform) stores the quarantined files on each managed virtual machine. Using Control Center you have the option to either delete or restore specific quarantined files.
- Security for Virtualized Environments (integrated with VMware vShield Endpoint) stores the quarantined files on the Security Server appliance. Using Control Center you have the option to delete quarantined files or download them to a location of your choice.
- Security for Exchange stores the quarantined files on the exchange server.
By default, quarantined files are automatically sent to Bitdefender Labs in order to be analyzed by the Bitdefender malware researchers. If malware presence is confirmed, a signature is released to allow removing the malware.
In addition, quarantined files are scanned after each malware signature update. Cleaned files are automatically moved back to their original location.
Control Center provides detailed information on all files moved to quarantine on the network objects managed from your account.
To check and manage quarantined files, go to the Quarantine page and choose the desired network object from the service selector.
Information about quarantined files is displayed in a table. You are provided with the following information:
- The name of the network object the threat was detected on.
- The IP of the network object the threat was detected on.
- Path to the infected or suspicious file on the network object it was detected on.
- Name given to the malware threat by the Bitdefender security researchers.
- Time when the file was quarantined.
- Pending action requested by the administrator to be taken on the quarantined file.
To make sure the latest information is being displayed, click the Refresh button in the bottom-left corner of the table. This may be needed if you have been on the page for a while.
Restoring Quarantined Files
On particular occasions, you may need to restore quarantined files, either to their original location or to an alternate location. One such situation is when you want to recover important files stored in an infected archive that has been quarantined.
Note: Restoring quarantined files is only possible in environments protected by Security for Endpoints and Security for Virtualized Environments (Multi-Platform).
To restore one or more quarantined files:
- Go to the Quarantine page.
- Choose the desired network object from the service selector.
- Select the check boxes corresponding to the quarantined files you want to restore.
- Click the Restore button at the right side of the table.
- Choose the location where you want the selected files to be restored (either the original or a custom location on the target computer). If you choose to restore to a custom location, you must enter the path in the corresponding field. It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.
- Click Restore to request the file restore action. You can notice the pending action in the Action column.
- The requested action is sent to the target computers immediately or as soon as they get back online. Once a file is restored, the corresponding entry will disappear from the Quarantine table.
Automatic Deletion of Quarantined Files
By default, quarantined files older than 30 days are automatically deleted. This setting can be changed by editing the policy assigned to the managed network objects.
To change the automatic deletion interval for quarantined files:
- Go to the Policies page.
- Find the policy assigned to the network objects on which you want to change the setting and click its name.
- Go to the Antimalware > Settings > Quarantine section.
- Select the desired automatic deletion period from the menu.
- Click Save to save changes.
Deleting Quarantined Files
If you want to delete quarantined files manually, you should first make sure the files you choose to delete are not needed. Use these tips when deleting quarantined files:
- A file may actually be the malware itself. If your research leads you to such a situation, you can search the quarantine for the specific threat and delete it from quarantine.
- You can safely delete:
  - Unimportant archive files
  - Infected setup files
To delete one or more quarantined files:
- Go to the Quarantine page.
- Choose the desired network object from the service selector.
- Check the list of quarantined files and select the check boxes corresponding to the ones you want to delete.
- Click the Delete button at the right side of the table. You can notice the pending action in the Action column.
- The requested action is sent to the target network objects immediately or as soon as they get back online. Once a file is deleted, the corresponding entry will disappear from the Quarantine table.
Downloading Quarantined Files in VMware Environments Integrated with vShield Endpoint
If you want to examine or recover data from quarantined files, you can download them from the Security Server using Control Center. Quarantined files are downloaded as an encrypted, password-protected ZIP archive to prevent accidental malware infection. To open the archive and extract its content, you must use the Quarantine Tool.
Quarantine Tool is a standalone application that does not require installation. Two versions are available: one for Windows and the other for Linux.
- The Windows version runs on Windows XP or later.
- The Linux version runs on recent versions of most 32-bit Linux distributions with a graphical user interface (GUI). The tool is compatible with any desktop environment. Note that Quarantine Tool for Linux does not have a command line interface.
Warning: Use caution when extracting the quarantined files because they can infect your system. It is recommended to extract and analyze the quarantined files on a test or isolated system, preferably running on Linux. Malware infections are easier to contain on Linux.
To download quarantined files to your computer:
- Go to the Quarantine page.
- Choose Virtual Machines from the service selector.
- Select the files you want to download.
- Click the Download button at the right side of the Quarantine table. Depending on your browser settings, the files may be downloaded automatically to a default download location.
To access the quarantined files:
- Download the appropriate Quarantine Tool for your computer from the following addresses:
- Open Quarantine Tool (for example, by double-clicking it).
- Open the archive containing the quarantined files in Quarantine Tool by doing any of the following:
  - From the File menu, choose Open.
  - Click the Open icon on the toolbar.
  - Use the Ctrl+O keyboard shortcut.
- Before extracting the archived files, if on-access antimalware scan is enabled on the system, make sure to either completely disable it or configure a scan exclusion for the location where you will extract the files. Otherwise, your antimalware program will detect and take action on extracted files.
- Extract the archived files to the location of your choosing by doing any of the following:
  - From the File menu, choose Extract.
  - Click the Extract icon on the toolbar.
  - Use the Ctrl+E keyboard shortcut.