Managing the backup/quarantine area
The Advanced EDR quarantine is a backup area that stores items that have been deleted from their original location after being classified as a threat.
Quarantined items are stored on each user's computer, in the Quarantine folder located in the software installation directory. This folder is encrypted and cannot be accessed by any other process, so the programs it contains cannot be opened or run directly. They can only be managed through the web console.
The quarantine feature supports Windows, macOS, and Linux platforms.
The Cytomic Labs department at Cytomic determines the action to take based on the classification and type of each item detected. The possible outcomes are:
- Malicious items that cannot be disinfected: They are kept in quarantine permanently.
- Malicious items that can be disinfected: Virus-type malware is disinfected and the file is restored to its original location. A copy of the file is kept in quarantine for 30 days.
- Non-malicious, restored items: If goodware is incorrectly classified as malware (a false positive), it is automatically restored from quarantine to its original location. A copy of the file is kept in quarantine for 7 days.
- Suspicious items: They are kept in quarantine for 30 days. If they turn out to be goodware, they are automatically restored to their original location.
Advanced EDR does not permanently remove the files it deletes from the computer; they are moved to the backup area instead.
Viewing quarantined items
To view a list of items sent to quarantine:
- From the top menu, select Status. From the side panel, select Security.
- Click the panel for the type of item you want to view.
- In the list filters, select the Quarantined and Deleted checkboxes in the Action filter. Click Filter.
Restoring items from quarantine
- From the top menu, select Status. From the side panel, select Security.
- Click the panel for the type of item you want to restore from quarantine:
  - Malware activity
  - PUP activity
  - Exploit activity
- From the list, select a threat whose Action field is Quarantined or Disinfected.
- Click the icon in the Action field. A dialog box opens that explains why the item was moved to quarantine.
- Click the Restore and do not detect again link. The item is moved back to its original location, and the permissions, owner, and registry entries related to the file are also restored.