Quarantine is a storage area on endpoints that isolates infected and suspicious files that cannot be cleaned or
deleted at the time of detection. Quarantined files are encrypted so that they cannot run, which counters any threats posed by viruses
and malware.
The types of files sent to quarantine, when Attempt to clean then quarantine (default) or Attempt to clean then quarantine then delete is set during scan configuration, are:
- Files AntiVirus was unable to disinfect.
- False positive detections in the rare cases when AntiVirus mistakes legitimate files for viruses because they contain viral code patterns.
When a file that needs to be isolated is detected, it is moved to the endpoint’s \LMAgent\Data\persist\AV\quarantine folder and a Virus and Malware Event Alert of "Quarantined" is generated. Quarantined files can be viewed and managed in two ways:

On the Endpoint: The Quarantine pane of the Agent Control Panel. Actions that can be performed are:
- Delete: Removes the infected file permanently from the endpoint.
- Save As: Enables you to move a file back to its original location or another location (for example, for submitting to Ivanti for analysis). Choose this action for a file you believe was incorrectly detected as infected.

On the Ivanti Device and Application Control Console: The Centralized Quarantine page provides a network-wide view of all files quarantined on endpoints. Actions that can be performed are:
- Scan now: Runs an immediate AntiVirus scan on the endpoints you select.
- Delete: Removes the infected file permanently from the endpoints you select.
- Restore: Moves a file back to its original location on the endpoints that you select.

AntiVirus scans quarantined files after each virus definition update. Cleaned files are automatically
moved back to their original location, if no file with the same name is already present.
Quarantine-related activity can be viewed on the Endpoints with Unresolved AV
Alerts dashboard widget, which displays the number of endpoints with unresolved
AntiVirus event alerts. There are two types of unresolved AntiVirus event
alerts: not cleaned and quarantined.