Restoring a File from Quarantine

A file quarantined by AntiVirus that you know to be safe (false positive) can be manually restored to its source folder or an alternate protected location using the Centralized Quarantine page or the Agent Control Panel on endpoints.

Prerequisites:

  • Ensure the latest version of the AntiVirus definition file is installed on endpoints, as it may contain the definition required to clean the threat detected.
  • Consider submitting the quarantined file you want to restore to Ivanti for further analysis. It may be a new virus or a variant of an existing one.
  • Ensure the file has been in quarantine for at least two AntiVirus definition file updates. Updates occur a minimum of once a day. Files in quarantine are automatically scanned upon update and, if cleaned, are moved back to their original location.
  • Use the Centralized Quarantine page in the Ivanti Endpoint Security Management Console to check whether the same file was quarantined on other endpoints.
  • Consider isolating the endpoints to which the file is to be restored and moving important files to a backup location.

The only quarantined files you should restore are those for which no backup exists or no copy can be obtained from a trustworthy source, like a vendor. It can be a file that contains important information (for example, a document) or is required to regain the functionality of a program that needs the file to run. The agent places the files in an endpoint's local quarantine; therefore, the procedure must be performed through the Agent Control Panel.

Restoring a Quarantined File Using Centralized Quarantine

You can restore a quarantined file from the Ivanti Endpoint Security Management Console, particularly if the same file has been quarantined on several endpoints.

  1. Click Manage > Centralized Quarantine.
  2. Find the file you want to restore.
    Use the filters to search for specific items.
  3. Expand its section to reveal the endpoints the file is quarantined on and additional information.
  4. Use the AV Definition Detected column to ensure the latest version of the AntiVirus definition file is installed on endpoints, as it may contain the definition required to clean the threat detected.

  5. Select the endpoints you want to restore the file to and click Restore.

Restoring a Quarantined File Using the Agent Console

You can restore a quarantined file directly from the endpoint.

  1. Log on to the endpoint and select Start > Control Panel.
  2. Double-click Agent Control Panel.
    The Agent Control Panel opens.
  3. Select AntiVirus > Quarantine from the main menu.
    The Quarantine pane is displayed.
  4. Select a file from the list and then click Save As.
    The Save As dialog opens to the directory where the file originated from.
  5. Navigate to the directory in which you would like to save the file, then click Save. You cannot overwrite a file with the same name in the selected location.
    The file is removed from quarantine and returned to the location you specified. A Restored alert message is generated and can be viewed in Review > Virus and Malware Event Alerts.

After Completing This Task:

  • Monitor the endpoints to which the file was restored for suspicious behavior.
  • Exclude the file from scans if it was an authentic false positive. For more information, see the Ivanti Community Article Excluding files, folders and processes from scans.