Understanding Quarantine

Quarantine is a storage area on each endpoint that isolates infected and suspicious files that could not be cleaned or deleted at the time of detection. Quarantined files are stored in encrypted form, so they cannot be executed and the threat they pose is neutralized while they are held.

The types of files sent to quarantine when the scan action is set to Attempt to clean then quarantine (the default) or Attempt to clean then quarantine then delete during scan configuration are:

  • Files AntiVirus was unable to disinfect.
  • False positive detections, in the rare cases when AntiVirus mistakes a legitimate file for a virus because it contains code patterns that resemble viral code.

When a file that needs to be isolated is detected, it is moved to the endpoint’s \LMAgent\Data\persist\AV\quarantine folder and a Virus and Malware Event Alert with the status "Quarantined" is generated. Quarantined files can be viewed and managed in two ways:

On the Endpoint

The Quarantine pane of the Agent Control Panel. Actions that can be performed are:

  • Delete: Removes the infected file permanently from the endpoint.
  • Save As: Enables you to move a file back to its original location or to another location (for example, for submission to Ivanti for analysis).
    Choose this action for a file you believe was incorrectly detected as infected.

On the Ivanti Endpoint Security Management Console

The Centralized Quarantine page provides a network-wide view of all files quarantined on endpoints. Actions that can be performed are:

  • Scan now: Runs an immediate AntiVirus scan on the endpoints you select.
  • Delete: Removes the infected file permanently from the endpoints you select.
  • Restore: Moves a file back to its original location on the endpoints you select.

AntiVirus rescans quarantined files after each virus definition update. Files that can now be cleaned are automatically moved back to their original location, provided no file with the same name is already present there.
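The Agent Control Panel and the Centralized Quarantine page are the supported ways to manage quarantine; the following PowerShell function is an added example, not Ivanti tooling, for auditing the quarantine folder directly on an endpoint, for instance from a remote session during incident triage. The page gives only the relative folder \LMAgent\Data\persist\AV\quarantine, so the example assumes the agent stores it under $env:ProgramData (an assumption; pass -QuarantineRoot if your installation differs). Because quarantined files are stored encrypted, the SHA-256 the script reports is the hash of the encrypted blob, not of the original file, and will not match threat-intelligence hashes of the detected malware. Entries older than the chosen threshold have survived several definition-update rescans without being cleaned and restored, which is the set a practitioner should review for restore, delete, or submission to Ivanti.

```powershell
# Added example (not part of the Ivanti documentation or product).
# Assumption: the quarantine folder lives under $env:ProgramData; the page
# only documents the relative path \LMAgent\Data\persist\AV\quarantine.
function Get-QuarantineInventory {
    [CmdletBinding()]
    param(
        # Assumed base path; override if the agent is installed elsewhere.
        [string]$QuarantineRoot = (Join-Path $env:ProgramData 'LMAgent\Data\persist\AV\quarantine'),
        # Files held longer than this are flagged for manual review.
        [int]$StaleAfterDays = 14
    )

    if (-not (Test-Path -LiteralPath $QuarantineRoot)) {
        Write-Warning "Quarantine folder not found: $QuarantineRoot (agent missing or installed to a different path)"
        return
    }

    $now    = Get-Date
    $cutoff = $now.AddDays(-$StaleAfterDays)

    Get-ChildItem -LiteralPath $QuarantineRoot -File -Recurse -Force | ForEach-Object {
        # The blob is encrypted, so this hash identifies the quarantine artifact
        # across endpoints but does NOT equal the hash of the original file.
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Name         = $_.Name
            SizeBytes    = $_.Length
            Quarantined  = $_.CreationTime
            AgeDays      = [int]($now - $_.CreationTime).TotalDays
            Stale        = ($_.CreationTime -lt $cutoff)
            BlobSHA256   = $hash
        }
    }
}

# Usage: full listing, then export only the entries that outlived the threshold.
$inventory = Get-QuarantineInventory -StaleAfterDays 14
$inventory | Format-Table Name, SizeBytes, AgeDays, Stale -AutoSize
$inventory | Where-Object Stale |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'quarantine-stale.csv')
```

Run it in an elevated session, since the agent's data folder is normally not readable by standard users. Do not copy the blobs out of the folder expecting to analyze them; use Save As on the endpoint or Restore from the console to obtain the original file, and only for detections you have concluded are false positives.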

Quarantine-related activity can be viewed on the Endpoints with Unresolved AV Alerts dashboard widget, which displays the number of endpoints with unresolved AntiVirus event alerts. There are two types of unresolved AntiVirus event alerts: Not cleaned and Quarantined.