Remove a File from Quarantine

The TDR Host Sensor can quarantine a file when it performs the Quarantine File action, or as part of a Host Ransomware Prevention (HRP) action. When the Host Sensor quarantines a file, it encrypts the file and stores it locally on the host.

Windows Host Sensor quarantine directory:

c:\Program Files (x86)\WatchGuard\Threat Detection and Response\quarantine

Mac Host Sensor quarantine directory:

/usr/local/watchguard/tdr/quarantine

Linux Host Sensor quarantine directory:

/opt/watchguard/tdr/quarantine

The encrypted file remains in the quarantine directory on the host for the number of days specified in the Age Off For Quarantined Files setting. For more information, see Configure the Age Off For Quarantined Files.

If you decide that a quarantined file is not a threat, you can remove the file from quarantine for up to 30 days after the quarantine action, as long as the encrypted copy still remains in the quarantine directory on the host. If the Age Off For Quarantined Files setting is shorter than 30 days, the file is deleted from the host before that window ends and can no longer be restored.

After 30 days you cannot undo the quarantine action, even if the quarantined file remains on the host, because TDR automatically removes incidents from the system after 30 days.

The action to remove a file from quarantine depends on whether the Host Sensor quarantined the file as a Quarantine File action or as a Host Ransomware Prevention (HRP) action. You can select the action to remove a file from quarantine from the Remediations page, the Indicators page, or the Hosts page.

When you remove a file from Quarantine, the file is automatically added to the Allowlist.

Remove a File from Quarantine from the Remediations Page

Remove a File from Quarantine from the Indicators Page

Remove a File from Quarantine from the Hosts Page

After you execute the action to remove a file from quarantine, the Action Requested / Outcome column shows the action Un-Quarantine File and the outcome In Progress. After the file has been removed from quarantine, the outcome changes to Successful.

When you execute an action to remove a file from quarantine, the MD5 value for that file is automatically added to the Allowlist as a signature override. If the Un-Quarantine File action fails because the file no longer exists on the host, the MD5 value for that file is still added to the Allowlist. Because a signature override suppresses future detections of any file with that MD5 value, confirm that the file is benign before you remove it from quarantine. For more information about the Allowlist, see Configure TDR Signature Overrides.
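The following script is an added example, not part of this page or of the TDR product. It audits a Host Sensor quarantine directory against the two time limits described above: the 30-day incident retention after which Un-Quarantine File is no longer possible, and the Age Off For Quarantined Files setting after which the Host Sensor deletes the encrypted copy. It assumes the file's modification time is a usable stand-in for the time of quarantine (the sensor's own record keeping is not documented here), and it includes an MD5 helper for checking a file against an Allowlist signature override. Note that the copy in the quarantine directory is encrypted, so its MD5 value does not match the Allowlist entry for the original file; compute the hash on the original or restored file, not on the quarantined copy.

```python
import hashlib
import os
import platform
from datetime import datetime, timedelta, timezone

# Quarantine directories documented for each Host Sensor platform.
QUARANTINE_DIRS = {
    "Windows": r"c:\Program Files (x86)\WatchGuard\Threat Detection and Response\quarantine",
    "Darwin": "/usr/local/watchguard/tdr/quarantine",
    "Linux": "/opt/watchguard/tdr/quarantine",
}

# TDR removes incidents after 30 days; after that the quarantine cannot be undone.
INCIDENT_RETENTION_DAYS = 30


def quarantine_dir(system=None):
    """Return the documented quarantine directory for the host OS (platform.system() name)."""
    system = system or platform.system()
    return QUARANTINE_DIRS.get(system)


def classify(quarantined_at, now, age_off_days):
    """Classify a quarantined file by how long it has been in quarantine.

    'restorable'       : within 30 days, Un-Quarantine File is still possible
    'incident_expired' : older than 30 days; the copy may still be on disk, but the
                         incident is gone so the quarantine cannot be undone from TDR
    'aged_off'         : past the Age Off For Quarantined Files setting; the Host
                         Sensor deletes the encrypted copy from the quarantine directory
    The age-off check comes first because the setting may be shorter than 30 days.
    """
    age = now - quarantined_at
    if age >= timedelta(days=age_off_days):
        return "aged_off"
    if age >= timedelta(days=INCIDENT_RETENTION_DAYS):
        return "incident_expired"
    return "restorable"


def md5_of_file(path, chunk_size=1 << 20):
    """MD5 hex digest of a file, read in chunks so large binaries do not load into memory.

    Use this on the original (or restored) file when comparing with an Allowlist
    signature override; the encrypted quarantine copy hashes to a different value.
    """
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_quarantine(directory, age_off_days, now=None):
    """Return [(path, days_quarantined, status)] for each file, oldest first.

    Assumption: the file's mtime approximates the time it was quarantined.
    """
    now = now or datetime.now(timezone.utc)
    report = []
    for entry in os.scandir(directory):
        if not entry.is_file():
            continue
        quarantined_at = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
        days = (now - quarantined_at).days
        report.append((entry.path, days, classify(quarantined_at, now, age_off_days)))
    return sorted(report, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Replace 60 with the Age Off For Quarantined Files value configured for your sensors.
    target = quarantine_dir()
    if target and os.path.isdir(target):
        for path, days, status in audit_quarantine(target, age_off_days=60):
            print(f"{status:17} {days:4d} days  {path}")
    else:
        print(f"no quarantine directory found for {platform.system()}")
```

Run it on a host to see which quarantined copies can still be restored and which are past the point where the incident no longer exists. Files reported as `incident_expired` can only be recovered outside TDR, and restoring a file that way does not add its MD5 value to the Allowlist, so a later scan will quarantine it again.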

See Also

Manage TDR Indicators

About TDR Threat Scores

TDR Remediation Actions and Threat Scores