Remove a File from Quarantine

The TDR Host Sensor can quarantine a file when it performs the Quarantine File action, or as part of a Host Ransomware Prevention (HRP) action. When the Host Sensor quarantines a file, it encrypts the file and stores it locally on the host.

Windows Host Sensor quarantine directory:

c:\Program Files (x86)\WatchGuard\Threat Detection and Response\quarantine

Mac Host Sensor quarantine directory:

/usr/local/watchguard/tdr/quarantine

Linux Host Sensor quarantine directory:

/opt/watchguard/tdr/quarantine

The encrypted file remains in the quarantine directory on the host for the number of days specified in the Age Off For Quarantined Files setting. For more information, see Configure the Age Off For Quarantined Files.

If you decide that a quarantined file is not a threat, you can remove the file from quarantine for up to 30 days, as long as the quarantined file remains on the host.

After 30 days you cannot undo the quarantine action, even if the quarantined file remains on the host. This is because incidents are automatically removed from the system after 30 days.

The action to remove a file from quarantine depends on whether the Host Sensor quarantined the file as a Quarantine File action or as a Host Ransomware Prevention (HRP) action. You can select the action to remove a file from quarantine from the Remediations page, the Indicators page, or the Incidents page.

When you remove a file from Quarantine, the file is automatically added to the Whitelist.

Remove a File from Quarantine from the Remediations Page

To find the indicator and remove a file from quarantine:

  1. Log In to the TDR Web UI as an Administrator or Analyst.
  2. Select ThreatSync > Indicators.
  3. In the Action Requested column, set the filter to show only the Quarantine File action.
  4. In the Remediated Date column, select the date range for the time period when the file was quarantined.
  5. In the Search criteria text box, type the name of the host.
  6. Find the indicator for the file you want to remove from quarantine.
  7. Select the check box adjacent to the indicator. You can select more than one indicator.
  8. To remove the file for the selected indicators from quarantine, from the Actions drop-down list, select the available action. The action you can choose depends on whether the file was quarantined as the result of an HRP action or as a Quarantine File action.
    • If a file was quarantined as the result of an HRP action, select Unquarantine HRP.
      This action removes all files related to this HRP action from quarantine on the host and adds the files to the Whitelist.
    • If a file was quarantined as the result of a Quarantine File action, select Unquarantine file.
      This action removes the file in this indicator from quarantine on the host and adds the file to the Whitelist.
  9. Click Execute Action.
    TDR sends a message to the Host Sensor to remove the file from quarantine.

Remove a File from Quarantine from the Indicators Page

To find the indicator and remove a file from quarantine:

  1. Log In to the TDR Web UI as an Administrator or Analyst.
  2. Select ThreatSync > Indicators.
  3. To clear the default filters, click .
  4. In the Last Seen column, select the date range for the time period when the file was quarantined.
  5. In the Action Requested column, set the filter to show only the Quarantine File action.
  6. In the Outcome column, set the filter to show only Successful actions.
  7. In the Search criteria text box, type the name of the host.
  8. Find the indicator for the file you want to remove from quarantine.
  9. Select the check box adjacent to the indicator. You can select more than one indicator.
  10. To remove the file for the selected indicators from quarantine, from the Actions drop-down list, select the available action. The action you can choose depends on whether the file was quarantined as the result of an HRP action or as a Quarantine File action.
    • If a file was quarantined as the result of an HRP action, select Unquarantine HRP.
      This action removes all files related to this HRP action from quarantine on the host and adds the files to the Whitelist.
    • If a file was quarantined as the result of a Quarantine File action, select Unquarantine file.
      This action removes the file in this indicator from quarantine on the host and adds the file to the Whitelist.
  11. Click Execute Action.
    TDR sends a message to the Host Sensor to remove the file from quarantine.

Remove a File from Quarantine from the Incidents Page

To find the indicator and remove a file from quarantine:

  1. Log In to the TDR Web UI as an Administrator or Analyst.
  2. Select ThreatSync > Incidents.
  3. Select the date range for the time period when the file was quarantined.
  4. In the Search criteria text box, type the host name.
  5. To see incidents with any score, click .
    The default score filter is cleared.
  6. To expand the incident details, click .
    The indicators list for the host appears.

Screen shot of an expanded indicator with a quarantined file

  7. In the list of indicators for the incident, at the top of the Score column, set the filter to show only incidents with a score of 1. Click Apply.
    The indicators for successfully completed actions appear.
  8. Find the indicator for the successfully quarantined file.
  9. In the Manual Actions column, click Select Action.
    The Manual Actions dialog box appears.

Screen shot of the Machine Guided Actions dialog box for a quarantined file

The Manual Actions dialog box for a Quarantine File indicator includes an Undo check box.

Screen shot of the Manual Actions dialog box with the Unquarantine HRP action selected

The Manual Actions dialog box for an HRP indicator includes an Unquarantine HRP check box.

  10. From the Manual Actions dialog box, you can select these actions:
    • To remove a file from quarantine, select the Undo check box for that file.
      This option removes the file specified in this indicator from quarantine on the host and adds the file to the Whitelist.
    • For a Host Ransomware Prevention indicator, to remove all quarantined files included in this indicator from quarantine, select the Unquarantine HRP check box.
      This option removes all files related to the HRP action from quarantine and adds the files to the Whitelist.
  11. To execute the selected actions, click Execute Selected Actions.
    TDR sends a message to the Host Sensor to remove the file from quarantine.
  12. Click Close.

After you execute the action to remove a file from quarantine, the Action Requested / Outcome column shows the action Un-Quarantine File and the outcome In Progress. After the file has been removed from quarantine, the outcome changes to Successful.

When you execute an action to remove a file from quarantine, the MD5 value for that file is automatically added to the Whitelist as a signature override. If the action to remove the file from quarantine fails because the file no longer exists on the host, the MD5 value for that file is still added to the Whitelist. For more information about the Whitelist, see Configure TDR Signature Overrides.
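The following script is an added example and is not WatchGuard code. It brings together the quarantine directories, the Age Off For Quarantined Files setting, the 30-day window for undoing a quarantine, and the MD5 Whitelist entry described on this page: it lists the files in the platform's quarantine directory, flags any that are older than the configured age-off value (the sensor should already have deleted those) or outside the 30-day window in which an Unquarantine action is still possible, and computes the MD5 of a restored file so it can be compared with the Whitelist. It assumes the file modification time approximates the time of quarantine and uses a placeholder age-off value of 14 days; change that to the value configured in TDR. The script does not decrypt quarantine copies, because the sensor's encryption format is not documented here.

```python
"""Audit a TDR Host Sensor quarantine directory.

Added example, not WatchGuard code. Lists quarantined files with their age,
flags files older than the Age Off For Quarantined Files setting, marks
whether each is still inside the 30-day window in which an Unquarantine
action can be executed, and computes the MD5 that TDR adds to the Whitelist
when a file is restored.
"""
import hashlib
import os
import platform
import time
from dataclasses import dataclass

# Quarantine directories documented for each Host Sensor platform.
QUARANTINE_DIRS = {
    "Windows": r"c:\Program Files (x86)\WatchGuard\Threat Detection and Response\quarantine",
    "Darwin": "/usr/local/watchguard/tdr/quarantine",
    "Linux": "/opt/watchguard/tdr/quarantine",
}

# Incidents are removed after 30 days, after which the quarantine cannot be undone.
UNQUARANTINE_WINDOW_DAYS = 30


@dataclass
class QuarantineEntry:
    name: str
    age_days: float
    past_age_off: bool   # older than the Age Off setting: the sensor should already have deleted it
    undo_possible: bool  # still inside the 30-day incident window


def default_quarantine_dir(system=None):
    """Documented quarantine directory for the running (or given) platform."""
    return QUARANTINE_DIRS[system or platform.system()]


def classify(name, mtime, age_off_days, now):
    """Classify one quarantined file from its modification time (epoch seconds)."""
    age_days = (now - mtime) / 86400.0
    return QuarantineEntry(
        name=name,
        age_days=round(age_days, 2),
        past_age_off=age_days > age_off_days,
        undo_possible=age_days <= UNQUARANTINE_WINDOW_DAYS,
    )


def audit_quarantine(directory, age_off_days, now=None):
    """Return a QuarantineEntry for every regular file in the quarantine directory."""
    now = time.time() if now is None else now
    entries = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            entries.append(classify(name, os.path.getmtime(path), age_off_days, now))
    return entries


def md5_of_bytes(data):
    """MD5 hex digest of file content, the form of value TDR puts in the Whitelist."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path):
    """MD5 of a *restored* file on the host.

    The copy in the quarantine directory is encrypted, so hashing it gives a
    different value; compare Whitelist entries only against the restored file.
    """
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    # Placeholder Age Off setting of 14 days; use the value configured in TDR.
    for entry in audit_quarantine(default_quarantine_dir(), age_off_days=14):
        print(f"{entry.name}: {entry.age_days} days old, "
              f"past age off={entry.past_age_off}, undo possible={entry.undo_possible}")
```

Run it on the host with an account that can read the quarantine directory. A file reported as past the age-off value but still present is worth a closer look, and a file outside the 30-day window can no longer be restored through the TDR Web UI even though it is still on disk.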

See Also

Manage TDR Indicators

About TDR Threat Scores

TDR Remediation Actions and Threat Scores