topic Re: Quarantine not working in Cortex XDR Discussions

Quarantine not working

Marsooq_A — Sat, 23 May 2020 16:52:54 GMT

Hi Team

We have enabled quarantine for wildfire and local analysis malware verdict. When initiating malware scan from cortex xdr cloud t, the malware's are getting detected and but those are not getting quarantined.Can anyone advice is this how it works?

Re: Quarantine not working

dfalcon — Tue, 26 May 2020 17:27:28 GMT

Can you post a screenshot of the Portable Executable and DLL Examination portion of your malware profile?

Re: Quarantine not working

Marsooq_A — Tue, 26 May 2020 17:41:18 GMT

Re: Quarantine not working

dfalcon — Tue, 26 May 2020 17:55:49 GMT

Hi @Marsooq_A-

Just to confirm. When you go to Endpoint Management > Endpoint Administration, select an endpoint that is failing, right-click and select View Endpoint Policy -- can you see the profile with quarantine enabled applied to the specific machine?

Re: Quarantine not working

Marsooq_A — Tue, 26 May 2020 18:02:02 GMT

Yes , I could see the same profile in the policy and this has been confirmed several times.

Re: Quarantine not working

dfalcon — Tue, 26 May 2020 18:05:38 GMT

Next thing I would check is the agent logs after a quarantine attempt.

https://docs.paloaltonetworks.com/wildfire/8-1/wildfire-admin/submit-files-for-wildfire-analysis/verify-wildfire-submissions/test-a-sample-malware-file

You can use this test PE to trigger a quarantine event. After the event is complete, open the log file, scroll to the bottom and look for any messages associated with the quarantine attempt.

Re: Quarantine not working

Marsooq_A — Thu, 28 May 2020 07:33:30 GMT

well its works with other endpoints