https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/quarantining-files-about-300-mb-hunting-big-files/m-p/557416#M5120 <P>Yes, if you need the files at the moment, it needs to be online. If it is not, the task is hold as "Pending" until the client connects again with the console.</P> <P>I tried to retrieve files with the route&nbsp;<SPAN>%PROGRAMDATA%\Cyvera\QuarantineV2\*.* and all came encrypted.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks!</SPAN></P> <P><SPAN>JM</SPAN></P> Mon, 11 Sep 2023 19:08:56 GMT jmazzeo 2023-09-11T19:08:56Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/quarantining-files-about-300-mb-hunting-big-files/m-p/557248#M5113 <P>Hello dear community,&nbsp;</P> <P>&nbsp;</P> <P>what happens with quarantined files, which have 300 MB?&nbsp;</P> <P>&nbsp;</P> <P>I can't download it from the action center like I am used to.&nbsp;</P> <P>&nbsp;</P> <P>Yes, I saw they are moved to&nbsp;<CODE class="filename hljs language-shell"><SPAN class="hljs-meta prompt_">%</SPAN><SPAN class="language-bash">PROGRAMDATA%\Cyvera\Quarantine</SPAN></CODE><SPAN>), but can I get it from there?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Would you hunt big files, which are executed by users?&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>BR</SPAN></P> <P>&nbsp;</P> <P><SPAN>Rob</SPAN></P> Sun, 10 Sep 2023 21:13:33 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/quarantining-files-about-300-mb-hunting-big-files/m-p/557248#M5113 RFeyertag 2023-09-10T21:13:33Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/quarantining-files-about-300-mb-hunting-big-files/m-p/557349#M5115 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>, thanks for contacting us in the Live Community.</P> <P>I'll do some checks and I'll be back with more information about retrieving files from quarantine (without restoring them).</P> <P>&nbsp;</P> <P>Is really hard to find a 300MB malware file, maybe a zipped one containing it. Is a size that is really hard to manage on any solution.</P> <P>&nbsp;</P> Mon, 11 Sep 2023 13:51:00 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/quarantining-files-about-300-mb-hunting-big-files/m-p/557349#M5115 jmazzeo 2023-09-11T13:51:00Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/quarantining-files-about-300-mb-hunting-big-files/m-p/557370#M5117 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/190671">@RFeyertag</a>, I did some tests, and the files retrieved from the Qarantine folder, comes encrypted with a .qtn extension.</P> <P>&nbsp;</P> <P>The option that comes to my mind, is:</P> <P>- Restore the file to the original location.</P> <P>- Retrieve it using the Action Center as you usually do.</P> <P>&nbsp;</P> <P>The <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Retrieve-Files-from-an-Endpoint" target="_self">max size of the files is 500MB</A>.</P> <P>&nbsp;</P> <P>Please, le me know if it works for you, and mark the answer as the solution.</P> <P>&nbsp;</P> <P>Thanks!</P> Mon, 11 Sep 2023 17:07:02 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/quarantining-files-about-300-mb-hunting-big-files/m-p/557370#M5117 jmazzeo 2023-09-11T17:07:02Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/quarantining-files-about-300-mb-hunting-big-files/m-p/557415#M5119 <P>Thank you so much for your attention to this question.&nbsp;</P> <P>In my mind I was able to get the file from quarantine. But I think in this case it is too big or the isolated endpoint didn't allow it. Maybe the client also wasn't online anymore.&nbsp;</P> <P>So, if I retreive files from quarantaine, the client needs to be online, right?&nbsp;</P> <P>&nbsp;</P> <P>I will try your suggestion, thank you!&nbsp;</P> <P>BR</P> <P>&nbsp;</P> <P>Rob</P> Mon, 11 Sep 2023 19:03:12 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/quarantining-files-about-300-mb-hunting-big-files/m-p/557415#M5119 RFeyertag 2023-09-11T19:03:12Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/quarantining-files-about-300-mb-hunting-big-files/m-p/557416#M5120 <P>Yes, if you need the files at the moment, it needs to be online. If it is not, the task is hold as "Pending" until the client connects again with the console.</P> <P>I tried to retrieve files with the route&nbsp;<SPAN>%PROGRAMDATA%\Cyvera\QuarantineV2\*.* and all came encrypted.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks!</SPAN></P> <P><SPAN>JM</SPAN></P> Mon, 11 Sep 2023 19:08:56 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/quarantining-files-about-300-mb-hunting-big-files/m-p/557416#M5120 jmazzeo 2023-09-11T19:08:56Z