<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Block versus Quarantine Malware Module Settings in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/562915#M5404</link>
<description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/171707"&gt;@Joe_Botelho&lt;/a&gt;&amp;nbsp;Based on my understanding, block will only terminate the suspicious/malicious process a.k.a. causality chain. The files, configuration, code/script will remain in the affected system. In this case, the alert may re-occur until someone takes remediation action against the system.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;If you enable the option to quarantine the file - depending on the module and alert - it will remove the file and store it in a sub-directory of Cortex XDR. Because the file is no longer available, it will not be able to execute and hence the alert will not appear again. However, an analyst needs to review the quarantined file and make sure it is not a false positive. Otherwise, a file restoration is required.&lt;/P&gt;</description>
    <pubDate>Tue, 24 Oct 2023 09:54:48 GMT</pubDate>
    <dc:creator>Antony_Chan</dc:creator>
    <dc:date>2023-10-24T09:54:48Z</dc:date>
    <item>
      <title>Block versus Quarantine Malware Module Settings</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/562583#M5392</link>
      <description>&lt;P&gt;Is there a greater benefit to enabling the Quarantine setting versus the Block setting across the different modules in the Cortex XDR Malware profile? It is my understanding that both/either will result in the expected protective action (i.e. a potential threat will not be allowed to execute).&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 20 Oct 2023 14:04:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/562583#M5392</guid>
      <dc:creator>Joe_Botelho</dc:creator>
      <dc:date>2023-10-20T14:04:57Z</dc:date>
    </item>
    <item>
      <title>Re: Block versus Quarantine Malware Module Settings</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/562674#M5395</link>
      <description>&lt;P&gt;Dear&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/171707"&gt;@Joe_Botelho&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you for reaching out to Live Community. Please note that if the setting is configured to Quarantine then the file detected will be not allowed to execute and will be kept in a designated path for further analysis.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;However, when it comes to block mode, if a file is detected as malicious then it will be detected and destroyed and removed from the endpoint.&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you. &lt;/P&gt;</description>
      <pubDate>Mon, 23 Oct 2023 02:06:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/562674#M5395</guid>
      <dc:creator>abdrahman</dc:creator>
      <dc:date>2023-10-23T02:06:34Z</dc:date>
    </item>
    <item>
      <title>Re: Block versus Quarantine Malware Module Settings</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/562915#M5404</link>
<description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/171707"&gt;@Joe_Botelho&lt;/a&gt;&amp;nbsp;Based on my understanding, block will only terminate the suspicious/malicious process a.k.a. causality chain. The files, configuration, code/script will remain in the affected system. In this case, the alert may re-occur until someone takes remediation action against the system.&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;If you enable the option to quarantine the file - depending on the module and alert - it will remove the file and store it in a sub-directory of Cortex XDR. Because the file is no longer available, it will not be able to execute and hence the alert will not appear again. However, an analyst needs to review the quarantined file and make sure it is not a false positive. Otherwise, a file restoration is required.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Oct 2023 09:54:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/562915#M5404</guid>
      <dc:creator>Antony_Chan</dc:creator>
      <dc:date>2023-10-24T09:54:48Z</dc:date>
    </item>
    <item>
      <title>Re: Block versus Quarantine Malware Module Settings</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/573980#M5926</link>
<description>&lt;P&gt;Thank you for the responses. I think I am still not clear on whether it makes a difference to use block or quarantine in terms of protection. Block is designed to prevent the execution of potentially malicious files/processes, but so is quarantine. Right now, it seems that quarantine has the added step of moving the file into a sub-directory of XDR. But if you were to use the block setting, you are still protecting the endpoints. Please let me know if I am incorrect here.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 22 Jan 2024 20:26:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/573980#M5926</guid>
      <dc:creator>Joe_Botelho</dc:creator>
      <dc:date>2024-01-22T20:26:10Z</dc:date>
    </item>
    <item>
      <title>Re: Block versus Quarantine Malware Module Settings</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/580286#M6322</link>
      <description>&lt;P&gt;&lt;SPAN&gt;To clarify, the "Block and Quarantine Disabled" setting is designed to prevent the execution of the executable files but does not necessarily remove the files permanently. It effectively blocks the file from running but leaves the file intact.&amp;nbsp;&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 13 Mar 2024 21:07:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/580286#M6322</guid>
      <dc:creator>JayGolf</dc:creator>
      <dc:date>2024-03-13T21:07:38Z</dc:date>
    </item>
    <item>
      <title>Re: Block versus Quarantine Malware Module Settings</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/580385#M6333</link>
      <description>&lt;P&gt;Thank you&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/220841"&gt;@JayGolf&lt;/a&gt;&amp;nbsp;for the clarification.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 14 Mar 2024 12:11:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/block-versus-quarantine-malware-module-settings/m-p/580385#M6333</guid>
      <dc:creator>MosR</dc:creator>
      <dc:date>2024-03-14T12:11:55Z</dc:date>
    </item>
  </channel>
</rss>