How to retrieve an incident related file

Arman_Zaheri — Fri, 29 Dec 2023 11:03:20 GMT

Hi,

I want to download an incident related files in Cortex XDR, but one of them is already quarantined so when I try to retrieve it nothing happens since it's not in the original location anymore. Is there any way to download it without restoring it from quarantine?

Re: How to retrieve an incident related file

nsinghvirk — Wed, 03 Jan 2024 15:27:26 GMT

Hello @Arman_Zaheri

Thanks for reaching out on LiveCommunity!

When the agent quarantines malware, it moves the file from the location on a local or removable drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine) where it isolates the file. This prevents the file from attempting to run again from the same path or causing any harm to your endpoints. Durning this process the extension of the file is also changed to ".qtn". Accessing this file in this format will not help with analysis in a sandbox environment. Hence if you want to download a file from quarantine folder you need to restore it first.

Please refer below link for more details.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Quarantined-Files

Please click Accept as Solution to acknowledge that the answer to your question has been provided.

topic How to retrieve an incident related file in Cortex XDR Discussions

How to retrieve an incident related file

Re: How to retrieve an incident related file