Block versus Quarantine Malware Module Settings


L1 Bithead

Is there a greater benefit to enabling the Quarantine setting versus the Block setting across the different modules in the Cortex XDR Malware profile? It is my understanding that both/either will result in the expected protective action (i.e. a potential threat will not be allowed to execute). 

5 REPLIES

L3 Networker

Dear @Joe_Botelho,

Thank you for reaching out to Live Community. Please note that if the setting is configured to Quarantine then the file detected will not be allowed to execute and will be kept in a designated path for further analysis.

However, when it comes to block mode, if a file is detected as malicious then it will be detected and destroyed and removed from the endpoint.

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

L2 Linker

@Joe_Botelho Based on my understanding, block will only terminate the suspicious/malicious process, a.k.a. the causality chain. The files, configuration, and code/script will remain on the affected system. In this case, the alert may re-occur until someone takes remediation action against the system.

If you enable the option to quarantine the file - depending on the module and alert - it will remove the file and store it in a sub-directory of Cortex XDR. Because the file is no longer available, it will not be able to execute and hence the alert will not appear again. However, an analyst needs to review the quarantined file and make sure it is not a false positive. Otherwise, a file restoration is required.

AC

L1 Bithead

Thank you for the responses. I think I am still not clear on whether it makes a difference to use block or quarantine in terms of protection. Block is designed to prevent the execution of potentially malicious files/processes, but so is quarantine. Right now, it seems that quarantine has the added step of moving the file into a sub-directory of XDR. But if you were to use the block setting, you are still protecting the endpoints. Please let me know if I am incorrect here.

Community Team Member

To clarify, the "Block and Quarantine Disabled" setting is designed to prevent the execution of the executable files but does not necessarily remove the files permanently. It effectively blocks the file from running but leaves the file intact. 

LIVEcommunity team member
Stay Secure,
Jay

Thank you @JayGolf for the clarification. 
