10-20-2023 07:04 AM
Is there a greater benefit to enabling the Quarantine setting versus the Block setting across the different modules in the Cortex XDR Malware profile? It is my understanding that both/either will result in the expected protective action (i.e. a potential threat will not be allowed to execute).
10-22-2023 07:06 PM
Dear @Joe_Botelho ,
Thank you for reaching out to Live Community. Please note that if the setting is configured to Quarantine, then the file detected will not be allowed to execute and will be kept in a designated path for further analysis.
However, when it comes to block mode, if a file is detected as malicious then it will be detected and destroyed and removed from the endpoint.
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.
10-24-2023 02:54 AM
@Joe_Botelho Based on my understanding, block will only terminate the suspicious/malicious process, a.k.a. the causality chain. The files, configuration, and code/script will remain in the affected system. In this case, the alert may re-occur until someone takes remediation action against the system.
If you enable the option to quarantine the file - depending on the module and alert - it will remove the file and store it in a sub-directory of Cortex XDR. Because the file is no longer available, it will not be able to execute and hence the alert will not appear again. However, an analyst needs to review the quarantined file and make sure it is not a false positive. Otherwise, a file restoration is required.
01-22-2024 12:26 PM
Thank you for the responses. I think I am still not clear on whether it makes a difference to use block or quarantine in terms of protection. Block is designed to prevent the execution of potentially malicious files/processes, but so is quarantine. Right now, it seems that quarantine has the added step of moving the file into a sub-directory of XDR. But if you were to use the block setting, you are still protecting the endpoints. Please let me know if I am incorrect here.
03-13-2024 02:07 PM
To clarify, the "Block and Quarantine Disabled" setting is designed to prevent the execution of the executable files but does not necessarily remove the files permanently. It effectively blocks the file from running but leaves the file intact.
03-14-2024 05:11 AM
Thank you @JayGolf for the clarification.