Quarantined Files not appearing in Action Center


L1 Bithead

Hi there,


We are having issues with files being quarantined on BIOCs, but they are not appearing in the Action Center > File Quarantine.

We have verified both Broker VM and local machines experiencing this issue are not anywhere near storage quota.

We can see the quarantine appearing in the trapsd.log file and we can see the packets making it from the local machines to the data broker.

We tried reverting to an earlier version of the XDR to no avail, so have re-upgraded to the latest.

Additionally, I don't know how to correlate the noted Rule to the BIOC Rules. The Additional information 1 in the quarantine pop-up shows "Rule bitsjob_amsi_suspicious_strings".

Please let me know if you have any ideas or what greater information might be helpful to solve this.

L5 Sessionator

Hello @M.Crow,

Greetings for the day.

Based on the internal documentation and case history, the issue where files are quarantined locally but do not appear in the Action Center > File Quarantine view is often related to how the agent's policy is configured or how specific rule types (like BIOCs/BTP) report their actions to the management console.

1. Centralized vs. Local Quarantine Management

When a file is quarantined locally by the Cortex XDR agent as a result of certain local policy actions, it may be managed exclusively at the agent's local level. In such cases, the file will not appear in the centralized File Quarantine view in the management console.

2. Malware Profile Configuration Discrepancies

A common root cause for quarantined files missing from the console is an incomplete or restrictive Malware Security Profile configuration.

  • Verdict Coverage: If the Malware Profile is configured to quarantine only WildFire verdicts but the detection was triggered by Local Analysis, the agent may perform the local movement but fail to log the event centrally in the quarantine list.
  • Resolution: Verify that the Malware Profile assigned to the affected endpoints has the following settings enabled:
    • Quarantine malicious executables is checked.
    • The quarantine scope is set to Quarantine WildFire and Local Analysis malware verdict.

3. BIOC Rule and BTP Logic

The rule noted in your quarantine popup, bitsjob_amsi_suspicious_strings, indicates a detection via the AMSI (Antimalware Scan Interface) or Behavioral Threat Protection (BTP) module.

  • Asynchronous Action: BIOC rules and BTP are often post-execution and asynchronous. For certain script-based threats (like those involving BITS jobs or AMSI), the initial BIOC event may terminate the process (kill causality) but may not immediately trigger a centralized quarantine record for the script file itself.
  • Reporting: In some scenarios, if the quarantine is triggered by a Custom Prevention Rule (CPR), the alert action might be reported as "Detected" or "Terminated" rather than "Quarantined" in the main alerts table, even if the file was moved locally.

4. How to Correlate the Rule

The string bitsjob_amsi_suspicious_strings is the internal biocRuleName used by the agent's engine (CLIPS). To correlate this to a rule in the console:

  1. Navigate to Detection Rules > BIOC.
  2. Search for the rule name or use filters to find rule IDs. Note that the console typically displays the friendlyName, which may differ slightly from the internal string.
  3. Alternatively, check your Restrictions profiles to see which BIOC rules have been added as Custom Prevention Rules (CPR).

5. Troubleshooting Steps on the Endpoint

To verify the status of these files locally, you can use the cytool utility (requires the agent administrator/uninstallation password).

  • List Quarantined Files: cytool quarantine list
  • Restore a File Locally: cytool quarantine restore <QUARANTINE_ID> <DESTINATION_PATH>

Recommendation for Further Analysis:

If packets are reaching the data broker but the data is still missing, please provide:

  1. A Tech Support File (TSF) from an affected endpoint.
  2. The Debug Alert Data for the relevant incident (right-click the alert > Additional Data > Retrieve Alert Data).
  3. Confirmation whether any Alert Exclusion rules are active that might be suppressing these specific events from the console views.

If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar
