Quarntine Malicious file detected by scan

cancel
Showing results for 
Search instead for 
Did you mean: 

Quarntine Malicious file detected by scan

L0 Member

Hi all,

When I initiate a scan to a machine a the action of malicious file is Detected (Scanned) but it is not getting quarantine although we enabled the quarantine malicious files in Behavioral Threat Protection.
Anyone know the reason ?

Thank you,

2 REPLIES 2

L1 Bithead

BTP is for actions involving a PE/Macro/DLL and a windows process. I believe that is a simple explanation I can offer.

 

The detection of an action would involve "real time" scan analysis and be behavioral.

 

The scanned alerts are specific to "periodic" scanning of a file at rest. That's what you are doing now.

 

You'll need to set the quarantine on "Portable exe and DLL examination" in the "Malware Analysis Profile" to achieve what you are asking. Its set to disabled by default.

 

i dont know PA best practice but... Id run the periodic scan at least once before i enabled the quarantine for file types. Let it run across your enterprise and fill your screen with incidents/alerts. You are going to find tons of stuff you probably didnt know existed just laying around. You will see multiple instances of things which can help you isolate spread or unauthorized usage. Remediate them first. What that will do is populate your verdicts in the Wildfire database and enhance your local analysis. Nobody will know you did it and you wont piss off your sysadmins when the quarantine siezes all of their crazy tools. Give em a chance to explain first and you'll make friends :)

 

The existence of BTP and file block options in Cortex is already protecting you in real time. Take your time.

 

 

L4 Transporter

Hi there-

 

The quarantine function is limited to PE's and DLL's and can be set in the malware profile.

dfalcon_0-1611845901152.png

 

Macros are different in that you would not want to quarantine the actual executable, which would be Word, Excel, etc.   For that reason, the specific file is what is terminated, while the Office application remains open.  Your option for a macro is simply to block.

dfalcon_1-1611846022008.png

 

BTP is also different.  When events occur on the endpoint, they are loaded into BTP memory.  From there, the event is compared to a list of built-in BTP rules and if one is triggered, it is terminated.  This cycle is repeated based on what is occurring.  For example, someone may be running Outlook.  That person receives and opens an email, then opens a Word attachment.  After the Word attachment is open, a macro is executed which is doing something it shouldn't.  BTP looks at each stage in this process and terminates once something matches a built-in BTP rule.  You cannot check BTP at rest since it is based on behavior in motion.


David Falcon 
Solutions Architect, Cortex
Palo Alto Networks® 
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!