01-28-2021 07:02 AM
Hi there-
The quarantine function is limited to PEs and DLLs and can be set in the malware profile.
Macros are different in that you would not want to quarantine the actual executable, which would be Word, Excel, etc. For that reason, the specific file is what is terminated, while the Office application remains open. Your option for a macro is simply to block.
BTP is also different. When events occur on the endpoint, they are loaded into BTP memory. From there, the event is compared to a list of built-in BTP rules and if one is triggered, it is terminated. This cycle is repeated based on what is occurring. For example, someone may be running Outlook. That person receives and opens an email, then opens a Word attachment. After the Word attachment is open, a macro is executed which is doing something it shouldn't. BTP looks at each stage in this process and terminates once something matches a built-in BTP rule. You cannot check BTP at rest since it is based on behavior in motion.