
Commit 25de97a

[Security] Clarify quarantined file handling in Elastic Defend docs (#2619)
Contributes to elastic/security-docs#5157 by clarifying that files quarantined by Elastic Defend are obfuscated with a rolling XOR and that the `get-file` action automatically reverses this to retrieve the original file. Preview: [Configure an integration policy for Elastic Defend > Manage quarantined files](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2619/solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend#manage-quarantined-files)
1 parent 2ebb985 commit 25de97a

1 file changed: +5 -1 lines changed


solutions/security/configure-elastic-defend/configure-an-integration-policy-for-elastic-defend.md

Lines changed: 5 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -95,7 +95,7 @@ If you have the appropriate license or project feature, you can customize these
9595

9696
### Manage quarantined files [manage-quarantined-files]
9797

98-
When **Prevent** is enabled for malware protection, {{elastic-defend}} will quarantine any malicious file it finds (this includes files defined in the [blocklist](/solutions/security/manage-elastic-defend/blocklist.md)). Specifically, {{elastic-defend}} will remove the file from its current location, encrypt it with the encryption key `ELASTIC`, move it to a different folder, and rename it as a GUID string, such as `318e70c2-af9b-4c3a-939d-11410b9a112c`.
98+
When **Prevent** is enabled for malware protection, {{elastic-defend}} will quarantine any malicious file it finds (this includes files defined in the [blocklist](/solutions/security/manage-elastic-defend/blocklist.md)). Specifically, {{elastic-defend}} will remove the file from its current location, apply a rolling XOR with the key `ELASTIC`, move it to a different folder, and rename it as a GUID string, such as `318e70c2-af9b-4c3a-939d-11410b9a112c`.
9999

100100
The quarantine folder location varies by operating system:
101101

@@ -108,6 +108,10 @@ To restore a quarantined file to its original state and location, [add an except
108108

109109
You can access a quarantined file by using the `get-file` [response action command](/solutions/security/endpoint-response-actions.md#response-action-commands) in the response console. To do this, copy the path from the alert’s **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the alert details flyout. Then paste the value into the `--path` parameter. This action doesn’t restore the file to its original location, so you will need to do this manually.
110110

111+
::::{important}
112+
When you retrieve a quarantined file using `get-file`, the XOR obfuscation is automatically reversed, and the original malicious file is retrieved.
113+
::::
114+
111115
::::{note}
112116
* In {{stack}}, response actions and the response console UI are [Enterprise subscription](https://www.elastic.co/pricing) features.
113117
* In {{serverless-short}}, response actions and the response console UI are Endpoint Protection Complete [project features](/deploy-manage/deploy/elastic-cloud/project-settings.md).
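Review bot: The new important block (lines 111-113) says "the original malicious file is retrieved", but line 98 states that quarantine also captures files defined in the blocklist, so the retrieved file may be a blocklisted rather than a malicious one; "the original, unobfuscated file" is accurate in both cases. It would also be worth stating the converse explicitly, since the paragraph at 109 points the reader at `file.Ext.quarantine_path`: a file copied straight out of the quarantine folder (the GUID-named copy) is still XOR-obfuscated, and only `get-file` reverses it. Finally, because line 109 already notes that `get-file` does not restore the file, this admonition is the natural place to remind the reader that the download is the live original and should be handled as such rather than opened on the analyst's workstation.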
