
Commit f4d58c1

Clarify quarantined file handling in Elastic Defend docs (#7037) (#7042)
(cherry picked from commit 15f1c11) Co-authored-by: natasha-moore-elastic <[email protected]>
1 parent e123c7a commit f4d58c1

1 file changed (+3 -1 lines changed)

docs/getting-started/configure-integration-policy.asciidoc

Lines changed: 3 additions & 1 deletion
@@ -84,7 +84,7 @@ image::images/install-endpoint/malware-protection.png[Detail of malware protecti
8484
[[manage-quarantined-files]]
8585
=== Manage quarantined files
8686

87-
When *Prevent* is enabled for malware protection, {elastic-defend} will quarantine any malicious file it finds (this includes files defined in the <<blocklist>>). Specifically {elastic-defend} will remove the file from its current location, encrypt it with the encryption key `ELASTIC`, move it to a different folder, and rename it as a GUID string, such as `318e70c2-af9b-4c3a-939d-11410b9a112c`.
87+
When *Prevent* is enabled for malware protection, {elastic-defend} will quarantine any malicious file it finds (this includes files defined in the <<blocklist>>). Specifically {elastic-defend} will remove the file from its current location, apply a rolling XOR with the key `ELASTIC`, move it to a different folder, and rename it as a GUID string, such as `318e70c2-af9b-4c3a-939d-11410b9a112c`.
8888

8989
The quarantine folder location varies by operating system:
9090

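Review bot: The replacement of "encrypt it with the encryption key `ELASTIC`" by "apply a rolling XOR with the key `ELASTIC`" on line 87 is the right correction, since a fixed-key XOR is obfuscation rather than encryption, but the sentence still leaves the reader to infer that; consider stating it outright so the paragraph matches the wording of the later IMPORTANT note, for example "obfuscate it with a rolling XOR using the key `ELASTIC` (this is not encryption)". Two smaller points in the same line: "Specifically {elastic-defend} will remove" needs a comma after "Specifically", and a short clause on why the file is transformed at all (so the quarantined copy is inert and does not trigger further detections) would make the mechanism clearer to readers who wonder why a known key is used.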
@@ -97,6 +97,8 @@ To restore a quarantined file to its original state and location, <<add-exceptio
9797

9898
You can access a quarantined file by using the `get-file` <<response-action-commands,response action command>> in the response console. To do this, copy the path from the alert's **Quarantined file path** field (`file.Ext.quarantine_path`), which appears under **Highlighted fields** in the alert details flyout. Then paste the value into the `--path` parameter. This action doesn't restore the file to its original location, so you will need to do this manually.
9999

100+
IMPORTANT: When you retrieve a quarantined file using `get-file`, the XOR obfuscation is automatically reversed, and the original malicious file is retrieved.
101+
100102
NOTE: Response actions and the response console UI are https://www.elastic.co/pricing[Enterprise subscription] features.
101103

102104
[discrete]
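Review bot: The new IMPORTANT note on line 100 tells the reader that `get-file` returns "the original malicious file" but not what that means for handling it; since the retrieved artifact is live malware once the XOR is reversed, the note should say where it lands (the download from the response console) and advise treating it as such, for instance by handling it only in an isolated analysis environment. Wording-wise, the two passives can be tightened to "{elastic-defend} automatically reverses the XOR obfuscation and returns the original malicious file", and "XOR obfuscation" here should use the same term as the quarantine paragraph on line 87 ("rolling XOR") so the two descriptions are recognisably the same operation.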
