Manage Quarantined Files
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP
When WatchGuard Endpoint Security detects a file it considers a threat, the file is deleted from the user's computer and stored in a Quarantine folder in the software installation directory. The quarantine feature is only available on Windows, macOS, and Linux endpoints.
The classification and type of threat determine the actions that Endpoint Security takes on the detected file:
- Malicious files for which disinfection is possible — Files are disinfected and restored to their original location.
- Malicious files for which disinfection is not possible — Files are moved to quarantine and remain there for seven days.
- Non-malicious items — Files determined to be goodware and incorrectly classified as malware (false positive) are automatically restored from quarantine to their original location.
- Suspicious items — Files are stored in quarantine for 30 days. If they are determined to be goodware, they are restored to their original location.
Endpoint Security does not permanently delete files from user computers. All deleted files are sent to a backup folder.
Review Quarantined Files
The Quarantine folder is encrypted and cannot be accessed by any other process.
To review a list of quarantined items:
- Select Status > Security.
- Click the tile for the type of threats you want to review:
  - Malware activity
  - PUP activity
  - Exploit activity
  - Threats detected by the antivirus
- Click Filters.
- In the Action area, select the Quarantined and Deleted check boxes.
- Click Filter.
Restore Files from Quarantine
You can only retrieve files from the Quarantine folder from the Endpoint Security management UI.
To restore items from quarantine:
- Select Status > Security.
- Click the tile for the type of threats you want to restore:
  - Malware activity
  - PUP activity
  - Exploit activity
  - Threats detected by the antivirus
- Click Filters.
- In the Action area, select the Quarantined and Disinfected check boxes.
- Next to the Action, click the info icon.
A pop-up describes why the item was moved to quarantine.
- Click Restore and do not detect again.
The file is restored to its original location. The permissions, owner, and registry entries related to the file are also restored.