3.6.5. Quarantine
Options
The quarantine keeps blocked files in a separate location. It can be used by configuring workflows (see the Advanced section on the Workflow template configuration page).
On the Quarantine page (Dashboard → Quarantine), the following operations can be performed on the quarantined files:
- By clicking on the [icon], item details appear.
- Pinned files won't be removed on clean-ups. Use the pin icon to pin a file.
- To remove files from the list, use the bin icon.
- Files can be downloaded by clicking the download icon.
- Send to MetaDefender Cloud for threat intel. For details see the next section.
The Send to MetaDefender Cloud, the Pin, Unpin and Delete operations can also be performed in bulk using the check-boxes before the filenames and clicking the action icons above the file list.
Send to MetaDefender Cloud
Since MetaDefender version 4.14.0 MetaDefender Cloud integration is available.
Files in the quarantine can be uploaded to MetaDefender Cloud to get threat intelligence on them.
This feature requires the Threat Intelligence technology to be licensed, and enabled.
Quarantine items may be sent to MetaDefender Cloud:
- Manually using the Send to MetaDefender Cloud function, or
- Automatically, driven by the configuration under Quarantine settings.
Quarantine settings
To edit quarantine settings, click SETTINGS in Dashboard > Quarantine. The following options are available:
- AUTOMATICALLY SEND ITEMS TO METADEFENDER CLOUD: If enabled, all new quarantine items will be uploaded to MetaDefender Cloud for threat intelligence information.
- CHECK QUARANTINE FOR NEW ITEMS TO SEND: The frequency (in seconds) to check for new quarantine items to upload to MetaDefender Cloud.
- RESULT POLLING: Once a quarantine item is uploaded to MetaDefender Cloud, MetaDefender must poll the Cloud for results. The polling frequency (in seconds) can be set here.
Operating MetaDefender Cloud integration
While a quarantine item is uploading to MetaDefender Cloud (either manually or automatically), the THREAT INTELLIGENCE status is set to Uploading.
When the upload is complete and MetaDefender is waiting for the results (and polling for them), the THREAT INTELLIGENCE field shows the processing progress.
When the scan is complete on the Cloud side and MetaDefender has received the results, they are shown in the THREAT INTELLIGENCE field.
Threat intelligence details
Clicking the Show details function opens the Quarantine item details view. Clicking the THREAT INTELLIGENCE RESULTS tab shows further details from MetaDefender Cloud:
- RESULT: Processing summary stating whether the entry was blocked or allowed.
- VERDICT: More verbose details about the processing results.
- AV ENGINES: Number of anti-virus engines that were used for scanning this item.
- TOTAL TIME: Total processing time of this item for this scan.
- RESULT LINK: Link to the processing results on MetaDefender Cloud.
If this quarantine item was uploaded to the Cloud multiple times, then there will be multiple THREAT INTELLIGENCE RESULTS pages in the tab.
Enabling MetaDefender Cloud integration
MetaDefender Cloud integration requires the Threat Intelligence technology to be licensed, and enabled under Inventory > Technologies:
Unless the Threat Intelligence technology is enabled, Cloud upload attempts will give an Unavailable result.
| Step | Description |
| 1 | |
| 2 | Click on the Settings link, the Engine Configuration dialog opens |
| 3 | Provide the METADEFENDER CLOUD API KEY value. The API key may be obtained from the OPSWAT portal. |
| 4 | Click SAVE SETTINGS to save the engine configuration. |
Troubleshooting
| Symptom | Potential problem | Resolution |
| MetaDefender Cloud upload attempts give Unavailable result. | | |
| MetaDefender Cloud upload attempts give Add the API key for cloud analysis result. | | |
| MetaDefender Cloud upload attempts give API calls per day limit reached result. | | |