3.6.5. Quarantine

Options

The quarantine is for keeping blocked files in a separated place. It can be used by configuring workflows (see Advanced section on Workflow template configuration page).

On the Quarantine page (Dashboard → Quarantine), the following operations can be performed on the quarantined files:

images/download/attachments/35217161/image2018-12-13_12-34-29.png

  1. By clicking on the images/s/en_GB/7201/e9483755159fbecaf5aef9b1eebd094ee4430d2f/_/images/icons/emoticons/information.png , item details appear

  2. Pinned files won't be removed on clean-ups. Use the pin icon to do so.

  3. For removing the files from the list, please use the bin icon.

  4. Files can be downloaded by clicking the download icon.

  5. images/download/attachments/35217161/image2018-12-13_14-22-21.png Send to MetaDefender Cloud for threat intel. For details see the next section.

The Send to MetaDefender Cloud, the Pin, Unpin and Delete operations can also be performed in bulk using the check-boxes before the filenames and clicking the action icons above the file list.

Send to MetaDefender Cloud

Since MetaDefender version 4.14.0 MetaDefender Cloud integration is available.

Files in the quarantine can be uploaded to MetaDefender Cloud to get threat intelligence on them.

This feature requires the Threat Intelligence technology to be licensed, and enabled.

Quarantine items may be sent to MetaDefender Cloud:

  1. Manually using the images/download/attachments/35217161/image2018-12-13_14-22-21.png Send to MetaDefender Cloud function, or

  2. Automatically, driven by the configuration under Quarantine settings.

Quarantine settings

To edit quarantine settings, click SETTINGS in Dashboard > Quarantine. The following options are available:

  1. AUTOMATICALLY SEND ITEMS TO METADEFENDER CLOUD: If enabled, all new quarantine items will be uploaded to MetaDefender Cloud for threat intelligence information.

    1. CHECK QUARANTINE FOR NEW ITEMS TO SEND: The frequency (in seconds) to check for new quarantine items to upload to MetaDefender Cloud.

  2. RESULT POLLING: Once a quarantine item is uploaded to MetaDefender Cloud, MetaDefender must poll the Cloud for results. The polling frequency (in seconds) can be set here.

images/download/attachments/35217161/image2018-12-13_14-39-38.png

Operating MetaDefender Cloud integration

While a quarantine item is uploading to MetaDefender Cloud (either manually, or automatically), the THREAT INTELLIGENCE status is set Uploading:

images/download/attachments/35217161/image2018-12-13_14-44-48.png

When the upload is complete and MetaDefender waits for the results (and does the polling), the THREAT INTELLIGENCE field shows the processing progress:

images/download/attachments/35217161/image2018-12-13_14-48-19.png

When the scan is complete on the Cloud side and MetaDefender got them, the results will be shown in the THREAT INTELLIGENCE field:

images/download/attachments/35217161/image2019-3-25_12-46-3.png

Threat intelligence details

Clicking the images/download/attachments/35217161/image2018-12-13_15-0-9.png Show details function, the Quarantine item details view is shown. Clicking the THREAT INTELLIGENCE RESULTS tab, further details from MetaDefender Cloud are shown:

  1. RESULT: Processing summary if the entry was blocked or allowed.

  2. VERDICT: A more verbose details about the processing results.

  3. AV ENGINES: Number of anti-virus engines that were used for scanning this item.

  4. TOTAL TIME: Total processing time of this item for this scan.

  5. RESULT LINK: Link to the processing results on MetaDefender Cloud.

    images/download/attachments/35217161/image2018-12-14_11-15-27.png

If this quarantine item was uploaded to the Cloud multiple times, then there will be multiple THREAT INTELLIGENCE RESULTS pages in the tab.

images/download/attachments/35217161/image2018-12-13_15-4-14.png

Enabling MetaDefender Cloud integration

MetaDefender Cloud integration requires the Threat Intelligence technology to be licensed, and enabled under Inventory > Technologies:

Unless the Threat Intelligence technology is enabled, Cloud upload attempts will give Unavailable result:

images/download/attachments/35217161/image2018-12-14_10-49-16.png

Step

Description

Screenshot

1

  1. Click on the Threat Intelligence entry in the Technologies list, the Threat Intelligence dialog opens.

images/download/attachments/35217161/image2018-12-14_10-32-24.png

2

Click on the Settings link, the Engine Configuration dialog opens

images/download/attachments/35217161/image2018-12-14_10-33-18.png

3

Provide the METADEFENDER CLOUD API KEY value. The API key may be obtained from the OPSWAT portal.

images/download/attachments/35217161/image2018-12-14_10-41-38.png

4

Click SAVE SETTINGS to save the engine configuration.

images/download/attachments/35217161/image2018-12-14_10-50-44.png

Troubleshooting

Symptom

Potential problem

Resolution

MetaDefender Cloud upload attempts give Unavailable result.

images/download/attachments/35217161/image2018-12-14_10-53-35.png

  1. The Threat Intelligence technology is not licensed.

  2. The Threat Intelligence technology is licensed, but is not enabled.

  3. MetaDefender Cloud is unavailable.

  1. Obtain license for the Threat Intelligence technology.

  2. Go to Inventory > Technologies and look up the Threat Intelligence entry.

    images/download/attachments/35217161/image2018-12-14_10-57-53.png

    1. Click on the toggle button images/download/attachments/35217161/image2018-12-14_10-59-11.png , the Enable engine dialog opens.

      images/download/attachments/35217161/image2018-12-14_11-0-14.png

    2. Click ENABLE. The engine is now enabled. The toggle button turns on images/download/attachments/35217161/image2018-12-14_11-1-43.png .

  3. When MetaDefender is configured to upload quarantine items automatically to the Cloud, but the Cloud is not available, then MetaDefender will try three times to upload. If three consecutive upload attempts fail, then the result will be set to Unavailable.
    If MetaDefender Cloud is back operational again, then the file may be attempted to be uploaded manually.

MetaDefender Cloud upload attempts give Add the API key for cloud analysis result.

images/download/attachments/35217161/image2019-3-25_12-49-53.png

  1. The Threat Intelligence engine is not configured properly.

  1. Configure the Threat Intelligence engine. Follow the steps described in the Enabling MetaDefender Cloud integration section.

MetaDefender Cloud upload attempts give API calls per day limit reached result.

images/download/attachments/35217161/image2019-3-25_12-54-58.png

  1. The MetaDefender Cloud Prevention API limit has been reached.

  1. Improve your MetaDefender Cloud subscription and increase the Prevention API limit; or wait until the next day.