This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Unlock your full community experience!
- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Showonly | Search instead for
Did you mean:
Announcements
- LIVEcommunity
- Discussions
- Security Operations
- Cortex XDR Discussions
- Block versus Quarantine Malware Module Settings
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Block versus Quarantine Malware Module Settings
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-20-202307:04 AM
Is there a greater benefit to enabling the Quarantine setting versus the Block setting across the different modules in the Cortex XDR Malware profile? It is my understanding that both/either will result in the expected protective action (i.e. a potential threat will not be allowed to execute).
0 LikesLikes
5 REPLIES 5
L3 Networker
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-22-202307:06 PM
Dear@Joe_Botelho,
Thank you for reaching out to Live Community. Please note that if the setting is configured to Quarantine then the file detected will be not allowed to execute and will be kept in a designated path for further analysis.
However, when it comes to block mode, if a file is detected as malicious then it will be detected and destroyed and removed from the endpoint.
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.
0 LikesLikes
L2 Linker
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
10-24-202302:54 AM
@Joe_BotelhoBased on my understanding, block will only terminate the suspicious/malicious process a.k.a. causality chain. The files, configuration, code/script will remain in the affected system. In this case, the alert may re-occur until someone take remediation action against the system.
If you enable the option to quarantine the file - depending on the module and alert - it will remove the file and stored it in a sub-directory of Cortex XDR. Due to the file is no longer available, it will not be able to execute and hence alert will not appear again. However, analyst need to review the quarantined file and make sure it is not a false-positive. Otherwise, a file restoration is required.
AC
0 LikesLikes
L1 Bithead
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-22-202412:26 PM
Thank you for the responses. I think I am still not clear on whether it makes a difference to use block or quarantine in terms of protection. Block is designed prevent the execution of potentially malicious files/processes but so is quarantine. Right now, it seems that quarantine has the added step of moving the file into a sub-directory of XDR. But if you were to use the block setting, you are still protecting the endpoints. Please let me know if I am incorrect here.
0 LikesLikes
Community Team Member
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-13-202402:07 PM
To clarify, the "Block and Quarantine Disabled" setting is designed to prevent the execution of the executable files but does not necessarily remove the files permanently. It effectively blocks the file from running but leaves the file intact.
LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!
Please help out other users and “Accept as Solution” if a post helps solve your problem !
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
03-14-202405:11 AM
Thank you@JayGolffor the clarification.
0 LikesLikes
- 1536 Views
- 5 replies
- 0 Likes
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
Related Content
- Cortex XDR is unable to block USB viruses - the reason is unknown. in Cortex XDR Discussions
- Automatic review of Cortex XDR for Prevention Profile: Agent Settings, Malware and Exploit in Cortex XDR Discussions
- Cortex XDR Auto Quarantine in Cortex XDR Discussions
- Migrate to New Tenant in Cortex XDR Discussions
