Netwitness Endpoint "Block & Quarantine File" option
I am having this issue with the Quarantine option in NW Endpoint.
Can somebody explain to me what the logic is behind the Block and Quarantine option for a specific file?
Is the file deleted on the endpoint machine, and if so, how is this done?
We have quarantined a file, but we are still seeing it being executed on the endpoint machine.
Thank you in advance!
Block Only: This option blocks a module from being written on the disk or loaded to the memory.
Block & Quarantine File: This option blocks the module and moves it to the quarantine folder (C:\ProgramData\EcatService\<Name>) on the server, which can be accessed only by the user with appropriate permissions. For more information about roles and permissions.
Blocking is available on Windows systems only, and the following module types can be blocked: .EXE, .COM, .SYS, .DLL, .SCR, .OCX.
Check Remediate Results in the User Guide Documentation for more details.
If blocking is not working for you, it could be because it is not enabled. Blocking can be enabled/disabled in three locations:
1. Globally by going to: Configure -> Global Parameters -> Enable Blocking System checkbox
2. At the group level by going to: Configure -> Machine Groups -> Right click on a group -> Edit -> Enable Blocking System checkbox
3. At the machine level by: Right-click on machine name -> Blocking System -> Change Blocking Status.
If you want to make sure that blocking is enabled for a particular machine, just do it at the machine level; but if you want it globally, ensure that 1 and 2 have blocking enabled and that 3 is inheriting the blocking status from the group level (i.e. 2).
Hope this helps.
Many thanks for the hint.
We are interested in the "Quarantine" option and what actions take place after we quarantine a particular module.
When a module is quarantined is it being stopped/blocked for further execution on the endpoint?
On the endpoint is the quarantined module deleted or just blocked?
Is the quarantined module copied to the server folder where the blocked files are written?
Thank you in advance!