Quarantine an Asset

In case of any malicious event, the Quarantine Asset feature restricts the infected host machine from performing any network communication. You can quarantine an asset if its agent version is 4.9.0 and above. You can Quarantine an Asset from the Incidents or Asset tab.

This feature is only available for the Windows assets.

Quarantine an Asset from the Incidents tab	Show Quarantine Assets Only
Quarantine an Asset from the Assets tab	Unquarantine an Asset from the Assets tab
Quarantine Asset Configuration from the Configuration tab	Unquarantine an Asset from the Incidents tab

Quarantine an Asset from the Incidents tab

To quarantine an asset based on the incident description, perform the following steps:

1. Click the Incident description that you want to quarantine.
2. In the Summary section, click Quarantine Asset.
   
3. In the Quarantine Asset window, add your comments. Optionally, you can toggle Allowed Applications and add the application path you prefer to be accessible while quarantining the asset. Applications listed in the Quarantine Asset Configuration will be applicable in the Allowed Applications, if this toggle is enabled.
4. To add an application, enter a valid application path in the space provided and click Add.
5. To remove an application, click the delete icon against the application path.
   
6. Click Execute Response

   

   A notification Quarantine Asset request sent successfully. View Request Status is generated.

7. Click the View Request Status to follow the asset quarantine status.

Once the asset is successfully quarantined the following status is displayed:

Quarantine an Asset from the Assets tab

To quarantine an asset from the Assets tab, perform the following steps:

1. In the Assets tab, select the Asset that you want to quarantine. The Agent version should be 4.9.0 and above
2. From the Quick Actions menu, click Quarantine Asset
3. In the Quarantine Asset window, add your comments. Optionally, you can toggle Allowed Applications and add the application path you prefer to be accessible while quarantining the asset. Applications listed in the Quarantine Asset will be applicable in the Allowed Applications, if this toggle is enabled.
4. To add an application, enter a valid application path in the space provided and click Add.
5. To remove an application, click the delete icon against the application path.
6. Click Execute ResponseA notification Quarantine Asset request sent successfully. View Request Status is generated.
7. Click the View Request Status to follow the asset quarantine status.

A quarantined asset will have the icon displayed.

The icon signifies the asset is in progress state.

Quarantine Asset Configuration from the Configuration tab

From the Configurations tab, you can white list the applications that will be allowed while the asset is quarantined.

Perform the following steps to white list applications for the Quarantined asset:

1. In the Configuration tab, select Quarantine Asset
2. Toggle Allowed Applications
3. In the Add Applications field, provide the complete path of the application. You can provide environmental variables in the field. Wild cards inputs are not supported.
   

   Add the following paths to allow the Qualys Endpoint Protection :

   C:\Program Files\Qualys\QualysEPP\EPUpdateService.exe
C:\Program Files\Qualys\QualysEPP\downloader.exe
C:\Program Files\Qualys\QualysEPP\EPSecurityService.exe
C:\ProgramFiles\Qualys\QualysEPP\ephost.integrity.legacy.exe
C:\Program Files\Qualys\QualysEPP\EPConsole.exe
C:\ProgramFiles\Qualys\QualysEPP\EPIntegrationService.exe
C:\ProgramFiles\Qualys\QualysEPP\EPProtectedService.exeC:\Program Files\Qualys\QualysEPP\bdredline.exe
4. Click Apply.

Show Quarantined Assets Only

• To view the list of the Quarantined Assets from the Assets tab, select the Show Quarantined Assets Only checkbox. The following screenshot is an example of the option that lists the quarantined assets:
  

Unquarantine an Asset from the Assets tab

To unqurantine an asset, perform the following steps:

1. In the Assets tab, select the quarantined asset. From the Quick Actions menu, select Unquarantine Asset.
2. In the Release Asset window, add your comments.
3. Click Unquarantine Asset.
   
   A notification Unquarantine Asset request sent successfully. View Request Status is generated.
4. Click the View Request Status to follow the release asset status.

Unquarantine an Asset from the Incidents tab

To release a quarantined asset, perform the following steps:

1. In the Incidents tab, select the required incident description of a quarantined asset.
2. In the Summary tab, click Unquarantine Asset.
3. In the Unquarantine Asset window add your comments.
4. Click Unquarantine Asset.

   

   A notification Unquarantine Asset request sent successfully. View Request Status is generated.

5. Click the View Request Status to follow the unquarantine asset status.