Quarantine an Asset

When a malicious event is detected, the Quarantine Asset feature isolates the affected host by blocking all of its network communication, except for the applications you explicitly allow (see Quarantine Asset Configuration below). You can quarantine an asset if its Windows Agent is version 4.9.0 or later, or its Linux Agent is version 6.0.0 or later. You can quarantine an asset from the Incidents tab or the Assets tab.

 

Quarantine an Asset from the Incidents tab

To quarantine an asset based on the incident description, perform the following steps:

  1. Click the description of the incident whose asset you want to quarantine.
  2. In the Summary section, click Quarantine Asset.
    Quarantine Asset
  3. In the Quarantine Asset window, add your comments. Optionally, toggle Allowed Applications on and add the paths of the applications that should keep network access while the asset is quarantined. When this toggle is enabled, the applications already listed under Quarantine Asset Configuration are applied as well.
  4. To add an application, enter its complete path in the space provided and click Add.

    Add Application Path

  5. To remove an application, click the delete icon against the application path.
    Delete Application Path
  6. Click Execute Response.

    Quarantine Asset Window

    The notification "Quarantine Asset request sent successfully. View Request Status" is displayed.

  7. Click View Request Status to follow the quarantine status of the asset.

    Quarantine Asset Window

Once the asset is successfully quarantined, the following status is displayed:

Quarantine Asset Successful Status

Quarantine an Asset from the Assets tab

To quarantine an asset from the Assets tab, perform the following steps:

  1. In the Assets tab, select the asset that you want to quarantine. The Windows Agent must be version 4.9.0 or later (Linux Agent 6.0.0 or later).
  2. From the Quick Actions menu, click Quarantine Asset.

    Quarantine Asset Window

  3. In the Quarantine Asset window, add your comments. Optionally, toggle Allowed Applications on and add the paths of the applications that should keep network access while the asset is quarantined. When this toggle is enabled, the applications already listed under Quarantine Asset Configuration are applied as well.
  4. To add an application, enter its complete path in the space provided and click Add.

    Add Application Path

  5. To remove an application, click the delete icon against the application path.

    Delete Application Path

  6. Click Execute Response.

    Quarantine Asset Window

    The notification "Quarantine Asset request sent successfully. View Request Status" is displayed.

  7. Click View Request Status to follow the quarantine status of the asset.

    Quarantine Asset Window

A quarantined asset is marked with the Quarantine Asset icon.

Quarantine Asset Window

The in-progress icon indicates that the quarantine request has been sent to the agent but has not yet completed.

Quarantine Asset is WIP

Quarantine Asset Configuration from the Configuration tab

From the Configuration tab, you can maintain an allow list of applications that keep network access while an asset is quarantined. Every listed binary retains network access on an otherwise isolated host, so keep the list to the minimum required (for example, the endpoint protection components below) and use complete paths to the intended executables.

Perform the following steps to allow applications on quarantined assets:

  1. In the Configuration tab, select Asset Configuration.
  2. Toggle Allowed Applications.
  3. In the Add Applications field, enter the complete path of the application. Environment variables are supported in the path; wildcards are not.

    Add the following paths to allow Qualys Endpoint Protection to keep running:

    C:\Program Files\Qualys\QualysEPP\EPUpdateService.exe
    C:\Program Files\Qualys\QualysEPP\downloader.exe
    C:\Program Files\Qualys\QualysEPP\EPSecurityService.exe
    C:\Program Files\Qualys\QualysEPP\ephost.integrity.legacy.exe
    C:\Program Files\Qualys\QualysEPP\EPConsole.exe
    C:\Program Files\Qualys\QualysEPP\EPIntegrationService.exe
    C:\Program Files\Qualys\QualysEPP\EPProtectedService.exe
    C:\Program Files\Qualys\QualysEPP\bdredline.exe
  4. Click Apply.
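The entry rules above (one complete path per entry, environment variables allowed, no wildcards) are easy to get wrong when a list is pasted from a document or a ticket. The following Python script is an added example, not part of the Qualys product or of this documentation: it pre-checks a pasted allow list before you enter it, splitting entries that were run together on one line, expanding %VAR% references against a supplied environment, rejecting wildcards and relative paths, and dropping duplicates after normalization. The sample list and the environment mapping are constructed for the example; on a real host you would pass dict(os.environ) instead of SAMPLE_ENV.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: an allow list as it might be pasted from a document.
# It deliberately contains two paths run together on one line, an entry written
# with an environment variable, a duplicate of that entry, a wildcard, and a
# relative path. Paths follow the Qualys EPP layout used on this page.
SAMPLE_ALLOW_LIST = r"""
C:\Program Files\Qualys\QualysEPP\EPUpdateService.exe
C:\ProgramFiles\Qualys\QualysEPP\ephost.integrity.legacy.exe
C:\ProgramFiles\Qualys\QualysEPP\EPProtectedService.exeC:\Program Files\Qualys\QualysEPP\bdredline.exe
%ProgramFiles%\Qualys\QualysEPP\EPConsole.exe
C:\Program Files\Qualys\QualysEPP\EPConsole.exe
C:\Program Files\Qualys\QualysEPP\*.exe
Qualys\QualysEPP\EPSecurityService.exe
"""

# Assumed environment for %VAR% expansion (constructed for the example;
# on a real Windows host pass dict(os.environ) instead).
SAMPLE_ENV: Dict[str, str] = {"ProgramFiles": r"C:\Program Files"}

_WIN_VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*)%")  # %ProgramFiles%, %ProgramFiles(x86)%
_DRIVE_ABS = re.compile(r"^[A-Za-z]:\\")                 # C:\...
# Boundary between two paths pasted together: ".exe" directly followed by "X:\".
_FUSED = re.compile(r"(?<=\.exe)(?=[A-Za-z]:\\)")


def split_fused(line: str) -> List[str]:
    """Split 'A.exeC:\\B.exe' into ['A.exe', 'C:\\B.exe']; a normal line comes back unchanged."""
    return [part for part in _FUSED.split(line) if part]


def expand_windows_vars(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references using env; raise KeyError for an unknown variable."""
    def replace(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in env:
            raise KeyError(name)
        return env[name]
    return _WIN_VAR.sub(replace, path)


def validate_entry(raw: str, env: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (normalized_path, problem); problem is None when the entry is acceptable."""
    entry = raw.strip()
    if any(ch in entry for ch in "*?"):
        return entry, "wildcards are not supported"
    try:
        expanded = expand_windows_vars(entry, env)
    except KeyError as err:
        return entry, f"unknown environment variable %{err.args[0]}%"
    if not _DRIVE_ABS.match(expanded):
        return entry, "not a complete path (must start with a drive letter, e.g. C:\\)"
    if not expanded.lower().endswith(".exe"):
        return entry, "does not name an executable"
    return expanded, None


def check_allow_list(text: str, env: Dict[str, str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (accepted_paths, [(entry, problem), ...]) for a pasted allow list."""
    accepted: List[str] = []
    problems: List[Tuple[str, str]] = []
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        for part in split_fused(line):
            path, problem = validate_entry(part, env)
            if problem:
                problems.append((part, problem))
                continue
            key = path.lower()  # Windows paths are case-insensitive
            if key in seen:
                problems.append((part, "duplicate entry"))
                continue
            seen.add(key)
            accepted.append(path)
    return accepted, problems


if __name__ == "__main__":
    good, bad = check_allow_list(SAMPLE_ALLOW_LIST, SAMPLE_ENV)
    print("Entries to add:")
    for p in good:
        print("  " + p)
    print("Rejected:")
    for entry, why in bad:
        print(f"  {entry}: {why}")
```

The script only checks syntax; it does not confirm that a path exists on the endpoint or that the binary is the one you intend to exempt from isolation, so review the accepted list against the installed software before clicking Apply.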

Show Quarantined Assets Only

Unquarantine an Asset from the Assets tab

To unquarantine an asset, perform the following steps:

  1. In the Assets tab, select the quarantined asset. From the Quick Actions menu, select Unquarantine Asset.

    Release Quarantine Asset

  2. In the Release Asset window, add your comments.
  3. Click Unquarantine Asset.
    The notification "Unquarantine Asset request sent successfully. View Request Status" is displayed.
  4. Click View Request Status to follow the release status of the asset.

Unquarantine an Asset from the Incidents tab

To release a quarantined asset, perform the following steps:

  1. In the Incidents tab, select the required incident description of a quarantined asset.
  2. In the Summary tab, click Unquarantine Asset.

    Release Asset from Incident tab

  3. In the Unquarantine Asset window, add your comments.

    Release Asset Window

  4. Click Unquarantine Asset.

    Release Asset Window

    The notification "Unquarantine Asset request sent successfully. View Request Status" is displayed.

  5. Click View Request Status to follow the unquarantine status of the asset.

Release Asset Notification

Failed Status Messages

The Status column in the Responses tab lists the assets whose quarantine request has the status Failed. Click the asset to open the Quarantine File window, which displays the possible failure cause. After addressing the cause, click Retry to send the quarantine request again.

Following are some of the remediation request failure causes:

The following screenshot shows an example of the Agent Response Timed Out failure cause:
Quarantine File window with possible failure cause.