Quarantine an Asset

When an incident indicates that a host is compromised, the Quarantine Asset feature isolates that host by blocking its network communication, except for the applications and IP addresses you explicitly allow. You can quarantine an asset only if it runs Windows Agent 4.9.0 or later or Linux Agent 6.0.0 or later. You can quarantine an asset from either the Incidents tab or the Assets tab.

Quarantine an Asset from the Incidents tab

To quarantine the asset involved in an incident, perform the following steps:

  1. Hover the mouse over an Incident Description to view the Quick Actions menu. 
  2. Click Incident Details for the incident whose asset you want to quarantine.
  3. In the Summary section, click Quarantine Asset.
    Quarantine Asset
  4. In the Quarantine Asset window, add your comments. Optionally, turn on the Allowed Applications toggle and add the path of each application that must remain able to communicate while the asset is quarantined. When this toggle is on, the applications listed in the Quarantine Asset Configuration (Configuration tab) are allowed as well.
  5. To add an application, enter the complete path of the application in the space provided and click Add.

    Add Application Path

  6. To remove an application, click the delete icon against the application path.
    Delete Application Path
  7. Click Execute Response.

    Quarantine Asset Window

    A notification is displayed: Quarantine Asset request sent successfully. View Request Status.

  8. Click View Request Status to follow the progress of the quarantine request.

    Quarantine Asset Window

    Once the asset is successfully quarantined, the following status is displayed:

    Quarantine Asset Successful Status

Quarantine an Asset from the Assets tab

To quarantine an asset from the Assets tab, perform the following steps:

  1. In the Assets tab, select the asset that you want to quarantine. The asset must run Windows Agent 4.9.0 or later or Linux Agent 6.0.0 or later.
  2. From the Quick Actions menu, click Quarantine Asset.

    Quarantine Asset Window

  3. In the Quarantine Asset window, add your comments. Optionally, turn on the Allowed Applications toggle and add the path of each application that must remain able to communicate while the asset is quarantined. When this toggle is on, the applications listed in the Quarantine Asset Configuration (Configuration tab) are allowed as well.
  4. To add an application, enter the complete path of the application in the space provided and click Add.

    Add Application Path

  5. To remove an application, click the delete icon against the application path.

    Delete Application Path

  6. Click Execute Response.

    Quarantine Asset Window

    A notification is displayed: Quarantine Asset request sent successfully. View Request Status.

  7. Click View Request Status to follow the progress of the quarantine request.

    Quarantine Asset Window

A quarantined asset is marked with the quarantine icon in the Assets list.

Quarantine Asset Window

While a quarantine or unquarantine request is still being processed, the asset is marked with the in-progress icon instead.

Quarantine Asset is WIP

Quarantine Asset Configuration from the Configuration tab

From the Configuration tab, you can define the applications that remain allowed to communicate while an asset is quarantined. This list is applied to a quarantine request whenever the Allowed Applications toggle is enabled in the Quarantine Asset window.

Perform the following steps to allow applications on a quarantined asset:

  1. In the Configuration tab, select Asset Configuration.
  2. Toggle Allowed Applications.
  3. In the Add Applications field, enter the complete path of the application. Environment variables are accepted in the path. Wildcards are not supported.

    Add the following paths to allow Qualys Endpoint Protection to keep running while the asset is quarantined:

    C:\Program Files\Qualys\QualysEPP\EPUpdateService.exe
    C:\Program Files\Qualys\QualysEPP\downloader.exe
    C:\Program Files\Qualys\QualysEPP\EPSecurityService.exe
    C:\Program Files\Qualys\QualysEPP\ephost.integrity.legacy.exe
    C:\Program Files\Qualys\QualysEPP\EPConsole.exe
    C:\Program Files\Qualys\QualysEPP\EPIntegrationService.exe
    C:\Program Files\Qualys\QualysEPP\EPProtectedService.exe
    C:\Program Files\Qualys\QualysEPP\bdredline.exe
  4. Enable the Allowed IPs toggle, enter the IP address or subnet (with its mask) that the quarantined asset may still reach, and click Add.
  5. Enable the Quarantine Asset Notification toggle and enter the notification description and admin details. 
  6. Click Apply.

The following screenshot is an example of the Quarantine Asset configuration:

Quarantine Asset is WIP
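Because a malformed allow-list entry silently fails to match on the endpoint (and an over-broad Allowed IPs entry cancels the isolation), it is worth checking the lists before pasting them into the Configuration tab. The following Python script is an added example, not Qualys code: it applies the rules stated above (complete path, environment variables accepted, no wildcards; IP address or subnet) to a list of entries. The environment-variable values and the sample entries in it are constructed for the example; Qualys's own validation of the field may differ.

```python
"""Pre-check for Quarantine Asset Configuration entries.

Added example, not Qualys code. It applies the documented rules for the
Allowed Applications list (complete path, environment variables accepted,
no wildcards) and the Allowed IPs list (IP address or subnet) to a list of
entries before they are pasted into the Configuration tab.
"""
import ipaddress
import re

# Assumed values for expanding environment variables offline. On a real
# endpoint these come from the host; this mapping is only an illustration.
ENV = {
    "PROGRAMFILES": r"C:\Program Files",
    "PROGRAMFILES(X86)": r"C:\Program Files (x86)",
    "SYSTEMROOT": r"C:\Windows",
}

# %VAR% (Windows), ${VAR} and $VAR (Linux) references.
_ENV_REF = re.compile(r"%([^%]+)%|\$\{([^}]+)\}|\$([A-Za-z_]\w*)")
# A complete path starts with a drive letter and backslash, or with /.
_ABS_PATH = re.compile(r"^(?:[A-Za-z]:\\|/)\S")
_DRIVE = re.compile(r"[A-Za-z]:\\")


def expand_env(entry: str, env: dict = ENV) -> str:
    """Expand environment-variable references, case-insensitively.

    Raises ValueError for a reference that is not defined: an entry that
    cannot be expanded on the endpoint will never match a running process.
    """
    def repl(match: re.Match) -> str:
        name = next(g for g in match.groups() if g is not None)
        value = env.get(name.upper())
        if value is None:
            raise ValueError(f"undefined environment variable in {entry!r}")
        return value
    return _ENV_REF.sub(repl, entry)


def check_app_path(entry: str, env: dict = ENV) -> list[str]:
    """Return the problems found in one Allowed Applications entry ([] if OK)."""
    problems = []
    if any(c in entry for c in "*?"):
        problems.append("wildcards are not supported")
    try:
        expanded = expand_env(entry, env)
    except ValueError as exc:
        problems.append(str(exc))
        return problems
    if not _ABS_PATH.match(expanded):
        problems.append("not a complete path")
    # Two paths pasted on one line show up as a second drive specifier.
    if len(_DRIVE.findall(expanded)) > 1:
        problems.append("two paths run together on one line")
    return problems


def check_allowed_ip(entry: str) -> list[str]:
    """Return the problems found in one Allowed IPs entry ([] if OK).

    A single address, a CIDR subnet (10.0.0.0/24) and an address with a
    dotted mask (10.0.0.0/255.255.255.0) are all accepted by ipaddress.
    """
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return ["not a valid IP address or subnet"]
    # Allowing every address would cancel the isolation the quarantine is for.
    if net.prefixlen == 0:
        return ["subnet covers all addresses and defeats the quarantine"]
    return []


def validate_config(app_paths, allowed_ips, env: dict = ENV) -> dict[str, list[str]]:
    """Map each faulty entry to its problems; an empty dict means all entries pass."""
    report = {}
    for path in app_paths:
        problems = check_app_path(path, env)
        if problems:
            report[path] = problems
    for ip in allowed_ips:
        problems = check_allowed_ip(ip)
        if problems:
            report[ip] = problems
    return report


if __name__ == "__main__":
    # Constructed sample lists: two good entries plus typical paste mistakes.
    apps = [
        r"C:\Program Files\Qualys\QualysEPP\EPUpdateService.exe",
        r"%ProgramFiles%\Qualys\QualysEPP\EPConsole.exe",
        r"C:\Program Files\Qualys\QualysEPP\*.exe",  # wildcard
        r"C:\Program Files\Qualys\QualysEPP\EPProtectedService.exeC:\Program Files\Qualys\QualysEPP\bdredline.exe",  # two paths fused
        r"%QualysHome%\EPConsole.exe",  # undefined variable
    ]
    ips = ["10.20.30.40", "10.20.0.0/16", "0.0.0.0/0", "gateway"]
    for entry, problems in validate_config(apps, ips).items():
        print(f"{entry}: {'; '.join(problems)}")
```

Run it as-is to see the constructed mistakes reported; to check a real list, put your entries in `apps` and `ips` and populate `ENV` with the variables actually defined on the endpoints.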

Show Quarantined Assets Only

To list only the quarantined assets in the Assets tab, select the Show Quarantined Assets Only checkbox. The following screenshot is an example of the option that lists the quarantined assets:

Show Quarantined Assets Only option in the Assets tab.

Unquarantine an Asset from the Assets tab

To unquarantine an asset, perform the following steps:

  1. In the Assets tab, select the quarantined asset. From the Actions drop-down menu, select Unquarantine Asset.

    Release Quarantine Asset

  2. In the Unquarantine Asset window, add your comments.
  3. Click Unquarantine Asset.

    A notification is displayed: Unquarantine Asset request sent successfully. View Request Status.

  4. Click View Request Status to follow the progress of the unquarantine request.

Unquarantine an Asset from the Incidents page

To release a quarantined asset from the Incidents page of the Detections tab, perform the following steps:

  1. In the Incidents page, select the incident whose asset is quarantined.
  2. In the Summary section, click Unquarantine Asset.

    Release Asset from Incident tab

  3. In the Unquarantine Asset window, add your comments.

    Release Asset Window

  4. Click Unquarantine Asset.

    Release Asset Window

    A notification is displayed: Unquarantine Asset request sent successfully. View Request Status.

  5. Click View Request Status to follow the progress of the unquarantine request.

Release Asset Notification

Assets Statuses

A quarantine or unquarantine request can have the following statuses in the Activity Log or the Quarantine Items tab:

  • Queued: The initial status, set as soon as you submit the Quarantine or Unquarantine action and kept until the agent confirms it. The warning icon (Quarantine Asset is WIP) indicates that the request is still pending on the asset.
  • Success: The asset was quarantined or unquarantined as requested.
  • Failed: The action could not be completed for a technical reason. See Failed Status Messages below for the possible causes.

    The following screenshot shows all three statuses on different quarantined assets:

    Quarantined assets statuses

Failed Status Messages

The Status column in the Responses tab lists the requests whose status is Failed. Click the asset to open the Quarantine File window, which shows the probable cause of the failure. After addressing the cause, click Retry to submit the request again.

Following are some of the remediation request failure causes:

  • Input File is already deleted: The input file no longer exists on the endpoint.
  • Agent Response Timed Out: The agent did not respond before the request timed out. A Quarantine Asset request that stays In Progress for more than 10 minutes is marked Agent response timed out; the timeout for event remediation is 5 minutes. You can run the action again after the timeout. 
  • Error: Unable to quarantine the file: The file or its path is restricted or protected against delete or move operations.
  • Error: Process does not exist: The process targeted by the remediation is no longer running on the endpoint or has already terminated. 
  • Quarantine a file does not exist: The requested file is not present on the endpoint. 

The following screenshot is an example of an Agent Response Timed Out failure:

Quarantine File window with possible failure cause.