Quarantine an Asset

In case of a malicious event, the Quarantine Asset feature restricts the infected host machine from performing any network communication. You can quarantine an asset if its agent version is 4.9.0 or above. You can quarantine an asset from the Incidents tab or the Assets tab.

Note: This feature is available only for Windows assets.

Quarantine an Asset from the Incidents tab

Quarantine an Asset from the Assets tab

Quarantine Asset Configuration from the Configuration tab

Release an Asset from the Assets tab

Release an Asset from the Incidents tab

Quarantine an Asset from the Incidents tab

To quarantine an asset based on the incident description, perform the following steps:

1. Click the incident description of the asset that you want to quarantine.

2. In the Summary section, click Quarantine Asset.

3. In the Quarantine Asset window, add your comments. Optionally, you can toggle Allowed Applications and add the path of each application that should remain accessible while the asset is quarantined. If this toggle is enabled, the applications listed in the Quarantine Asset Configuration also apply as Allowed Applications.

To add an application, enter a valid application path in the space provided and click Add.

To remove an application, click the delete icon against the application path.

4. Click Execute Response.

The notification "Quarantine Asset request sent successfully. View Request Status" is generated.

Click View Request Status to follow the asset quarantine status.

Once the asset is successfully quarantined, the status shows that the quarantine was successful.

Quarantine an Asset from the Assets tab

To quarantine an asset from the Assets tab, perform the following steps:

1. In the Assets tab, select the asset that you want to quarantine. The agent version should be 4.9.0 or above.

2. From the Quick Actions menu, click Quarantine Asset.

3. In the Quarantine Asset window, add your comments. Optionally, you can toggle Allowed Applications and add the path of each application that should remain accessible while the asset is quarantined. If this toggle is enabled, the applications listed in the Quarantine Asset Configuration also apply as Allowed Applications.

To add an application, enter a valid application path in the space provided and click Add.

To remove an application, click the delete icon against the application path.

4. Click Execute Response.

The notification "Quarantine Asset request sent successfully. View Request Status" is generated.

5. Click View Request Status to follow the asset quarantine status.

A quarantined asset has the Quarantine Asset icon displayed. While the quarantine request is still being processed, the icon signifies that the asset is in the in-progress state.

Quarantine Asset Configuration from the Configuration tab

From the Configuration tab, you can whitelist the applications that will be allowed while the asset is quarantined.

Perform the following steps to whitelist applications for the quarantined asset:

1. In the Configuration tab, select Quarantine Asset.

2. Toggle Allowed Applications.

3. In the Add Applications field, provide the complete path of the application. You can use environment variables in the field. Wildcard inputs are not supported.

4. Click Apply.

Note: To allow Qualys Endpoint Protection, add the following paths:

- C:\Program Files\Qualys\QualysEPP\EPUpdateService.exe

- C:\Program Files\Qualys\QualysEPP\downloader.exe

- C:\Program Files\Qualys\QualysEPP\EPSecurityService.exe

- C:\Program Files\Qualys\QualysEPP\ephost.integrity.legacy.exe

- C:\Program Files\Qualys\QualysEPP\EPConsole.exe

- C:\Program Files\Qualys\QualysEPP\EPIntegrationService.exe

- C:\Program Files\Qualys\QualysEPP\EPProtectedService.exe

- C:\Program Files\Qualys\QualysEPP\bdredline.exe
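
Each allowed application keeps network access on a quarantined host, so it is worth checking candidate paths against the rules above (complete path, environment variables permitted, no wildcards) before adding them. The following PowerShell check is an added example, not part of the Qualys product or its documentation; the function name Test-AllowedAppPath is hypothetical, and it assumes that environment variables use the Windows %VAR% syntax and that "wildcard" means the * and ? characters.

```powershell
# Added example: run on a reference Windows host that has the applications installed.
function Test-AllowedAppPath {
    param([Parameter(Mandatory)][string]$Path)

    $r = [ordered]@{ Input = $Path; Expanded = $null; Signer = $null; Verdict = 'OK' }

    # Wildcard input is not supported by the Add Applications field.
    if ($Path -match '[*?]') {
        $r.Verdict = 'REJECT: wildcard character'
        return [pscustomobject]$r
    }

    # Expand %VAR% references (assumed syntax); undefined variables are left as-is.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    $r.Expanded = $expanded
    if ($expanded -match '%[^%\\]+%') {
        $r.Verdict = 'REJECT: undefined environment variable'
        return [pscustomobject]$r
    }

    # The field expects the complete path, so require a drive-rooted path.
    if ($expanded -notmatch '^[A-Za-z]:\\') {
        $r.Verdict = 'REJECT: not a complete path'
        return [pscustomobject]$r
    }

    # A path that does not exist on the reference host is probably a typo.
    if (-not (Test-Path -LiteralPath $expanded -PathType Leaf)) {
        $r.Verdict = 'WARN: file not found on this host'
        return [pscustomobject]$r
    }

    # Record who signed the binary that will keep network access.
    $sig = Get-AuthenticodeSignature -LiteralPath $expanded
    $r.Signer = $sig.SignerCertificate.Subject
    if ($sig.Status -ne 'Valid') { $r.Verdict = "WARN: signature status $($sig.Status)" }
    return [pscustomobject]$r
}

# Sample input: the first path is from the note above, the others are constructed.
$candidates = @(
    'C:\Program Files\Qualys\QualysEPP\EPSecurityService.exe',
    '%ProgramFiles%\Qualys\QualysEPP\EPConsole.exe',
    'C:\Program Files\Qualys\QualysEPP\*.exe',
    'QualysEPP\downloader.exe'
)
$candidates | ForEach-Object { Test-AllowedAppPath -Path $_ } | Format-Table -AutoSize
```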

Release an Asset from the Assets tab

To release a quarantined asset, perform the following steps:

1. In the Assets tab, select the quarantined asset. From the Quick Actions menu, select Release Asset.

2. In the Release Asset window, add your comments.

3. Click Execute Response.

The notification "Release Asset request sent successfully. View Request Status" is generated.

4. Click View Request Status to follow the release asset status.

Release an Asset from the Incidents tab

To release a quarantined asset, perform the following steps:

1. In the Incidents tab, select the required incident description of a quarantined asset.

2. In the Summary tab, click Release Asset.

3. In the Release Asset window, add your comments.

4. Click Execute Response.

The notification "Release Asset request sent successfully. View Request Status" is generated.

5. Click View Request Status to follow the release asset status.