QUARANTINE FILES Flashcards
How do you apply the options required to manage quarantine files?
-Enabling Quarantine:
1. Find the host's prevention policy in:
Endpoint Security > Configuration > Prevention Policies
2. Find the entry with a type of Next-Gen Antivirus and a category of Quarantine, then click Enable All.
3. Recommended: set the anti-malware prevention levels to Moderate and do NOT run other antivirus solutions alongside Falcon
-Quarantined files can be reviewed and acted on (released or deleted) while monitoring detections
**CS Falcon registers with Windows Security Center, which disables Windows Defender.
Before configuring quarantine, what must be done first?
-Must FIRST enable quarantining on a prevention policy
Where are quarantine files located on a Mac host?
-Mac Hosts:
/Library/Application Support/CrowdStrike/Falcon/Quarantine
Where are quarantine files located on a Windows host?
-Windows Hosts:
\Windows\System32\Drivers\CrowdStrike\Quarantine
What file types does the Falcon sensor quarantine?
-Only binary files and PowerShell script files
What happens if you disable quarantine prevention?
-Files will no longer be quarantined on the host
-Any previously quarantined files remain quarantined
**Quarantine does not apply to detections from: Exploit Mitigation, Ransomware Exploitation Behavior, and Lateral Movement/Credential Access
When are quarantined files deleted from the host?
-Quarantined files are deleted from host after 30 days
**Can release files to prevent them from being deleted
When are quarantined files deleted from the cloud?
-Files are deleted from the cloud after 90 days.
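Added example (not CrowdStrike code) that puts the two retention numbers above to work: it inventories a host's quarantine directory, using the Windows and Mac paths from these cards, and flags files whose 30-day on-host purge is close so an analyst can release them in time. It assumes, which the cards do not state, that a quarantined file's modification time approximates the time it was quarantined; the 7-day warning threshold is a hypothetical choice for this example.

```python
"""Inventory a Falcon quarantine directory and flag files nearing the
30-day on-host purge. Added example, not CrowdStrike code.

Assumptions (not stated on the page):
  * a quarantined file's mtime approximates when it was quarantined;
  * the 30-day purge window is measured from that time.
"""
import hashlib
import os
import sys
from datetime import datetime, timedelta, timezone

# Quarantine locations as given on the flashcards.
QUARANTINE_DIRS = {
    "win32": r"C:\Windows\System32\Drivers\CrowdStrike\Quarantine",
    "darwin": "/Library/Application Support/CrowdStrike/Falcon/Quarantine",
}
HOST_RETENTION_DAYS = 30   # host-side purge window from the flashcards
CLOUD_RETENTION_DAYS = 90  # cloud-side purge window from the flashcards
WARN_DAYS = 7              # hypothetical "release it now" threshold


def days_until_purge(quarantined_at, now, retention_days=HOST_RETENTION_DAYS):
    """Whole days left before the file is purged (negative = already overdue)."""
    deadline = quarantined_at + timedelta(days=retention_days)
    return (deadline - now).days


def classify(entries, now, warn_days=WARN_DAYS):
    """entries: iterable of (name, quarantined_at) pairs.
    Returns one dict per file, soonest-to-be-purged first."""
    rows = []
    for name, when in entries:
        left = days_until_purge(when, now)
        rows.append({
            "name": name,
            "days_left": left,
            "status": "RELEASE-OR-LOSE" if left <= warn_days else "ok",
        })
    rows.sort(key=lambda r: r["days_left"])
    return rows


def scan_directory(path, now=None):
    """Walk a real quarantine directory (needs admin/root on the host).

    The SHA-256 recorded here is of the quarantined copy, which the sensor
    encodes and renames; it is NOT the hash of the original file. Use the
    Falcon console for the original file's hash and detection context.
    """
    now = now or datetime.now(timezone.utc)
    entries, digests = [], {}
    for de in os.scandir(path):
        if not de.is_file():
            continue
        mtime = datetime.fromtimestamp(de.stat().st_mtime, tz=timezone.utc)
        entries.append((de.name, mtime))
        with open(de.path, "rb") as fh:
            digests[de.name] = hashlib.sha256(fh.read()).hexdigest()
    rows = classify(entries, now)
    for r in rows:
        r["sha256_of_quarantined_copy"] = digests[r["name"]]
    return rows


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else QUARANTINE_DIRS.get(sys.platform)
    if not target or not os.path.isdir(target):
        sys.exit(f"no quarantine directory found for platform {sys.platform!r}")
    for r in scan_directory(target):
        print(f"{r['status']:16} {r['days_left']:4d}d  {r['name']}  "
              f"{r['sha256_of_quarantined_copy'][:16]}...")
```

Run it as an administrator (Windows) or with sudo (Mac) with no arguments to use the platform's default path, or pass a directory explicitly. Anything marked RELEASE-OR-LOSE should be released from the Falcon console if it is still needed for investigation, since the host copy disappears after 30 days and the cloud copy after 90.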
If you have files you don’t want to be quarantined, what needs to be done?
-An Exclusion needs to be set up
How does the Falcon sensor quarantine suspicious files?
-The Falcon sensor quarantines suspicious files according to the host's prevention policy settings
What happens when the Falcon sensor detects a suspicious file attempting to run?
-The file is encoded, renamed, and moved into the quarantine directory on the host