How to restore a file from quarantine
This article describes how to restore a file quarantined by Cybereason to its original location.
The Cybereason platform moves quarantined files from their original locations and stores them to file vaults so that the files are not executed inadvertently.
Machine administrators can unquarantine files in the following ways:
- Manually restore the file to its original location (available for version 20.1.342 and below for Endpoint Protection Malops only)
- Select Unquarantine from the Cybereason UI (available for Endpoint Protection Malops in versions 20.1.343 and above and available for AI Hunting Malops in versions 20.1.120 and above) Note: In versions, 20.1.120 to 20.1.342 files from AI Hunting Malops can be unquarantined by either manually restoring them to their original location or by selecting Unquarantine from the Cybereason UI.
MANUALLY RESTORE FILE TO ORIGINAL LOCATION
Use the manual restore option when restoring files in Cybereason versions 20.1.342 and below, and for files associated with Endpoint Protection Malops.
To restore a quarantined file to its original location:
- Open the file_table.txt file from the Cybereason quarantine folder on the machine from where the file originated. The quarantine folder paths for each operating system are:
<code>Windows: C:\ProgramData\apv2\Quarantine <br>macOS: /usr/local/cybereason/Quarantine <br>Linux: /opt/cybereason/sensor/Quarantine
- Find the original file name in the text file, and note the vault name. For example, we can see in the image below that the file "httpd.exe" corresponds to vault file "vaultFile14943054973878028754.vol".
The value in between the vault path and the original file path is the time that the quarantine action took place, in epoch time, and may also prove useful in locating the correct line item in the text file.
- Copy the corresponding vault file from the Quarantine folder to its original folder, and restore the original file name and extension.