topic Re: Retrospective Quarantine Attempt Failed alerts in Endpoint Security

Retrospective Quarantine Attempt Failed alerts

pavan1989 — Mon, 09 Nov 2020 08:40:25 GMT

Hello,

We are observing huge sipke in Retrospective Quarantine Attempt Failed alerts from past 2 days. Also, in the Event types not showing files affected. Could anyone please suggest what could be the issue.

Re: Retrospective Quarantine Attempt Failed alerts

ckuwajima — Mon, 09 Nov 2020 15:02:19 GMT

My experience with retrospective quarantine attempt failed events is that I could not locate the culprit file anywhere in the target system.

In my case, every instance was a file in temporary file directory, probably deleted by OS or application, long before AMP flagged as a compromise.

Re: Retrospective Quarantine Attempt Failed alerts

DaphneG — Mon, 09 Nov 2020 19:38:52 GMT

@pavan1989, is it happening to one machine only? @ckuwajima is right, it usually happens when the file it's trying to quarantine is no longer found in the same location it was found by the connector originally. But I can't explain the spike without details and logs. The empty file info is strange too.

Please open a TAC case so it can be investigated.

Re: Retrospective Quarantine Attempt Failed alerts

pavan1989 — Tue, 10 Nov 2020 04:20:08 GMT

Hello @DaphneG

It's showing for all the machines when I see in the event type for the compromised machine the file is empty.

Re: Retrospective Quarantine Attempt Failed alerts

pavan1989 — Tue, 10 Nov 2020 05:28:41 GMT

Hello @DaphneG and @ckuwajima

When I click on File Analysis for the same alert I am observing an error as Tsv Not Enabled Html. Could you please guide me what could be the issue.

Re: Retrospective Quarantine Attempt Failed alerts

ckuwajima — Tue, 10 Nov 2020 12:01:04 GMT

Never saw such problem and do not have deep understanding of AMP for Endpoints. You'd better open a TAC case as @DaphneG said.