Custom Detection

Diego Leitao
Level 1

Hello!

I would like to know why when I use a custom detection to quarantine a file, that file won't go to the quarantine folder and doesn't show me that the file was quarantined. 

Even when I try to open the file again, the AMP shows me "not quarantined"

So, is it possible to quarantine a file using Audit policy for instance?

Because it looks like it is not.

Accepted Solution

Did you add the Custom Detection to the policy under Management/Policies??

You create it under Outbreak Control, but it has to be added to the policies.







4 Replies

Hi,

Yeah, I did it, but it didn't work at that time.

But I think it's another problem.

Today I'm facing a problem of delay on AMP.

Some events were reported later. So I think that the manual quarantine didn't work because of that, maybe the event will be reported later.

Anyway, thanks for your help

Matthew Franks
Cisco Employee

You mentioned using an Audit Policy. The file won't be quarantined if you're using an Audit policy; you will just get a notification that it would have been quarantined if the policy was set up to do so.

So, is it not possible to manually quarantine a file if you are using an Audit policy?

I know that automatic quarantine in an Audit policy doesn't work, but I thought that you could do that manually.