Podman
Beginner

AMP for endpoints: Request a file which is already quarantined

Hi Team,

Is it possible to download a file that has already been quarantined?

The file is malicious and I don't want to restore it on the user host before downloading it.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
dkrull
Cisco Employee

Greetings Podman,

Yes, this is possible. You can perform a File Fetch, which will place the file into the File Repository under Analysis. You will need to make sure you have two-factor authentication (2FA) enabled for this to work. Once enabled, all you need to do is find the file you wish to request, either via the Events under Analysis or by searching the SHA, and from the context menu (the drop-down arrow next to the SHA) you can perform the fetch. If it is a Threat Detected and Quarantine event, you should also be able to find it via the Dashboard under Significant Compromise Artifacts.

All files downloaded from the File Repo will be zipped and password protected.

Dmitri Krull
Technical Marketing Engineer - Endpoint Security
dkrull@cisco.com
SSCP - 743085


2 REPLIES

Thanks Dmitri
