AMP for endpoints: Request a file which is already quarantined

Podman
Level 1

Hi Team,

Is it possible to download a file that has already been quarantined?

The file is malicious and I don't want to restore it on the user host before downloading it.

Thanks

Accepted Solutions

dkrull
Cisco Employee

Greetings Podman,

Yes, this is possible. You can perform a File Fetch, which will place the file into the File Repository under Analysis. You will need to make sure you have two-factor authentication (2FA) enabled for this to work. Once enabled, all you need to do is find the file you wish to request, either via the Events under Analysis or by searching the SHA, and from the context menu (the drop-down arrow next to the SHA) you can perform the fetch. If it is a Threat Detected and Quarantine event, you should also be able to find it via the Dashboard under Significant Compromise Artifacts.

All files downloaded from the File Repo will be zipped and password protected.

Dmitri Krull
Technical Marketing Engineer - Endpoint Security
dkrull@cisco.com
SSCP - 743085

2 Replies

Thanks Dmitri
