Retrospective Quarantine Attempt Failed alerts

pavan1989
Level 1

Hello,

We are observing a huge spike in Retrospective Quarantine Attempt Failed alerts from the past 2 days. Also, the event types are not showing the files affected. Could anyone please suggest what the issue could be?

5 Replies

ckuwajima
Level 1

My experience with retrospective quarantine attempt failed events is that I could not locate the culprit file anywhere in the target system.

In my case, every instance was a file in a temporary file directory, probably deleted by the OS or an application long before AMP flagged it as a compromise.

DaphneG
Cisco Employee

@pavan1989, is it happening to one machine only? @ckuwajima is right, it usually happens when the file it's trying to quarantine is no longer found in the same location it was found by the connector originally. But I can't explain the spike without details and logs. The empty file info is strange too. 

Please open a TAC case so it can be investigated. 
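The two points made above (a quarantine fails when the file has already gone from the location the connector recorded, and a sudden spike across many machines with empty file information is unusual) can be checked from an event export before opening a case. The following is an added triage example, not Cisco's tooling and not the thread's own code; it assumes a simplified, constructed event schema (`date`, `hostname`, `event_type`, `file_path`) rather than the real AMP for Endpoints export or API format, and the sample events are constructed here to reproduce the situation described in the question.

```python
"""Triage 'Retrospective Quarantine Attempt Failed' events from an export.

Assumed, simplified event schema (constructed for this example; NOT the
AMP for Endpoints console export or API format):
  {"date": "YYYY-MM-DD", "hostname": str, "event_type": str, "file_path": str}
"""
from collections import Counter, defaultdict
from statistics import median

FAILED = "Retrospective Quarantine Attempt Failed"

# Path fragments that mark transient locations where the OS or an application
# typically removes files long before a retrospective verdict arrives.
# Assumption drawn from the thread; extend the list for your environment.
TRANSIENT_MARKERS = ("\\temp\\", "/tmp/", "\\appdata\\local\\temp\\", "/var/tmp/")


def is_transient_path(path):
    """True if the recorded path lies under a temp-style directory."""
    low = path.lower()
    return any(marker in low for marker in TRANSIENT_MARKERS)


def classify(events):
    """Per-host counts: total failures, failures with no file info,
    and failures whose recorded path was a transient location."""
    per_host = defaultdict(lambda: {"total": 0, "no_file_info": 0, "transient_path": 0})
    for ev in events:
        if ev["event_type"] != FAILED:
            continue
        host = per_host[ev["hostname"]]
        host["total"] += 1
        path = ev.get("file_path") or ""
        if not path:
            host["no_file_info"] += 1      # the "empty file" case from the question
        elif is_transient_path(path):
            host["transient_path"] += 1    # the "already deleted temp file" case
    return dict(per_host)


def daily_counts(events):
    """Number of failed retrospective quarantines per calendar day."""
    return dict(Counter(ev["date"] for ev in events if ev["event_type"] == FAILED))


def spike_days(events, baseline_days=5, factor=3.0):
    """Days whose count exceeds factor x the median of the preceding
    baseline_days days that have data (at least 3 needed for a baseline)."""
    counts = daily_counts(events)
    days = sorted(counts)
    flagged = []
    for i, day in enumerate(days):
        window = [counts[d] for d in days[max(0, i - baseline_days):i]]
        if len(window) >= 3 and counts[day] > factor * median(window):
            flagged.append(day)
    return flagged


def hosts_on(events, day):
    """Set of hosts with a failed retrospective quarantine on the given day
    (answers 'is it happening to one machine only?')."""
    return {ev["hostname"] for ev in events
            if ev["event_type"] == FAILED and ev["date"] == day}


# Constructed sample: a quiet baseline of temp-directory failures, then two
# days of many failures across several hosts with empty file information.
SAMPLE_EVENTS = [
    {"date": "2020-03-01", "hostname": "ws01", "event_type": FAILED,
     "file_path": "C:\\Users\\a\\AppData\\Local\\Temp\\inst.exe"},
    {"date": "2020-03-02", "hostname": "ws02", "event_type": FAILED,
     "file_path": "C:\\Windows\\Temp\\x.tmp"},
    {"date": "2020-03-03", "hostname": "ws01", "event_type": FAILED,
     "file_path": "/tmp/dl.bin"},
    {"date": "2020-03-03", "hostname": "ws03", "event_type": "Threat Detected",
     "file_path": "C:\\Users\\b\\Downloads\\m.exe"},
    {"date": "2020-03-04", "hostname": "ws03", "event_type": FAILED,
     "file_path": "C:\\Users\\b\\AppData\\Local\\Temp\\u.exe"},
    {"date": "2020-03-05", "hostname": "ws02", "event_type": FAILED,
     "file_path": "/var/tmp/cache.dat"},
]
for n in range(12):
    SAMPLE_EVENTS.append({"date": "2020-03-06", "hostname": f"ws{n % 4:02d}",
                          "event_type": FAILED, "file_path": ""})
for n in range(15):
    SAMPLE_EVENTS.append({"date": "2020-03-07", "hostname": f"ws{n % 4:02d}",
                          "event_type": FAILED, "file_path": ""})

if __name__ == "__main__":
    for day in spike_days(SAMPLE_EVENTS):
        print(day, "spike across hosts:", sorted(hosts_on(SAMPLE_EVENTS, day)))
    for host, summary in sorted(classify(SAMPLE_EVENTS).items()):
        print(host, summary)
```

Run on a real export, a high `transient_path` share with no spike matches the benign explanation given above; a spike where nearly every event has `no_file_info` and touches most hosts is the pattern worth handing to TAC together with the connector logs.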

Hello @DaphneG 

It's showing for all the machines. When I look at the event type for the compromised machine, the file is empty.

pavan1989
Level 1

Hello @DaphneG and @ckuwajima 

When I click on File Analysis for the same alert, I am observing an error, "Tsv Not Enabled Html". Could you please guide me on what the issue could be?

Never saw such a problem and I do not have a deep understanding of AMP for Endpoints. You'd better open a TAC case as @DaphneG said.