Threat Quarantined

phonehome
Level 1

We had a threat detected (malicious docx file) and AMP indicates it was quarantined successfully, but the file remained in the original location. Shouldn't AMP be removing the file? How can I figure out why it was not removed?

Also, this particular file has been sitting in this location since 2016. AMP has performed many scans on this machine. Why is this file all of a sudden being flagged?

 

Thanks

3 Replies

luis_cordova
VIP Alumni

Hi @phonehome,

I hope this response to a community discussion can help you a bit:

https://community.cisco.com/t5/advanced-threats/will-amp-for-endpoint-remove-malware-or-just-quarantine/td-p/3721454

Re: Will AMP for Endpoint remove Malware or just quarantine?

It will not remove malware if it is installed. What AMP does is hopefully get the file before it is executed, and it will quarantine it. So if the user downloads a malicious executable and puts it in their Documents folder, AMP will detect it and quarantine it to its own folder. If it is still marked malicious after analysis, it will stay in that folder. After 30 days it is supposed to be deleted, but I have never been able to confirm that 100% as far as the time frame. Personally, I would rather have a shorter time frame. If it is determined to not be malicious within those 30 days, it will be restored to its original location.

If the user clicks on the executable and installs the malware, then no, AMP does not remove that. It will hopefully prevent it from running in the first place.

Regards

This does not apply to my situation. There is no malware installed on the device. I want to know why AMP flagged a file as a threat and said it was quarantined but the file remains in the location.

The file was likely marked as malicious due to a signature update. It may be a False Positive, but we would need more information to know for sure. As for why the file is still there, again we would need more information. I suggest opening a TAC case and providing them a Diagnostic file from the endpoint so they can investigate.

Thanks,
Matt
