04-02-2019 10:42 AM - edited 02-20-2020 09:08 PM
We had a threat detected (malicious docx file) and AMP indicates it was quarantined successfully but the file remained in the original location. Shouldn't AMP be removing the file? How can I figure out why it was not removed?
Also, this particular file has been sitting in this location since 2016. AMP has performed many scans on this machine. Why is this file all of a sudden being flagged?
Thanks
04-02-2019 12:33 PM
Hi @phonehome,
I hope this response to a community discussion can help you a bit:
It will not remove malware if it is installed. What AMP does is hopefully get the file before it is executed and it will quarantine. So if the user downloads a malicious executable and puts it in their Documents folder, AMP will detect it and quarantine it to its own folder. If it is still marked malicious after analysis it will stay in that folder. After 30 days it is supposed to be deleted, but I have never been able to confirm that 100% as far as the time frame goes. Personally, I would rather have a shorter time frame. If it is determined to not be malicious within those 30 days, it will be restored to its original location.
If the user clicks on the executable and installs the malware, then no, AMP does not remove that. It will hopefully prevent it from running in the first place.
Regards
04-03-2019 07:41 AM
This does not apply to my situation. There is no malware installed on the device. I want to know why AMP flagged a file as a threat and said it was quarantined but the file remains in the location.
04-03-2019 08:14 AM
The file was likely marked as malicious due to a signature update. It may be a False Positive but we would need more information to know for sure. As for why the file is still there, again we would need more information. I suggest opening a TAC case and providing them a Diagnostic file from the endpoint so they can investigate.
Thanks,
Matt
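Added here as a worked example, not code from the thread, from Cisco, or from AMP itself: a small Python triage helper for the situation described above, where the console reports a file as quarantined but it is still sitting in its original location. It checks whether the file is really present, hashes it so the on-disk object can be compared with the SHA-256 shown in the detection event (and quoted in a TAC case or false-positive review), reports how old the file is, and projects when a quarantined copy should be purged under the 30-day retention period mentioned in the reply above. The 30-day value is taken from that reply as an assumption, not from product documentation; the sample file is constructed inline.

```python
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional

# Retention period quoted in the reply above for quarantined files.
# Assumption taken from the thread, not a documented product value.
QUARANTINE_RETENTION_DAYS = 30


@dataclass
class FlaggedFileReport:
    path: str
    still_present: bool        # True means the "quarantined" file was NOT removed
    sha256: Optional[str]      # compare with the SHA-256 in the detection event
    size_bytes: Optional[int]
    age_days: Optional[float]  # based on last-modification time


def sha256_of(path: Path) -> str:
    """Stream the file in chunks so large documents need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_flagged_file(path: str, now: Optional[float] = None) -> FlaggedFileReport:
    """Check whether a file the console reports as quarantined is really gone;
    if it is still there, collect what a TAC case or FP review needs."""
    p = Path(path)
    if not p.is_file():
        return FlaggedFileReport(path, False, None, None, None)
    st = p.stat()
    now = time.time() if now is None else now
    return FlaggedFileReport(
        path=path,
        still_present=True,
        sha256=sha256_of(p),
        size_bytes=st.st_size,
        age_days=(now - st.st_mtime) / 86400,
    )


def hash_matches_detection(report: FlaggedFileReport, detection_sha256: str) -> bool:
    """Confirm the file on disk is the object the console flagged (same SHA-256).
    A mismatch means the file at that path has changed since the event."""
    return report.sha256 is not None and report.sha256.lower() == detection_sha256.lower()


def expected_quarantine_expiry(quarantined_at: datetime,
                               retention_days: int = QUARANTINE_RETENTION_DAYS) -> datetime:
    """When the quarantined copy should be purged under the retention period above."""
    return quarantined_at + timedelta(days=retention_days)


if __name__ == "__main__":
    # Constructed sample: a stand-in for the flagged .docx, written to a temp dir.
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "sample.docx")
    with open(sample, "wb") as fh:
        fh.write(b"hello world")
    report = triage_flagged_file(sample)
    print(report)
    # Placeholder hash standing in for the value shown in the detection event.
    print("matches event:", hash_matches_detection(report, report.sha256 or ""))
    print("quarantine copy expected to expire:", expected_quarantine_expiry(datetime(2019, 4, 2)))
```

If `still_present` is True and the hash matches the event, the original was not removed even though the console says it was; that report, together with the endpoint diagnostic file the reply above mentions, is what to attach to the TAC case. If the hash does not match, the file at that path is no longer the object that was flagged.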