During a threat investigation, time is of the essence. Being able to move quickly and get the information needed to assess the situation can dramatically help to reduce the time to remediation and limit the scope of an attack.
Today, we are excited to offer a new feature that gives security teams the ability to download quarantined files and expands the scope of sample submission to include files that are quarantined on your endpoints. This feature will help Security Admins and SecOps more efficiently investigate threats as they’ll be able to download a quarantined file directly without needing to get end users involved – helping to save critical minutes, if not hours during an investigation.
The download quarantine files feature will be turned on by default in Microsoft 365 Defender.
Files that have been quarantined by Microsoft Defender Antivirus or your security team will be saved in a compliant way according to your sample submission configurations. Your security team can then download the files directly from the file’s detail page via the Download file button.
Figure 1: Screenshot of Microsoft 365 Defender showing a file page with the “Download file” option available.
The file will be saved in your ‘Downloads’ folder:
Figure 2: Screenshot of File Explorer showing a password-protected zip file that has been downloaded from quarantine.
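As an added example (not Microsoft's code and not part of the original post), the following Python helper shows how an analyst might handle the archive obtained via the Download file button without ever running the sample: it records hashes of the archive and of each member, extracts only into an isolated directory (rejecting path-traversal entries), and reports the member hashes so they can be pivoted back to the file page in Microsoft 365 Defender. It assumes the download is a zip archive protected with legacy ZipCrypto, which Python's zipfile module can read when given the password the portal provides; the password handling, the archive layout and the constructed stand-in archive are assumptions, not details from the page.

```python
"""Triage helper for a file downloaded from Microsoft 365 Defender quarantine.

Added example, not Microsoft's code. Assumptions: the download is a zip that may
be protected with legacy ZipCrypto (readable by zipfile), and the analyst
supplies the password shown in the portal.
"""
import hashlib
import pathlib
import tempfile
import zipfile


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a byte string, the hashes Defender's file page keys on."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def triage_quarantine_archive(archive_path, dest_dir, password=None) -> dict:
    """Hash the archive and each member, extracting members into dest_dir only.

    Members whose path would escape dest_dir are rejected (zip-slip); nothing
    is executed. Returns a report dict suitable for an investigation note.
    """
    archive_path = pathlib.Path(archive_path)
    dest_dir = pathlib.Path(dest_dir).resolve()
    dest_dir.mkdir(parents=True, exist_ok=True)
    report = {"archive": file_hashes(archive_path.read_bytes()), "members": []}
    pwd = password.encode() if password else None

    with zipfile.ZipFile(archive_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename:
                continue
            # Resolve the target and require it to sit strictly below dest_dir.
            target = (dest_dir / info.filename).resolve()
            if dest_dir not in target.parents:
                raise ValueError(f"unsafe member path: {info.filename}")
            try:
                data = zf.read(info, pwd=pwd)
            except RuntimeError as exc:  # missing or wrong password
                raise ValueError(f"cannot decrypt {info.filename}: {exc}") from exc
            except NotImplementedError as exc:  # AES-encrypted zip, not ZipCrypto
                raise ValueError("archive uses an unsupported cipher; use a tool that handles it") from exc
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            report["members"].append({"name": info.filename, "size": len(data), **file_hashes(data)})
    return report


# --- Constructed demonstration data (not a real quarantine download) -------
SAMPLE_NAME = "sample.bin"
SAMPLE_BYTES = b"constructed placeholder sample - not malware\n"


def build_sample_archive(path, member_name=SAMPLE_NAME) -> pathlib.Path:
    """Write an unencrypted stand-in archive; zipfile cannot create encrypted zips."""
    path = pathlib.Path(path)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(member_name, SAMPLE_BYTES)
    return path


def demo() -> dict:
    """Build the stand-in archive in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        archive = build_sample_archive(pathlib.Path(tmp) / "quarantine_download.zip")
        return triage_quarantine_archive(archive, pathlib.Path(tmp) / "isolated")


if __name__ == "__main__":
    for member in demo()["members"]:
        print(member["name"], member["sha256"])
```

Run the hashes from the report against the file page in the portal to confirm you extracted the file you meant to, and keep the extraction directory on an analysis host rather than a production endpoint.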
If you want to find a specific quarantined file, there are a few places in Microsoft 365 Defender you can look:
Collecting quarantined files
Users might be prompted to provide consent before the quarantined file is collected, depending on your sample submission configuration. If sample submission is turned off or the end user declines to share the file, the file will not be collected. A quarantined file will only be collected once per organization.
This feature is available to customers in public preview. If you have not yet opted in, we encourage you to turn on preview features so that you can try this out today.
Turning off the download quarantined file setting
Having this setting turned on helps security teams examine potentially malicious files and investigate incidents quickly and with less risk. However, if you need to turn this setting off, go to Settings > Endpoints > Advanced features and toggle “Download quarantined files” to Off. See Configure advanced features in Microsoft Defender for Endpoint | Microsoft Docs.
Figure 3: Screenshot of Microsoft 365 Defender showing the Advanced features page and the “Download quarantined files” toggle on the right.
We’re excited to offer you this new feature and look forward to your feedback. Let us know what you think in the comments or through the portal!
Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free Microsoft Defender for Endpoint trial today.
The Microsoft Defender for Endpoint team