Microsoft Defender for Endpoint Blog

Download quarantined files now Generally Available

JuliHooper (Microsoft)
Jul 26, 2021

During a threat investigation, time is of the essence. Being able to move quickly and get the information needed to assess the situation can dramatically help to reduce the time to remediation and limit the scope of an attack.  

 

Today, we are excited to offer a new feature that gives security teams the ability to download quarantined files and expands the scope of sample submission to include files that are quarantined on your endpoints. This feature will help Security Admins and SecOps more efficiently investigate threats as they’ll be able to download a quarantined file directly without needing to get end users involved – helping to save critical minutes, if not hours during an investigation.  

 

The download quarantine files feature will be turned on by default in Microsoft 365 Defender. 

Files that have been quarantined by Microsoft Defender Antivirus or your security team will be saved in a compliant way according to your sample submission configurations. Your security team can then download the files directly from the file’s detail page via the Download file button.  

 

 

Figure 1: Screenshot of Microsoft 365 Defender showing a file page with the “Download file” option available.

 

The file will be saved in your Downloads folder: 

 

Figure 2: Screenshot of File Explorer showing a password-protected zip file that has been downloaded from quarantine.

 

If you want to find a specific quarantined file, there are a few places in Microsoft 365 Defender you can look: 

  • Alerts - select the corresponding links from the “Description” or “Details” in the Artifact timeline 
  • Search box - select File from the drop-down menu, and then enter the file name

Collecting quarantined files 

Users might be prompted to provide consent before the quarantined file is collected, depending on your sample submission configuration. If sample submission is turned off or the end user declines to share the file, the file will not be collected. A quarantined file will only be collected once per organization. 

Requirements 

  • Sample submission is turned on 
  • Devices have Windows 10 version 1703 or later, or Windows Server 2016 or 2019

 

This feature is available to customers in public preview. If you have not yet opted in, we encourage you to turn on preview features so that you can try this out today. 

 

Turning off the download quarantined file setting 

Having this setting turned on can help security teams examine potentially bad files and investigate incidents quickly and in a less risky way. However, if you need to turn this setting off, go to Settings > Endpoints > Advanced features and toggle “Download quarantined files” to Off. See Configure advanced features in Microsoft Defender for Endpoint | Microsoft Docs.

 

 

Figure 3: Screenshot of Microsoft 365 Defender showing the Advanced features page and the Download quarantined files button on the right.

 

We’re excited to offer you this new feature and look forward to your feedback. Let us know what you think in the comments or through the portal!

 

Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free Microsoft Defender for Endpoint trial today.

 

The Microsoft Defender for Endpoint team 

Updated Oct 19, 2021
Version 4.0
  • ryan_oleary
    Copper Contributor

    Hi JuliHooper 

     

    Any ideas on why we are getting the following error?
    File was observed in last 30 days and allows Windows Devices are version 22H2 which is newer than the Windows 10 Creators Update

     

  • wlawn001
    Copper Contributor

    Hi Juli, thanks for the update.  I do see that the feature is now enabled in our console.  We would rather see Microsoft deploy new preview features like this in a disabled state where possible.  This would allow us to deploy these changes in a more controlled manner.

  • Hi wlawn001 thanks for your comment.  We have determined that there is an issue with the feature being turned on by default and we are hoping to have a solution coming out soon.  Please note: This bug does not affect the functionality of the feature in any way.  We apologize for the inconvenience.  

     

    Follow up: The issue causing the feature to not be turned on by default has been addressed.  

  • wlawn001
    Copper Contributor

    Your article states that the download quarantine files feature will be turned on by default.  It just hit our console and it is turned off.