Forum Discussion
Recovering Quarantined File without Restoring
Hello Microsoft Community,
I have been exploring the Defender for Endpoint API and noticed that it mentions the ability to fetch copies of files associated with alerts using a Live Response request (GetFile). However, I've observed that for some alerts, Microsoft Defender quarantines the associated files. Is there a way to obtain a copy of a quarantined file, or the file itself, without restoring it? Additionally, is there a way to determine through the API whether a file associated with an alert has been quarantined, rather than manually logging into the Microsoft Defender for Endpoint portal?
I understand there are two common methods for restoring a file from quarantine: through the Microsoft Defender for Endpoint portal or via the command line. Both methods are detailed here: https://learn.microsoft.com/en-us/defender-endpoint/respond-file-alerts#restore-file-from-quarantine. My concern is that restoring the file will cause Defender to quarantine it again, resulting in a new alert for the same file.
In summary, is there a way to retrieve a copy of a quarantined file, or the file itself, without restoring it? And how can I know whether or not it has been quarantined, using the Microsoft Defender for Endpoint API or another Microsoft API?
Thank you!
6 Replies
- zaynhijazi (Copper Contributor)
micheleariis I can download copies of the quarantined files from the portals, but I am trying to see if there is a way to get a copy of the quarantined files programmatically without restoring the quarantined file back on the machine.
$headers = @{ Authorization = "Bearer $accessToken" } # $accessToken: OAuth token for api.securitycenter.microsoft.com, obtained earlier (not shown in the post)
$fileId = "FILE_ID_TO_DOWNLOAD" # The ID of the file associated with the alert
$deviceId = "DEVICE_ID_ASSOCIATED" # The ID of the device the alert was raised on
$downloadUrl = "https://api.securitycenter.microsoft.com/api/machines/$deviceId/files/$fileId"
$response = Invoke-RestMethod -Method Post -Uri $downloadUrl -Headers $headers
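The following PowerShell is an added example for both the original question (checking quarantine state programmatically, then pulling the file) and the snippet in the reply above; it is not code from the thread or from Microsoft. It uses three documented Defender for Endpoint endpoints: the OAuth2 client-credentials token endpoint, the Advanced Hunting API (POST /api/advancedqueries/run), and the Live Response API (POST /api/machines/{id}/runliveresponse, then GET /api/machineactions/{id} and GetLiveResponseResultDownloadLink). Two things are assumptions to verify in your own tenant: that the WasRemediated value inside AdditionalFields of AntivirusDetection events in DeviceEvents reliably marks a quarantined or removed file, and that the Live Response download may be gzip-compressed as it is when you run getfile from the console. The practical caveat the example encodes: GetFile reads a file from its on-disk path, and once Defender quarantines a file that path no longer exists (the quarantine store under ProgramData holds encoded copies), so the quarantine check has to run first rather than after a failed GetFile. The device ID and SHA-1 are validated before being interpolated into KQL so that untrusted input cannot alter the hunting query.

```powershell
# Added example, not from the thread. Assumes an Entra app registration with the
# WindowsDefenderATP application permissions AdvancedQuery.Read.All and
# Machine.LiveResponse, and Live Response enabled for the target device.
$TenantId     = "<tenant-id>"
$ClientId     = "<app-id>"
$ClientSecret = "<client-secret>"
$MdeApi       = "https://api.securitycenter.microsoft.com"

function Get-MdeHeaders {
    # Client-credentials flow against the v2.0 token endpoint; the hashtable body is
    # sent form-urlencoded, which is what the token endpoint expects.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "$MdeApi/.default"
        grant_type    = "client_credentials"
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
    return @{ Authorization = "Bearer $($resp.access_token)" }
}

function Test-MdeFileQuarantined {
    param([string]$DeviceId, [string]$Sha1, [hashtable]$Headers)
    # Both values are interpolated into KQL, so reject anything that is not 40 hex chars.
    foreach ($v in @($DeviceId, $Sha1)) {
        if ($v -notmatch '^[0-9a-fA-F]{40}$') { throw "Refusing to build KQL from non-hex value: $v" }
    }
    # ASSUMPTION: WasRemediated in AdditionalFields marks a quarantined/removed file.
    # Confirm against the DeviceEvents schema in your tenant before relying on it.
    $kql = @"
DeviceEvents
| where DeviceId == '$DeviceId' and SHA1 == '$Sha1'
| where ActionType == 'AntivirusDetection'
| extend WasRemediated = tobool(parse_json(AdditionalFields).WasRemediated)
| summarize Detections = count(), Remediated = countif(WasRemediated == true), LastSeen = max(Timestamp)
"@
    $body = @{ Query = $kql } | ConvertTo-Json
    $resp = Invoke-RestMethod -Method Post -Uri "$MdeApi/api/advancedqueries/run" -Headers $Headers -ContentType "application/json" -Body $body
    $row = $resp.Results | Select-Object -First 1
    return [pscustomobject]@{
        Detections  = [int]$row.Detections
        Remediated  = [int]$row.Remediated
        LastSeen    = $row.LastSeen
        Quarantined = ([int]$row.Remediated -gt 0)
    }
}

function Get-MdeFileViaLiveResponse {
    param([string]$DeviceId, [string]$Path, [string]$OutFile, [hashtable]$Headers)
    # GetFile reads the file at $Path on the device; it cannot reach a file that
    # Defender has already moved into quarantine.
    $body = @{
        Commands = @(@{ type = "GetFile"; params = @(@{ key = "Path"; value = $Path }) })
        Comment  = "Collect file for alert triage"
    } | ConvertTo-Json -Depth 5
    $action = Invoke-RestMethod -Method Post -Uri "$MdeApi/api/machines/$DeviceId/runliveresponse" -Headers $Headers -ContentType "application/json" -Body $body
    # Poll the machine action until it leaves Pending/InProgress.
    do {
        Start-Sleep -Seconds 10
        $action = Invoke-RestMethod -Method Get -Uri "$MdeApi/api/machineactions/$($action.id)" -Headers $Headers
    } while ($action.status -in @("Pending", "InProgress"))
    if ($action.status -ne "Succeeded") { throw "Live Response action $($action.id) ended with status $($action.status)" }
    # index=0 refers to the first (here the only) command in the session.
    $link = Invoke-RestMethod -Method Get -Uri "$MdeApi/api/machineactions/$($action.id)/GetLiveResponseResultDownloadLink(index=0)" -Headers $Headers
    # The returned value is a short-lived download URL; no bearer token is needed for it.
    # ASSUMPTION: the payload may be gzip-compressed, as with getfile in the console.
    Invoke-WebRequest -Uri $link.value -OutFile $OutFile
    return $OutFile
}

# Usage: check quarantine state first, only then attempt GetFile on the original path.
$headers  = Get-MdeHeaders
$deviceId = "<40-hex-device-id>"
$sha1     = "<40-hex-sha1-from-the-alert>"
$path     = "C:\Users\victim\Downloads\sample.exe"   # constructed placeholder path
$state = Test-MdeFileQuarantined -DeviceId $deviceId -Sha1 $sha1 -Headers $headers
if ($state.Quarantined) {
    Write-Warning "Remediated $($state.Remediated) of $($state.Detections) detections (last $($state.LastSeen)); GetFile on $path will not find it."
} else {
    Get-MdeFileViaLiveResponse -DeviceId $deviceId -Path $path -OutFile "$env:TEMP\evidence.bin" -Headers $headers
}
```

If the check reports the file as remediated, the only routes the thread itself supports are the portal download that the reply mentions and a restore from quarantine, which, as the original post notes, will trigger a new detection unless an exclusion or allow indicator is in place first.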