During a threat investigation, time is of the essence. Being able to move quickly and get the information needed to assess the situation can dramatically help to reduce the time to remediation and limit the scope of an attack.
Today, we are excited to offer a new feature that gives security teams the ability to download quarantined files and expands the scope of sample submission to include files that are quarantined on your endpoints. This feature will help Security Admins and SecOps investigate threats more efficiently, as they will be able to download a quarantined file directly without needing to get end users involved, saving critical minutes, if not hours, during an investigation.
The download quarantine files feature will be turned on by default in Microsoft 365 Defender.
Files that have been quarantined by Microsoft Defender Antivirus or your security team will be saved in a compliant way according to your sample submission configurations. Your security team can then download the files directly from the file’s detail page via the Download file button.
Figure 1: Screenshot of Microsoft 365 Defender showing a file page with the "Download file" option available.
The file will be saved in your ‘Downloads’ folder:
Figure 2: Screenshot of File Explorer showing a password-protected zip file that has been downloaded from quarantine.
If you want to find a specific quarantined file, there are a few places in Microsoft 365 Defender you can look:
Alerts - select the corresponding links from the “Description” or “Details” in the Artifact timeline
Search box - select File from the drop-down menu, and then enter the file name
Collecting quarantined files
Users might be prompted to provide consent before the quarantined file is collected, depending on your sample submission configuration. If sample submission is turned off or the end user declines to share the file, the file will not be collected. A quarantined file will only be collected once per organization.
Prerequisite: your organization uses Microsoft Defender Antivirus in active mode.
Figure 3: Screenshot of Microsoft 365 Defender showing the Advanced features page and the "Download quarantined files" toggle on the right.
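To verify the endpoint-side conditions described above on a given device (Defender Antivirus in active mode, and sample submission not turned off), here is an added PowerShell example that is not part of the original post or of Microsoft's own tooling. It uses only the built-in Defender cmdlets Get-MpComputerStatus and Get-MpPreference; the function name is my own.

```powershell
# Added example (not from the original post): report whether this Windows endpoint meets
# the conditions the post describes for quarantined-file collection.
# Assumes the built-in Defender cmdlets are available (Windows 10/11 or Windows Server).

function Test-QuarantineCollectionPrereqs {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # AMRunningMode is "Normal" when Defender Antivirus is the active (primary) antivirus.
    # "Passive Mode", "EDR Block Mode" and "SxS Passive Mode" mean another product is primary.
    $activeMode = ($status.AMRunningMode -eq 'Normal')

    # SubmitSamplesConsent: 0 = always prompt, 1 = send safe samples automatically,
    # 2 = never send, 3 = send all samples automatically.
    # Only 2 turns sample submission off; 0 means the end user is prompted for consent,
    # which matches the consent behaviour described in the post.
    $consent            = [int]$pref.SubmitSamplesConsent
    $sampleSubmissionOn = ($consent -ne 2)
    $userPrompted       = ($consent -eq 0)

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        AMRunningMode        = $status.AMRunningMode
        DefenderAVActiveMode = $activeMode
        SubmitSamplesConsent = $consent
        SampleSubmissionOn   = $sampleSubmissionOn
        UserConsentPrompt    = $userPrompted
        ReadyForCollection   = ($activeMode -and $sampleSubmissionOn)
    }
}

# Run locally; the same function can be invoked across devices with Invoke-Command.
Test-QuarantineCollectionPrereqs | Format-List
```

A device reporting ReadyForCollection = False will not have its quarantined files collected, so the file will not be available for download in the portal until the running mode or sample submission setting is changed.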
We’re excited to offer you this new feature and look forward to your feedback. Let us know what you think in the comments or through the portal!
Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, sign up for a free Microsoft Defender for Endpoint trial today.