Quarantine
Quarantine is the process of isolating a file suspected of being malicious or infected by moving it to a restricted area of storage, so that it cannot execute or contaminate other files. Anti-virus and endpoint protection software quarantines a file when it detects a problem that it cannot remediate with its current signatures and cleaning routines, or when it cannot determine whether the file is a known threat. If a user suspects that a file is infected but the software does not detect it, the user can usually quarantine it manually.
Anti-virus software often resorts to quarantine when it is unable to clean an infected file. Once a file has been quarantined, it can no longer interact with the system. Quarantined files should be reviewed and then deleted once they are confirmed malicious and no longer needed as evidence; deleting them before analysis destroys the only copy of the detected file, while keeping them indefinitely serves no purpose.
Some anti-virus programs automatically send a sample of the quarantined file over the Internet to the vendor for analysis. The vendor's analysis service then returns a report on the detected threat. If the sample is a new threat, the vendor also creates and distributes an updated detection definition so that the threat can be eliminated on the user's computer or device. Check the agent's sample-submission setting before enabling it on hosts that handle sensitive or proprietary files, because a quarantined internal binary or document is uploaded to the vendor in the process.
Frequently Asked Questions
What does quarantine mean in cybersecurity?
Quarantine is an endpoint security action that isolates a suspicious file by moving it to a restricted storage area where it cannot execute or interact with the rest of the system. The file is not deleted. It is preserved in a locked-down state so security teams can analyze it later, determine whether it is genuinely malicious, and recover it if it turns out to be a false positive. Quarantine is the default response for most antivirus and endpoint detection tools because it stops the immediate threat while preserving forensic evidence. Think of it as putting a suspicious package in a blast-proof room rather than throwing it away or ignoring it.
What is the difference between quarantine, isolation, and deletion?
These three actions address threats at different scopes. Quarantine targets a single file: the file is moved to protected storage where it cannot run but can be inspected or restored. Isolation targets an entire endpoint: the device is cut off from the network (it can still communicate with the security platform) to prevent lateral movement during an active incident. Deletion permanently removes a file from the system with no recovery option. The choice depends on your confidence level. Quarantine is the safest default because it preserves evidence and allows reversal. Isolation is for active incidents where you need to contain a compromised machine. Deletion is for confirmed malware where there is no forensic or recovery need.
When should I quarantine a file versus blocking it?
Quarantine when you are not 100% certain a file is malicious and want to preserve it for analysis. Block (prevent execution without relocating the file) when a policy rule matches a known-bad hash, certificate, or behavior pattern. In practice, most endpoint security tools quarantine automatically on first detection and then apply blocking rules for known threats going forward. Quarantine is also the better choice for zero-day detections, custom-built internal tools that trigger heuristic alerts, and files flagged by behavioral analysis rather than signature matching. If your endpoint tool blocks or quarantines a legitimate business application, you have a production outage either way; the advantage of quarantine is that the file, its original location, and the detection reason are all preserved, so once you confirm the file is benign you can restore it in minutes and add a precise exclusion.
How does automated quarantine work?
When your endpoint protection software detects a suspicious file (through signature matching, behavioral analysis, or machine learning classification), it moves the file to a quarantine vault before the file can execute. The vault is a protected directory with restricted permissions that prevents the quarantined file from running, being accessed by other processes, or spreading. Many agents also store the quarantined copy in an encoded form so that other scanners on the host do not re-detect it in the vault. The original file path, the file hash, and the detection reason are recorded so the file can be restored to its exact location if needed and so the detection can be audited later. The endpoint agent sends an alert to the management console (and to your SIEM if integrated), where a security analyst or the vendor's operations team reviews the detection. With Blumira, endpoint alerts that reach the SIEM are triaged by the 24/7 SecOps team, who provide response guidance if further action is needed beyond the initial quarantine.
How do I handle false positives in quarantine?
False positives in quarantine are common and manageable. First, check the detection reason in your endpoint console. If the file was flagged by a generic heuristic or behavioral rule rather than a specific malware signature, it is more likely a false positive. Second, verify the file's provenance: did it come from a trusted vendor, an internal build, or an unknown origin, and does it carry a valid code signature from the expected publisher? Third, look up the file's hash on a multi-engine scanner such as VirusTotal to see how many engines flag it. Look up the hash rather than uploading the file itself, since an uploaded internal binary or document becomes available to other users of the service. If only one or two engines detect it, a false positive is likely, but a low detection count is evidence rather than proof: new or targeted malware also scores low, so weigh it together with the provenance check. Once you confirm the file is safe, restore it from quarantine and add an exclusion for that specific file hash (not the file path, which an attacker can reuse by dropping malware into the excluded location). A hash exclusion covers only that exact build, so it must be refreshed when the file is updated. Document every exclusion so you can audit them periodically and remove the ones that are no longer needed.
Can quarantined files still be dangerous?
A properly quarantined file cannot execute or cause damage. The quarantine vault encrypts or permission-locks the file so that no process, user, or scheduled task can run it. However, there are edge cases to be aware of. Some older or poorly implemented quarantine mechanisms simply rename the file or move it to a hidden directory without restricting execution permissions, which leaves it accessible to anyone who finds it. Also, if an attacker already has admin-level access to the endpoint, they can read the vault directly, decode the stored copy, or restore it through the agent's own interface. The quarantine vault itself is only as secure as the endpoint agent managing it, and at that privilege level quarantine is no longer the control that matters. This is why quarantine should be one layer in a defense-in-depth approach that includes network monitoring, log analysis, and identity controls alongside endpoint protection.
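The following is an added example, not Blumira's code or any vendor's quarantine implementation. It shows in one place the mechanism described under "How does automated quarantine work?" (move the file to a vault, lock it, record its original path and hash), the hash-based exclusion from the false-positive section, and the edge case from the question above: the stored copy has every permission bit cleared and the original is removed, rather than merely renamed. Assumptions: POSIX file permissions (on Windows `os.chmod(..., 0)` only clears the read-only attribute), a single-byte XOR transform as the at-rest encoding (obfuscation so other on-host scanners do not re-detect the blob, not a security control), and a constructed sample file standing in for a heuristic hit on an internal build tool.

```python
"""Minimal file-quarantine vault: quarantine, lock, restore, exclude by hash.
Illustrative code, not any vendor's agent; see the assumptions in the text above."""
import hashlib
import json
import os
import stat
import tempfile
import time
import uuid
from pathlib import Path

XOR_KEY = 0x5A  # constructed constant for the at-rest transform (obfuscation only)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _transform(data: bytes) -> bytes:
    """Symmetric XOR encoding: applying it twice returns the original bytes."""
    return bytes(b ^ XOR_KEY for b in data)


class QuarantineVault:
    def __init__(self, root):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.index_file = self.root / "index.json"
        self.state = {"entries": {}, "excluded_hashes": []}
        if self.index_file.exists():
            self.state = json.loads(self.index_file.read_text())

    def _save(self):
        self.index_file.write_text(json.dumps(self.state, indent=2))

    def quarantine(self, path, reason: str):
        """Move a flagged file into the vault. Returns the entry id, or None if its hash is excluded."""
        src = Path(path).resolve()
        data = src.read_bytes()
        digest = sha256_bytes(data)
        if digest in self.state["excluded_hashes"]:
            return None  # confirmed false positive: leave the file alone
        entry_id = uuid.uuid4().hex
        blob = self.root / f"{entry_id}.qbin"
        blob.write_bytes(_transform(data))
        os.chmod(blob, 0)  # clear read/write/execute for everyone (POSIX)
        src.unlink()       # the original must not stay at its executable location
        self.state["entries"][entry_id] = {
            "original_path": str(src), "sha256": digest, "size": len(data),
            "reason": reason, "quarantined_at": time.time(),
        }
        self._save()
        return entry_id

    def restore(self, entry_id: str, exclude_hash: bool = False) -> Path:
        """Put a quarantined file back where it came from, verifying the stored blob first."""
        entry = self.state["entries"][entry_id]
        blob = self.root / f"{entry_id}.qbin"
        os.chmod(blob, stat.S_IRUSR | stat.S_IWUSR)  # unlock only for the restore
        data = _transform(blob.read_bytes())
        if sha256_bytes(data) != entry["sha256"]:
            raise ValueError("quarantine blob does not match recorded hash; refusing to restore")
        dest = Path(entry["original_path"])
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
        blob.unlink()
        if exclude_hash and entry["sha256"] not in self.state["excluded_hashes"]:
            self.state["excluded_hashes"].append(entry["sha256"])  # by hash, never by path
        del self.state["entries"][entry_id]
        self._save()
        return dest

    def entries(self) -> dict:
        return dict(self.state["entries"])


def demo() -> dict:
    """Constructed walk-through: heuristic hit on an internal tool, later restored as a false positive."""
    work = Path(tempfile.mkdtemp(prefix="qvault_"))
    sample = work / "apps" / "buildtool.exe"
    sample.parent.mkdir()
    payload = b"MZ constructed sample bytes, not malware"  # constructed file content
    sample.write_bytes(payload)
    expected_path = str(sample.resolve())
    vault = QuarantineVault(work / "vault")

    entry_id = vault.quarantine(sample, reason="heuristic: Gen.Suspicious.Packer")
    blob_mode = (vault.root / f"{entry_id}.qbin").stat().st_mode & 0o777
    out = {
        "original_removed": not sample.exists(),
        "blob_locked": os.name == "nt" or blob_mode == 0,
        "recorded_path": vault.entries()[entry_id]["original_path"] == expected_path,
    }
    restored = vault.restore(entry_id, exclude_hash=True)  # analyst confirmed false positive
    out["restored_intact"] = restored.read_bytes() == payload
    out["excluded_on_recheck"] = vault.quarantine(sample, "heuristic") is None and sample.exists()
    out["vault_empty"] = vault.entries() == {}
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting. The restore path verifies the recorded SHA-256 before writing anything back, so a blob that was altered while in the vault is refused rather than silently placed at an executable location. And the exclusion list is keyed on the hash, so a second detection of the same bytes is skipped while a different file dropped at the same path is still quarantined.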