Use Quarantine to its Full Potential

hjlbx

Thread author
This method minimizes risk... simple, yet effective, way to deal with new malicious files that vendors have not added to the signature database - yet.

If your AV has the capability to manually add a file to Quarantine and it can re-scan quarantined objects:

1. Add file to Quarantine

2. Keep it there for two weeks

3. If after quarantine period there is no signature detection, it is probably safe to restore the file

Few people use it... perceived inconvenience and impatience.

In my experience it does work...
 

Alexstrasza

Level 4
Verified
Mar 18, 2015
151
The most important use of Quarantine is that the malware material can be of use to researchers later (especially in the case of ransomware - see PClock).

Emsisoft products automatically rescan Quarantine when you update it, so it's not necessary if you use EAM/EIS.

Also in the case of #3: If you think it's malware, submit it to the vendor instead of just letting it sit there. Malware potential won't change regardless of how long you let it sit there, you know :D
 

tallorder

Level 6
Verified
Jan 15, 2015
267
Hmmmmm, I didn't know that a quarantined item can be returned. I thought once it's jailed, always jailed...
 

Alexstrasza

Level 4
Verified
Mar 18, 2015
151
Hmmmmm, I didn't know that a quarantined item can be returned. I thought once it's jailed, always jailed...
That's not the case - Quarantine only stores the file in a special format to isolate it. If the file is checked later and found to be clean, then you can restore it :)
 
hjlbx

Thread author
Hmmmmm, I didn't know that a quarantined item can be returned. I thought once it's jailed, always jailed...

Almost all AVs allow you to restore a detected file.

Not all AVs allow you to manually add a file to quarantine. With Kaspersky, for example, the user cannot add a file to quarantine manually.
 
Deleted member 2913

Thread author
Eset gives the option to manually quarantine.
Eset rescans the quarantine after an update & restores FPs.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Quarantine is a better option because some viruses/malware can turn out to be FPs, and we need that vital file in order to determine if it's fully safe and can return to normal operation.

It's just the same as in real life: when a person is jailed, he/she finishes the imprisonment term, and then that's the time to get out of jail.
 

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Personally, I think that the best way is still to send the file itself to the AV vendors for analysis, rather than keeping it in quarantine for 2 weeks, because it might be that the vendors do not add the signature because of low prevalence, so in the end you might still get infected. I think if you do not run the suspicious file, there is no way for the malware to infect your system.
 
