File isolation on hosts

Use the File isolation feature to isolate a 'suspicious' or 'malicious' file associated with a critical alert and prevent it from being used by the applications, processes, and users on the host. Isolating malicious files associated with critical alerts can help you reduce the potential impact of the files on the host and avoid lateral propagation to other connected hosts.

For example, isolate a file associated with an Application Control alert flagged by a monitored rule, to temporarily stop the file from running. Or, isolate a blocked file associated with a Trust-related alert flagged for a 'High Risk' application, for further analysis.

Before you begin

Know the following before you start using the File isolation feature.

  • Isolation process - File isolation triggers a job schedule for the relevant host. The schedule completes, and the file is moved, only if the host is 'Reachable' from the instance for the duration of the schedule. If the instance finds a host 'not Reachable', the file is moved once the host becomes 'Reachable' again. You can see the statuses of the File isolation schedules on the Files > File Isolation page.

  • Isolation folder - When a File isolation schedule is complete, the file is moved to the quarantine folder on the host. For example, on a Windows host, an isolated file is moved to the C:\Program Files\ColorTokens\Xprotect\quarantine folder. Isolated files are encrypted with AES 256-bit encryption.

  • Post-isolation operations - You can perform the following operations on isolated files.

    • Fetch and download file - isolated files can be fetched to the instance and downloaded locally for more analysis.

    • Restore file - isolated files can be restored to their original locations and original states.

    • Delete file - isolated files can be permanently deleted from the respective hosts.

  • 'Isolated' file availability - Isolated files are available on the instance for further analysis, as per the Data archival settings for the instance. See the Settings > Configurations page for the settings.


File Isolation page

All File isolation schedules triggered in the last 30 days are listed on the Files > File Isolation page. You can also perform some post-isolation operations on the isolated files from this page.


Isolate a file on a host

File isolation schedules, once triggered, cannot be canceled. For unintended File isolations, you can restore the file to its original location from the Xprotect UI.

Use File isolation cautiously to avoid downtime for applications that actively use the files you plan to isolate. Also, isolating system-related files can destabilize a host.

  1. Go to Alerts > Detailed Alerts.

  2. Click the 3-dot menu of an alert and click Isolate File in Host.

  3. From the Reason for Isolation drop-down list, select a reason.

  4. Enter some more details about why you want to isolate the file.

  5. Click Isolate File in Host.

    For a few seconds, you will see a confirmation message stating that the isolation is scheduled.

  6. Go to Files > File Isolation page to see the status (Scheduled, Success, Failed, or File Not Found) of the File isolation schedule.

  7. (Optional) Expand the schedule to see the original location of the isolated file and the reason the isolation was initiated.

    • For 'Success' schedules, you will see the location of the isolation folder on the host.

    • For 'Failed' schedules, click View Reason(s) to see why the isolation failed and the potential fix to complete the schedule.


Post-isolation operations

Fetch isolated files

Fetch an isolated file from a host if you want to download it locally for more analysis. You will need the decryption key of the file to use the file offline.

Store the downloaded 'isolated' files in a secure location to avoid lateral propagation to other connected environments.

  1. On the Files > File Isolation page, click the 3-dot menu of a file and click Fetch Isolated File.

  2. Wait for the schedule to show 'Success' and click the Download icon in the File Name column.

  3. Copy the decryption key's CLI command and use it to decrypt the downloaded file.


Restore isolated files

Restore Xprotect-isolated files only if your analysis of the files turns out to be a 'false positive'. Xprotect restores the files to their original locations and their original states.

  • On the Files > File Isolation page, click the 3-dot menu of a file and click Restore file.


Delete isolated files

Delete isolated files only when the applications, processes, or users using the files can normally work without the isolated files. An isolated file, when deleted, is permanently deleted from a host.

  • On the Files > File Isolation page, click the 3-dot menu of a file, and click Permanently Delete.
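The isolation mechanism described under 'Before you begin' (move the file into a quarantine folder, encrypt it with AES-256, keep enough metadata to restore it), the offline decryption step of 'Fetch isolated files', and the restore and delete operations above, modelled as a small Go program. This is an added illustration, not Xprotect's agent code: the page does not say which AES mode, file layout, or key handling Xprotect uses, so AES-256-GCM with the nonce prefixed to the ciphertext, a <name>.enc file in the quarantine directory, an owner-only file mode, and a per-host key supplied by the caller are all assumptions of this example. The Record type, and the Isolate, Decrypt and Restore functions, are likewise hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Record is what a restore needs: original path and mode, and where the encrypted copy lives.
type Record struct {
	Original, Encrypted string
	Mode                fs.FileMode
}

// newGCM builds an AES-256-GCM AEAD and rejects any other key size.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key is %d bytes, AES-256 needs 32", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// seal encrypts plaintext; the random nonce is prefixed to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt is the offline step on a fetched blob; the GCM tag rejects a blob altered or made under another key.
func Decrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, fmt.Errorf("blob of %d bytes is too short", len(blob))
}

// Isolate writes an encrypted, owner-only copy into quarantineDir and only then removes the original.
func Isolate(path, quarantineDir string, key []byte) (Record, error) {
	info, err := os.Stat(path) // a missing file surfaces as fs.ErrNotExist ("File Not Found")
	if err != nil {
		return Record{}, err
	}
	rec := Record{Original: path, Mode: info.Mode().Perm()}
	plain, err := os.ReadFile(path)
	var blob []byte
	if err == nil { // each step below runs only if the previous one succeeded
		blob, err = seal(key, plain)
	}
	if err == nil {
		rec.Encrypted = filepath.Join(quarantineDir, filepath.Base(path)+".enc")
		err = os.WriteFile(rec.Encrypted, blob, 0o600) // 0600: no other user can read or run it
	}
	if err == nil {
		err = os.Remove(path)
	}
	return rec, err
}

// Restore decrypts the copy back to its original path and mode, then removes the copy.
func Restore(rec Record, key []byte) error {
	blob, err := os.ReadFile(rec.Encrypted)
	if err == nil {
		blob, err = Decrypt(key, blob)
	}
	if err == nil {
		err = os.WriteFile(rec.Original, blob, rec.Mode)
	}
	if err == nil {
		err = os.Remove(rec.Encrypted) // the same call a permanent delete would make on its own
	}
	return err
}

func main() {
	dir, _ := os.MkdirTemp("", "quarantine-demo")
	defer os.RemoveAll(dir)
	key := make([]byte, 32) // per-host key held by the agent, never stored beside the copies
	rand.Read(key)
	target := filepath.Join(dir, "suspect.bin") // constructed sample file
	os.WriteFile(target, []byte("constructed sample content"), 0o755)
	rec, err := Isolate(target, dir, key)
	fmt.Println("isolate:", rec.Encrypted, err, "restore:", Restore(rec, key))
}
```

Two design points carry over to any quarantine implementation: the original is removed only after the encrypted copy has been written, so an interrupted schedule never loses the file (it simply fails and can be retried, which is what the 'Failed' state with View Reason(s) is for), and the copy is authenticated encryption, so a downloaded blob that was tampered with, or decrypted with the wrong key, fails outright instead of yielding garbage.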


View operations history

See the list of attempts at post-isolation operations performed on the isolated files.

  • On the Files > File Isolation page, click the 3-dot menu of a file and click View Operation History.