Three considerations for file quarantine configuration.

Author: Berning, Tony

When dealing with potentially malicious files, a digital quarantine has the same goal as a physical one: isolating the infection prevents it from spreading to other, still healthy hosts. Once the potential threat is isolated, forensic analysis can determine its exact cause or source, taking as long as the analysis requires. After the threat has been analysed, the file can be released, neutralised or removed depending on the analysts' conclusions.

When malware is suspected in digital files, there are significant advantages to quarantining them rather than removing everything identified as a potential threat. The first is that the chance of misidentifying a harmless file as malicious (a false positive) can never be completely eliminated. If such a file is permanently deleted, valuable data may be lost with no possibility of recovery. Quarantining it instead leaves open the possibility of restoring it if it turns out not to be a threat.

A second advantage of quarantining a file instead of deleting it emerges when a real threat is identified. Examining the file to determine its source is valuable: if the origin of the malware is identified, legal or technical action can be taken against the malicious actor. Forensic analysis can also reveal more about the threat, and that information can be used to identify or block similar threats that would otherwise go undetected. This is especially true of new and unique threats.

So what considerations should be made for file quarantine configuration?

When should the quarantine occur?

If files are being checked at the entry point to a secure network, for instance, quarantine can hold any potentially dangerous files before they are allowed into the secure area. These files can then be analysed under the organisation's secure data workflow policies to decide whether they should be allowed in, sanitised to remove embedded threats, held for further analysis, or deleted. Because the file is held in quarantine rather than discarded, there is an opportunity to gather more information if it is needed to reach a final decision: the source of the file can be queried for more data, or additional systems (such as dynamic analysis engines) can be used to clarify whether the file should be allowed.
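As an added example (not the author's code or any product's implementation), the following Python sketches a quarantine store of the kind the entry-point workflow above implies, and also covers the two advantages discussed earlier: a flagged file is moved out of the live path into an owner-only directory, masked so it cannot execute or re-trigger scanners, and recorded with its hash, source and the reason it was flagged. The analyst's verdict then either restores it with an integrity check (the false-positive case) or purges the bytes while keeping the record for later forensics. The directory layout, the XOR mask value, the metadata fields and the sample file contents are assumptions made for illustration.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path
from typing import Optional

# Stored copies are XOR-masked so they are no longer valid executables or
# documents and will not re-trigger on-access scanners. This is isolation,
# not secrecy: anyone who can read the store can undo it.
MASK = 0xA5  # assumed value for the example


def _mask(data: bytes) -> bytes:
    return bytes(b ^ MASK for b in data)  # applying it twice restores the input


class Quarantine:
    def __init__(self, root: Path) -> None:
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        os.chmod(self.root, 0o700)  # only the quarantine service account may enter

    def record(self, qid: str) -> dict:
        return json.loads((self.root / f"{qid}.json").read_text())

    def _save(self, qid: str, meta: dict) -> None:
        (self.root / f"{qid}.json").write_text(json.dumps(meta, indent=2))

    def isolate(self, src: Path, source: str, reason: str) -> str:
        """Move src into the store and return its quarantine id."""
        src = Path(src)
        data = src.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        qid = f"{int(time.time())}-{digest[:16]}"
        blob = self.root / f"{qid}.bin"
        blob.write_bytes(_mask(data))
        os.chmod(blob, 0o600)  # owner read/write only, no execute bit
        self._save(qid, {
            "original_path": str(src.resolve()),
            "source": source,  # where the file came from, for follow-up queries
            "reason": reason,  # what the detection engine flagged
            "sha256": digest,
            "quarantined_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "state": "held",
        })
        src.unlink()  # the live copy goes only after the store copy exists
        return qid

    def release(self, qid: str, dest: Optional[Path] = None) -> Path:
        """Restore a file judged to be a false positive, checking integrity first."""
        meta = self.record(qid)
        if meta["state"] != "held":
            raise RuntimeError(f"{qid} is already {meta['state']}")
        data = _mask((self.root / f"{qid}.bin").read_bytes())
        if hashlib.sha256(data).hexdigest() != meta["sha256"]:
            raise RuntimeError(f"{qid}: stored copy does not match recorded hash")
        target = Path(dest) if dest else Path(meta["original_path"])
        target.write_bytes(data)
        (self.root / f"{qid}.bin").unlink()
        meta["state"] = "released"
        self._save(qid, meta)
        return target

    def purge(self, qid: str) -> None:
        """Delete the stored bytes but keep the metadata as an audit record."""
        meta = self.record(qid)
        if meta["state"] != "held":
            raise RuntimeError(f"{qid} is already {meta['state']}")
        (self.root / f"{qid}.bin").unlink()
        meta["state"] = "deleted"
        self._save(qid, meta)


def demo() -> dict:
    """Run both verdicts on constructed sample files and report the outcome."""
    work = Path(tempfile.mkdtemp())
    inbox = work / "inbox"
    inbox.mkdir()
    benign = inbox / "invoice.pdf"                       # constructed sample
    benign.write_bytes(b"%PDF-1.4 constructed benign sample\n")
    hostile = inbox / "update.exe"                       # constructed sample
    hostile.write_bytes(b"MZ constructed hostile sample\n")
    q = Quarantine(work / "quarantine")
    qid_b = q.isolate(benign, "mail:partner@example.com", "heuristic match")
    qid_h = q.isolate(hostile, "http://example.com/update.exe", "signature match")
    stored = (work / "quarantine" / f"{qid_b}.bin").read_bytes()
    restored = q.release(qid_b)  # analyst verdict: false positive
    q.purge(qid_h)               # analyst verdict: real threat
    return {
        "hostile_live_copy_gone": not hostile.exists(),
        "stored_copy_differs": stored != b"%PDF-1.4 constructed benign sample\n",
        "restored_bytes": restored.read_bytes(),
        "benign_state": q.record(qid_b)["state"],
        "hostile_state": q.record(qid_h)["state"],
        "hostile_record_kept": (work / "quarantine" / f"{qid_h}.json").exists(),
    }
```

Two design choices matter here. The live copy is unlinked only after the masked copy and its record exist, so a crash mid-operation loses nothing. And `purge` deletes the bytes but never the JSON record, so the hash, source and reason remain available for blocking similar files or pursuing the source even after the sample itself is gone.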

What do we do when threats are detected?

A key...
