Manage quarantine in Nebula

When malicious files are detected and quarantined, the files and registry settings are copied and encrypted into a quarantine folder on the endpoint. The Quarantine page in Nebula is an index for each item on the endpoint and allows you to restore or delete detected files. Items stay in this list until they are manually restored or deleted from the page.

While Nebula uses its best judgment whether a file is a threat, false positives are possible. You may also find items in Quarantine that are legitimate. View detected items and cross-check the information to verify if the file is legitimate with other Threat Intelligence databases, such as VirusTotal using the SHA256 hash of the file.

On the left navigation menu, go to Monitor > Quarantine to view the list of all quarantined threat data. While this page shows all quarantined threats across your network, the actual threats remain encrypted on the endpoints where they were found. The quarantine location is a predefined folder on your endpoints:

• Windows endpoints: C:\ProgramData\Malwarebytes\MBAMService\Quarantine
• Mac endpoints: /Library/Application Support/Malwarebytes/NCEP/Quarantine/
• Linux endpoints: /var/lib/mblinux/quarantine

Manage quarantine

The following options are available in the Actions menu of the Quarantine page.

• Create Exclusions: Create exclusions on the selected quarantined items. Only Super Admins can create exclusions. For more information on exclusions, see Overview of exclusions in Nebula.
• Restore: Moves the item from Quarantine back to its original location on the endpoint. If the device you're restoring a quarantined file to is a USB device, it must be connected to the same endpoint it was quarantined from. Use this for items you know are legitimate.
• Delete: Submits a task to the endpoint to permanently delete the encrypted quarantined items. 
• Restore & Create Exclusion: Restore and create exclusions on the selected quarantined items. 

Quarantine data

The following columns are available on the Quarantine page:

• Threat name: Name of the quarantined threat.
• Category: Category of quarantined threat, such as malware or ransomware.
• Type: Type of threat, such as file or registry key.
• Endpoint: Endpoint the file was quarantined from.
• Location: File path of quarantined threat.
• Date: Date and time the threat was quarantined.
• Device: USB device the threat was quarantined from. 

Click Add / Remove Columns to choose which columns to display. 

Expand quarantine details

Under the Threat Name column, click one of the listed file names to view more details. In the Quarantine Details window, you can view the following information:

• Name: Click the name to open a glossary explanation of the detection.
• Category: The protection that was triggered by the detection.
• Type: The type of detection, such as a file or outbound connection.
• Location: The location of the detection on the endpoint.
• Detection ID:  The detection identification used by our threat researchers.
• Endpoint: Click the endpoint name to go to the Overview page for the endpoint.
• Scanned At: Date and time when the scan occurred that found the detection.
• Quarantined At: Date and time when the detection was quarantined. Threats blocked by Real-Time Protection will not show the Quarantined At field.
• Reported At: Date and time when the quarantined detection was reported to the Nebula console.
• Scan ID:  The identification for the scan that found the detection. Click the Scan ID to view the Scan Report for the affected endpoint.

Filter and sort data

Use the following features to filter and sort data on the Quarantine page:

• Drag and drop certain column headers to the results bar to group data by those parameters.
• Column pinning and auto-sizing: Next to a column header, click the filter button to display a checkbox list of different sub-filters you can apply. Click the filter  tab to pin or auto size for the selected column.
• Right-click menu: In the table, click and drag to select and highlight a section of the table. Right-click on your selected information to copy the cells and information.
• Select all: Click the checkbox next to the Threat name column header.

Click on a column filter icon to narrow the results. When clicking on the filter icon, the filter list at the top of the screen shows which filters are applied. Click on a filtered item to remove it, or Clear Filters to remove them all.