Quarantine (Endpoint)
What is Quarantine (Endpoint)?
Quarantine (Endpoint): An endpoint security action that moves a suspected-malicious file out of its original location into a controlled, neutered store so it cannot execute but can still be analyzed or restored.
Quarantine is the historical response action that AV, NGAV, and EDR products take when a file is convicted as malicious. The agent removes the file from disk (or denies further access), encrypts it with a key only the agent knows, and stores it in a protected directory — for example, ProgramData\Microsoft\Windows Defender\Quarantine on Windows or /Library/Application Support/CrowdStrike on macOS — together with metadata about the detection. Defender, ESET, CrowdStrike, SentinelOne, and Sophos all expose centralised quarantine consoles where administrators can review, release after triage, or submit samples to the cloud lab. Quarantine differs from endpoint isolation: it neutralises a single file while isolation severs the whole host. Both are commonly orchestrated by SOAR playbooks during incident response.
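The workflow described above (take the convicted file out of its original location, encrypt it with a key only the agent holds, keep detection metadata beside it, and release it only after triage), as an added Python example; this is not code from the page or from any of the products it names. The store layout (`<id>.quar` blob plus `<id>.json` sidecar), the HMAC-SHA256 counter-mode stream cipher standing in for a vendor's cipher, and the sample file are all assumptions constructed for the demo.

```python
import hashlib, hmac, json, secrets, tempfile, time
from pathlib import Path

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode used as a keyed stream cipher; XOR makes encrypt and
    # decrypt the same call. Enough to neuter a stored sample; a real agent would use an AEAD.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def quarantine_file(path: str, store: str, agent_key: bytes, detection: str) -> str:
    """Move a convicted file into the store as nonce||ciphertext plus a JSON sidecar."""
    src, store_dir = Path(path), Path(store)
    store_dir.mkdir(parents=True, exist_ok=True)
    data = src.read_bytes()
    item_id, nonce = secrets.token_hex(8), secrets.token_bytes(16)
    (store_dir / f"{item_id}.quar").write_bytes(nonce + _keystream_xor(agent_key, nonce, data))
    meta = {"id": item_id, "original_path": str(src.resolve()), "detection": detection,
            "sha256": hashlib.sha256(data).hexdigest(), "quarantined_at": time.time()}
    (store_dir / f"{item_id}.json").write_text(json.dumps(meta))
    src.unlink()  # remove the original only once the encrypted copy is safely stored
    return item_id

def restore_file(item_id: str, store: str, agent_key: bytes, dest: str = "") -> str:
    """Release an item after triage; refuse if the blob no longer matches its metadata."""
    meta = json.loads((Path(store) / f"{item_id}.json").read_text())
    blob = (Path(store) / f"{item_id}.quar").read_bytes()
    data = _keystream_xor(agent_key, blob[:16], blob[16:])
    if hashlib.sha256(data).hexdigest() != meta["sha256"]:
        raise ValueError("quarantined item does not match its recorded hash; not restoring")
    target = Path(dest or meta["original_path"])
    target.write_bytes(data)
    return str(target)

def demo() -> dict:
    # Constructed sample: a harmless text file stands in for a convicted document.
    with tempfile.TemporaryDirectory() as tmp:
        sample, store = Path(tmp) / "invoice.docm", Path(tmp) / "Quarantine"
        payload = b"placeholder for a macro-laden document\n" * 40
        sample.write_bytes(payload)
        key = secrets.token_bytes(32)  # known only to the agent
        iid = quarantine_file(str(sample), str(store), key, "Constructed.Test/Macro")
        blob, meta = (store / f"{iid}.quar").read_bytes(), json.loads((store / f"{iid}.json").read_text())
        removed = not sample.exists()
        restored = Path(restore_file(iid, str(store), key)).read_bytes()
        return {"removed": removed, "neutered": payload[:64] not in blob, "detection": meta["detection"],
                "hash_ok": meta["sha256"] == hashlib.sha256(payload).hexdigest(), "restored_ok": restored == payload}
```

The hash check in `restore_file` is the part worth keeping in any real implementation: it stops a tampered or corrupted quarantine blob from being written back onto the host as if it were the original file.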
● Examples
1. Microsoft Defender quarantining a downloaded macro-laden Word document and storing the encrypted copy for later analyst review.
2. ESET Inspect releasing a quarantined PDF that was wrongly flagged as Bredolab after analyst triage.
● Frequently asked questions
What is Quarantine (Endpoint)?
An endpoint security action that moves a suspected-malicious file out of its original location into a controlled, neutered store so it cannot execute but can still be analyzed or restored. It belongs to the Defense & Operations category of cybersecurity.
How does Quarantine (Endpoint) work?
Quarantine is the historical response action that AV, NGAV, and EDR products take when a file is convicted as malicious. The agent removes the file from disk (or denies further access), encrypts it with a key only the agent knows, and stores it in a protected directory — for example, ProgramData\Microsoft\Windows Defender\Quarantine on Windows or /Library/Application Support/CrowdStrike on macOS — together with metadata about the detection. Defender, ESET, CrowdStrike, SentinelOne, and Sophos all expose centralised quarantine consoles where administrators can review, release after triage, or submit samples to the cloud lab. Quarantine differs from endpoint isolation: it neutralises a single file while isolation severs the whole host. Both are commonly orchestrated by SOAR playbooks during incident response.
How do you defend against Quarantine (Endpoint)?
Quarantine (Endpoint) is itself a defensive response action rather than a threat; its effectiveness depends on combining the technical controls and operational practices described in the full definition above.
What are other names for Quarantine (Endpoint)?
Common alternative names include: File quarantine, Malware quarantine, Endpoint quarantine.
● Related terms
- Antivirus (AV) [defense-ops № 050]: Endpoint software that detects and removes malicious files using signature databases, file scanning, and basic heuristics — the historical foundation of endpoint security.
- Next-Generation Antivirus (NGAV) [defense-ops № 725]: Endpoint protection that augments signature scanning with machine-learning models, behavioral analytics, and exploit prevention to stop unknown and fileless threats.
- EDR (Endpoint Detection and Response) [defense-ops № 371]: An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- Endpoint Isolation [defense-ops № 381]: An EDR response action that severs a compromised host's network connectivity except to the security tooling, so attackers cannot move laterally while responders investigate.
- Incident Response [forensics-ir № 524]: The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.
- Malware Analysis [forensics-ir № 650]: The structured study of a malicious sample to understand its functionality, origin, indicators of compromise, and impact on affected systems.