Adds information about canary files and the quarantine process for malicious files (elastic#3398)

* first draft, adds content

* Update docs/getting-started/configure-integration-policy.asciidoc

* Update docs/getting-started/configure-integration-policy.asciidoc

* adds details about linux and macos quarantined folder locations

* fixes typo, updates organization

* Update docs/getting-started/configure-integration-policy.asciidoc

Co-authored-by: Nastasha Solomon <[email protected]>

* Update docs/getting-started/configure-integration-policy.asciidoc

Co-authored-by: Nastasha Solomon <[email protected]>

* Update docs/getting-started/configure-integration-policy.asciidoc

Co-authored-by: Nastasha Solomon <[email protected]>

* Update docs/getting-started/configure-integration-policy.asciidoc

Co-authored-by: Nastasha Solomon <[email protected]>

* incorporates Joe's feedback

* Update docs/getting-started/configure-integration-policy.asciidoc

* Update docs/getting-started/configure-integration-policy.asciidoc

* Update docs/getting-started/configure-integration-policy.asciidoc

* minor reorg

---------

Co-authored-by: Nastasha Solomon <[email protected]>
benironside and nastasha-solomon authored Aug 9, 2023
1 parent d84dd83 commit 2d26bc5
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions docs/getting-started/configure-integration-policy.asciidoc
Expand Up @@ -68,6 +68,17 @@ Malware protection also allows you to manage a blocklist to prevent specified ap
extending the list of processes that {elastic-defend} considers malicious. Use the **Blocklist enabled** toggle
to enable or disable this feature for all hosts associated with the integration policy. To configure the blocklist, refer to <<blocklist>>.

When *Detect* is enabled for malware protection, {agent} will quarantine any malicious file it finds. Specifically {agent} will remove the file from its current location, encrypt it with the encryption key `ELASTIC`, move it to a different folder, and rename it as an ID string, such as `318e70c2-af9b-4c3a-939d-11410b9a112c`.

The quarantine folder location varies by operating system:

- macOS: `/System/Volumes/Data/.equarantine`
- Linux: `.equarantine` at the root of the mount point of the file being quarantined
- Windows - {agent} versions 8.5 and later: `[DriveLetter:]\.quarantine`, unless the files are from the `C:` drive. These files are moved to `C:\Program Files\Elastic\Endpoint\state\.equarantine`.
- Windows - {agent} versions 8.4 and earlier: `[DriveLetter:]\.quarantine`, for any drive

To restore a quarantined file to its original state and location, <<add-exceptions, add an exception>> to the rule that identified the file as malicious. If the exception would've stopped the rule from identifying the file as malicious, {agent} restores the file.

[role="screenshot"]
image::images/install-endpoint/malware-protection.png[Detail of malware protection section.]
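Review bot: The folder list is inconsistent about the directory name: the macOS and Linux entries and the Windows `C:` fallback use `.equarantine`, while both Windows `[DriveLetter:]\.quarantine` entries use `.quarantine`; please confirm which spelling is correct and make the four bullets agree, since a reader locating the folder on disk will otherwise search for the wrong name. Two smaller points in the same hunk: "encrypt it with the encryption key `ELASTIC`" reads as if the file is being protected by a secret, but a fixed, documented key cannot keep the contents confidential, so it would help to state what the encryption is actually for (for example, that the stored copy can no longer be executed or re-detected while in quarantine, if that is the intent); and "Specifically {agent} will remove" needs a comma after "Specifically", while "would've" in the restore paragraph should be "would have" in reference documentation.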

Expand All @@ -89,6 +100,8 @@ will **not** block ransomware. You must pay attention to and analyze any ransomw
* **Prevent** (Default): Detects ransomware on the host, blocks it from executing,
and generates an alert.

When ransomware protection is enabled, canary files placed in targeted locations on your hosts provide an early warning system for potential ransomware activity. When a canary file is modified, Elastic Defend immediately generates a ransomware alert. If *prevent* ransomware is active, {elastic-defend} terminates the process that modified the file.

Select **Notify user** to send a push notification in the host operating system when activity is detected or prevented. Notifications are enabled by default for the *Prevent* option.

TIP: Platinum and Enterprise customers can customize these notifications using the `Elastic Security {action} (unknown)` syntax.
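Review bot: The new canary-file paragraph writes `Elastic Defend` literally in its second sentence but uses the `{elastic-defend}` attribute in its third sentence and in the surrounding text; use the attribute in both places. It also refers to "*prevent* ransomware" in lowercase italics while the option list directly above names the setting `**Prevent**`; matching the option's name and formatting (for example "When **Prevent** is selected") removes the ambiguity. Finally, "canary files placed in targeted locations on your hosts" leaves open who places the files and what "targeted" means; stating that {elastic-defend} creates them in locations ransomware commonly encrypts (if that is accurate) would make the mechanism clear to the reader.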