When a file is quarantined, it has been detected and isolated so that it can't harm your endpoints. The Quarantine page in Malwarebytes Nebula allows you to view, delete, or restore these items.
While Malwarebytes uses its best judgment whether a file is a threat, false positives are possible. You may also find items in Quarantine which are trusted files. Do not assume that the contents of Quarantine are either malicious or safe.
View and sort quarantine
The main area of the Quarantine screen shows the list of all quarantined threat data. Each column can be filtered to narrow the results. You can customize data in the results list in the following ways:
- Click Add / Remove Columns above the results list to choose which columns to display.
- Drag and drop certain column headers to the results bar to group data by those parameters.
- Use the filters in the column headers to view specific data.
- Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns.
Click on a column filter icon ( ) to narrow the results. When clicking on the filter icon, the filter list at the top of the screen shows which filters are applied. Click on a filtered item to remove it, or Clear Filters to remove them all.
Click a threat name for details, or click an endpoint to jump to the details screen for that endpoint.
Expand quarantine details
Under the Name column, click one of the listed file names to view more details. In the Quarantine Details window, you can view the following information:
- Name: Click the name to open a glossary explanation of the detection.
- Category: The protection that was triggered by the detection.
- Type: The type of detection, such as a file or outbound connection.
- Location: The location of the detection on the endpoint.
- Detection ID: The detection identification used by Malwarebytes threat researchers.
- Endpoint: Click the endpoint name to go to the Overview page for the endpoint.
- Scanned At: Date and time when the scan occurred that found the detection.
- Quarantined At: Date and time when the detection was quarantined. Threats blocked by Real-Time Protection will not show the Quarantined At field.
- Reported At: Date and time when the quarantined detection was reported to the Nebula console.
- Scan ID: The identification for the scan that found the detection. Click the Scan ID to view the Scan Report for the effected endpoint.
While the Quarantine section shows all quarantined threats across your network, the actual threats remain in an encrypted state on the endpoints where they were found. The quarantine location is a predefined folder on your endpoints:
- Windows endpoints: C:\ProgramData\Malwarebytes\MBAMService\Quarantine
- Mac endpoints: /Library/Application Support/Malwarebytes/NCEP/Quarantine/
- Linux endpoints: /var/lib/mblinux/quarantine
You may perform the following actions on quarantined items from the console:
- Restore (Windows only): Moves the item from Quarantine to its original location on the endpoint. Use this for items known to be safe.
- Delete: Immediately and permanently destroys the file. This action is irreversible.
You may restore quarantined items on Mac endpoints by moving the file on the endpoint from Quarantine to the original location. This action not available from the console for Mac endpoints.
Return to the Malwarebytes Nebula platform Administrator Guide.