Network Share Quarantine
You can configure multiple quarantine profiles for different Network Share locations. Use different configurations to send detected files with different risk levels to separate quarantine locations.
Quarantined files
When a file is quarantined, FortiNDR creates two files in the quarantine folder:
- A copy of the original file, and
- A metadata file.
The metadata file provides information about FortiNDR's verdict of the malicious file, such as the virus name, path (URL), and MD5. You can refer to the metadata file to understand why the file was moved or copied to the quarantine folder.
The metadata file uses the naming pattern <Network Share File ID>.meta. The file contains the following information:
- Network Share File ID
- Network Share ID
- Network Share Profile Name
- Scan Task ID
- File ID
- Filename
- URL
- MD5
- Detection Name
Example:
Network Share FileID: 351640
SID: 3 (Share ID)
JID: 44 (Job ID)
FileID: 1198941 (File ID)
File Name: sample.vsc
Device: testshared
URL: //172.16.2.100/shared2/2/sample.vsc
MD5: 31e06f25de8b5623c3fdaba93ed2edde
Virus Name: W32/Wanna.A!tr.ransom
DelOriginalFile: Success
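The following Python is an added example, not FortiNDR code: it parses the example .meta content above and runs consistency checks before a record is forwarded to triage or a SIEM. It assumes the file is plain `Key: value` lines as in the example, that ID values may carry a parenthetical note such as `(Share ID)`, and that any `DelOriginalFile` value other than `Success` is worth flagging; `parse_meta` and `check_meta` are hypothetical helper names.

```python
import re
# Sample input: the example .meta content shown on this page.
SAMPLE_META = """\
Network Share FileID: 351640
SID: 3 (Share ID)
JID: 44 (Job ID)
FileID: 1198941 (File ID)
File Name: sample.vsc
Device: testshared
URL: //172.16.2.100/shared2/2/sample.vsc
MD5: 31e06f25de8b5623c3fdaba93ed2edde
Virus Name: W32/Wanna.A!tr.ransom
DelOriginalFile: Success
"""

ID_FIELDS = ("Network Share FileID", "SID", "JID", "FileID")
# Numeric ID, optionally followed by a "(Share ID)"-style note (assumption).
ID_RE = re.compile(r"^(\d+)(?:\s+\([^()]*\))?$")

def parse_meta(text):
    """Parse 'Key: value' lines; split on the first colon so URLs survive."""
    record = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected 'Key: value'")
        record[key.strip()] = value.strip()
    return record

def check_meta(record, meta_filename):
    """Convert ID fields to int in place and return consistency findings.
    meta_filename is checked against <Network Share File ID>.meta."""
    findings = []
    for field in ID_FIELDS:
        m = ID_RE.match(record.get(field, ""))
        if m:
            record[field] = int(m.group(1))
        else:
            findings.append(f"{field}: missing or not numeric")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", record.get("MD5", "")):
        findings.append("MD5: not a 32-character hex digest")
    if record.get("URL", "").rsplit("/", 1)[-1] != record.get("File Name"):
        findings.append("File Name differs from last component of URL")
    if meta_filename != f"{record.get('Network Share FileID')}.meta":
        findings.append("file name does not match <Network Share File ID>.meta")
    if record.get("DelOriginalFile") != "Success":
        findings.append("DelOriginalFile is not 'Success'")
    return findings
```

An empty list from `check_meta` means the record is internally consistent; it does not re-verify the verdict itself.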
Creating a quarantine profile
To create a quarantine profile:
- Go to Security Fabric > Network Share Quarantine.
- In the toolbar, click Create New. The New Quarantine Location window opens.
- Configure the quarantine profile mounting information.
Setting | Description |
---|---|
Status | Enable or Disable. |
Quarantine Name | Enter a name for the quarantine profile. |
Mount Type | Select a Network Share protocol from the list. The following protocols are supported: SMBv1.0, SMBv2.0, SMBv2.1, SMBv3.0, NFSv2.0, NFSv3.0, NFSv4.0 |
Server IP | Enter the IP address for the Network Share. |
Share Path | Enter the path for the Network Share. |
Username | Enter the username for the Network Share. |
Password | Enter the password for the Network Share and then confirm the password. |
- (Optional) Select Keep Original File At Source Location.
Enabling Keep Original File At Source Location may affect the behavior of your Network Share profile. For information, see Combining network share and quarantine profiles.
- (Optional) In the Description field, enter a description of the profile.
Combining network share and quarantine profiles
The following table summarizes how enabling Keep Original File At Source Location affects the behavior of the quarantine and sanitize settings in a Network Share profile:
Keep Original File At Source Location | Effect | Enable Quarantine for (Critical/High/Med/Low/Password Protected/Other risk) | Effect |
---|---|---|---|
Enabled | Keeps the quarantine file in the source location. | Enabled | |
Disabled | FortiNDR creates a placeholder file with <Filename>.quarantined in the original folder | Enabled | |
You can use the Network Share Quarantine location for both the quarantine of malicious files as well as the Move/Copy of clean files. However, we recommend creating different folders for clean and malicious files.
Keep original file at source location | Move/Copy clean files to sanitized location | Effect |
---|---|---|
Enabled | Enabled | |
Enabled/Disabled | Disabled | |
Disabled | Enabled | |
The Move operation involves copying and deleting files. FortiNDR can only delete files if it has sufficient permissions to do so.