Quarantine 🟢 Protection

A quarantine is a security measure that consists of isolating a suspect element (infected file or material, e-mail from phishingpotentially malicious program or system, etc.) in a isolated and secure area of the system to prevent it from causing damage to the rest of the system or network.

This isolated zone is designed to prevent the quarantined item from executing, spreading or interacting with the rest of the system or network. It is a preventive and reactive security measure.

©Alexandre SALQUE/ORSYS

🎯 Quarantine objective

• Containing the threat : the main objective is to prevent malicious software or an infected file from causing further damage. Isolating the threat limits its ability to spread to other files, systems or users.
• Analysing the threat : Quarantine keeps a suspicious item safe so that it can be analysed in more detail. Security experts can examine the quarantined file to determine whether it really is a threat, what type of threat it is, and how to neutralise it completely.
• Neutralising the threat If an item is confirmed as malicious, it can be safely removed or neutralised, without the risk of infecting other parts of the system.
• Reducing false positives : sometimes, security software can wrongly identify a legitimate file as being malicious (this is known as a "false positive"). Quarantine allows suspicious files to be put on hold without being deleted immediately. If, after analysis, the file is found to be safe, it can be restored to its original location. If it is a real threat, it can be safely deleted.
• Prevent future infections: By understanding how a threat was detected and quarantined, security teams can strengthen their defences and put in place measures to prevent similar attacks in the future.

👉 Types of quarantine

• File quarantine isolation of suspicious files (e.g. attachments, downloads)
• Quarantine processes Some intrusion detection systems (IDS) or Intrusion Prevention System (IPS) can quarantine processes that appear to be behaving abnormally or maliciously
• Quarantine e-mails blocking dubious emails or emails containing links/phishing.
• Network quarantine Isolating an infected network segment (e.g. to limit the number of ransomware).
• Quarantaine d'appareils blocking a compromised device until it has been disinfected.

How it works

When an item is quarantined, the security system can take a number of actions:

• Moving the file : the file is often moved to a specially designated quarantine directory. This directory is usually protected and inaccessible to normal system processes.
• Encryption : In some cases, the quarantined file can be encrypted to ensure that it cannot be executed accidentally.
• Changing permissions : the file's permissions can be modified to prevent it from being executed.
• Removing network access : if an entire device or system is quarantined, it can be disconnected from the network to prevent communication with other devices.

📊 Statistics and figures

• 95 % of companies use quarantine mechanisms to counter malware (Ponemon Institute, 2023).
• On average, 500 files per month are quarantined in a medium-sized company (Verizon DBIR, 2023).
• Quarantine systems reduce incident response time by 60 % (Gartner, 2022).
• A malware attack avoided thanks to quarantine saves up to 2.6 million dollars in potential costs (IBM Cost of a Data Breach, 2023).