File action

File Actions provide different options for handling files detected by CylancePROTECT Desktop as either unsafe or abnormal.
Auto Quarantine with Execution Control
This feature quarantines or blocks the unsafe or abnormal file to prevent it from executing. Quarantining a file:
  • Renames the file with a .quarantine extension
  • Moves the file from its original location to one of the following quarantine directories:
    • For Windows:
    • For macOS:
      /Library/Application Support/Cylance/Desktop/q
    • For Linux:
  • Modifies the Access Control List (ACL) for the file to prevent the user from interacting with the file.
Some malware is designed to drop other files in certain directories and keeps trying until the file is successfully dropped. To stop this type of malware from continually re-dropping the removed file, CylancePROTECT Desktop modifies the dropped file so that it will not execute.
Make sure you test auto quarantine on a small number of devices before applying it to your production environment. This is so you can observe the test results and ensure that business-critical applications are not blocked at execution.
Enable Auto-Delete for Quarantined Files
This feature enables automatic deletion of quarantined files after a specified number of days. This applies to all devices assigned to the policy. The minimum number of days is 14, the maximum is 365.
When enabled, the agent automatically deletes these files after the designated time. The day count starts when the file is first quarantined. The deletion is recorded in the agent log file for verification, and the file is removed from the quarantine list in the agent UI. If this feature is not enabled, quarantined files remain on the device until they are manually deleted.
When a device using agent 1420 (or lower) is upgraded to agent 1430 (or higher), the day count for files quarantined before the upgrade starts at the upgrade, and those files are automatically deleted after the set number of days.
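To verify that auto-delete is keeping up on a macOS device, the following added example (not part of the CylancePROTECT documentation or product) applies the rules above to the files in the quarantine directory. It assumes the inode change time approximates the quarantine time; the function names and the 30-day value are hypothetical.

```python
import time
from pathlib import Path

MIN_DAYS, MAX_DAYS = 14, 365   # auto-delete limits stated on this page
MACOS_QUARANTINE_DIR = "/Library/Application Support/Cylance/Desktop/q"
DAY = 86400                    # seconds

def deletion_due(quarantined_at, retention_days, upgraded_at=None):
    """Epoch time at which auto-delete should remove a quarantined file.

    The count starts when the file was first quarantined. For a file
    quarantined before an upgrade from agent 1420 (or lower) to 1430
    (or higher), pass upgraded_at: the count starts at the upgrade.
    """
    if not MIN_DAYS <= retention_days <= MAX_DAYS:
        raise ValueError(f"retention must be {MIN_DAYS}-{MAX_DAYS} days")
    start = quarantined_at
    if upgraded_at is not None and upgraded_at > quarantined_at:
        start = upgraded_at
    return start + retention_days * DAY

def overdue_files(directory, retention_days, now=None, upgraded_at=None,
                  stamp=lambda st: st.st_ctime):
    """Return [(name, whole_days_overdue)] for *.quarantine files.

    Assumption: the inode change time (st_ctime) approximates the
    quarantine time, because the rename and ACL change update it.
    """
    now = time.time() if now is None else now
    overdue = []
    for path in sorted(Path(directory).glob("*.quarantine")):
        try:
            quarantined_at = stamp(path.stat())
        except OSError:
            continue           # unreadable entry: skip rather than abort
        due = deletion_due(quarantined_at, retention_days, upgraded_at)
        if now > due:
            overdue.append((path.name, int((now - due) // DAY)))
    return overdue

if __name__ == "__main__":
    # 30 is a constructed policy value; run with rights to read the directory.
    for name, days in overdue_files(MACOS_QUARANTINE_DIR, 30):
        print(f"{name}: {days} day(s) past the auto-delete date")
```

Any file reported here should also have a matching deletion entry missing from the agent log, which is the second place to check.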
Auto Upload
Make sure that you enable Auto Upload for all available file types. If the agent finds a file that has never been analyzed before, it requests to upload the file for analysis. CylancePROTECT Desktop only uploads and analyzes unknown Portable Executable (PE) files. If the same unknown file is discovered on multiple devices in the organization, CylancePROTECT Desktop uploads the file only once, from a single device, rather than once per device.