Automated response: quarantining a file
Warning
You can't revert an automated response. Sophos strongly recommends testing automated responses using dry runs before you turn them on in a production environment. See dry runs.
For the policies that support quarantine responses specify responseAction: quarantine.
A quarantine response action is performed quarantining the target file into the /.runtimedetections-quarantined/ directory. When the files are moved into the quarantined directory they are renamed $ALERT_UUID-$ORIGINAL_FILENAME as they are moved in.
The following example demonstrates this applied to a File Policy:
policy: file
responseAction: quarantine
enabled: true
alertMessage: Blocklisted File Created
comments: Example using the file policy
priority: High
rules:
- match filePath == "/etc/*"
- default ignore
timeout: 10
Quarantining a file can fail. For example, the file may no longer be available on the file system by the time Sophos Linux Sensor processes the event. The following JSON is a truncated example alert for this configuration in a case where the file could not be quarantined:
"notifications": [
{
"timestamp": "2019-04-17T20:24:57.721065524Z",
"name": "File Policy Example",
"uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
"message": "The program \"/usr/bin/touch\" created the file \"/etc/pwn\", which violated the \"File Policy Example\" File Policy. The quarantine response action was not successful.",
"message_fields": {
"file_path": "/etc/pwn"
}
},
{
"timestamp": "2019-04-17T20:24:57.721065524Z",
"name": "File Policy Example",
"uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
"message": "unable to open original path /etc/pwn: open /etc/pwn: no such file or directory",
"message_fields": {
"action_type": "quarantine",
"action_target_type": "file",
"action_result": "not successful",
"action_result_details": "open /etc/pwn: no such file or directory"
}
}
],