Last update: 2022-06-20

Automated response: quarantining a file

Warning

Configuring automated response lets Sophos Linux Sensor dynamically respond to attacks. This includes options to perform preventative actions such as suspending or killing processes and containers, which can impact host functionality. Sophos strongly recommends testing automated responses using dry runs before turning them on in a production environment. See dry runs.

For the policies that support quarantine responses, specify responseAction: quarantine.

A quarantine response action moves the target file into the /.runtimedetections-quarantined/ directory. As each file is moved into the quarantine directory it is renamed $ALERT_UUID-$ORIGINAL_FILENAME, so a quarantined file can always be traced back to the alert that triggered it.

The following example demonstrates this applied to a File Policy:

  policy: file
  responseAction: quarantine
  enabled: true
  alertMessage: Blocklisted File Created
  comments: Example using the file policy
  priority: High
  rules:
    - match filePath == "/etc/*"
    - default ignore
  timeout: 10

Quarantining a file can fail. For example, the file may no longer exist on the file system by the time Sophos Linux Sensor processes the event. The alert then carries two notifications with the same uuid: the policy violation itself and a second entry describing the response action and why it failed. The following JSON is a truncated example alert for this configuration in a case where the file could not be quarantined:

  "notifications": [
    {
      "timestamp": "2019-04-17T20:24:57.721065524Z",
      "name": "File Policy Example",
      "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
      "message": "The program \"/usr/bin/touch\" created the file \"/etc/pwn\", which violated the \"File Policy Example\" File Policy. The quarantine response action was not successful.",
      "message_fields": {
        "file_path": "/etc/pwn"
      }
    },
    {
      "timestamp": "2019-04-17T20:24:57.721065524Z",
      "name": "File Policy Example",
      "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
      "message": "unable to open original path /etc/pwn: open /etc/pwn: no such file or directory",
      "message_fields": {
        "action_type": "quarantine",
        "action_target_type": "file",
        "action_result": "not successful",
        "action_result_details": "open /etc/pwn: no such file or directory"
      }
    }
  ],
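The following Python script is an added example, not part of the Sophos documentation or the sensor itself. It shows how an operator can triage alerts of the shape above: it pairs each policy notification with its quarantine action result by uuid, reports which quarantines failed and why, and, for successful ones, computes where the file should now sit under the $ALERT_UUID-$ORIGINAL_FILENAME naming rule. The sample alert is constructed from the truncated example above plus one constructed successful case; the success value "successful", the basename-only interpretation of $ORIGINAL_FILENAME and the helper names are assumptions, not documented sensor behaviour.

```python
import json
import os
from collections import defaultdict

# Quarantine directory and naming rule as stated in the documentation.
QUARANTINE_DIR = "/.runtimedetections-quarantined"

# Constructed sample alert: the failed case from the documentation plus a
# constructed successful case. The "successful" string is an assumption;
# the documentation only shows "not successful".
SAMPLE_ALERT = json.dumps({
    "notifications": [
        {
            "timestamp": "2019-04-17T20:24:57.721065524Z",
            "name": "File Policy Example",
            "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
            "message": "The program \"/usr/bin/touch\" created the file \"/etc/pwn\", "
                       "which violated the \"File Policy Example\" File Policy. "
                       "The quarantine response action was not successful.",
            "message_fields": {"file_path": "/etc/pwn"},
        },
        {
            "timestamp": "2019-04-17T20:24:57.721065524Z",
            "name": "File Policy Example",
            "uuid": "b5659bb6-4aeb-4d03-9a15-deaf506cef6d",
            "message": "unable to open original path /etc/pwn: open /etc/pwn: no such file or directory",
            "message_fields": {
                "action_type": "quarantine",
                "action_target_type": "file",
                "action_result": "not successful",
                "action_result_details": "open /etc/pwn: no such file or directory",
            },
        },
        {   # constructed successful case (hypothetical uuid and path)
            "timestamp": "2019-04-17T20:25:03.000000000Z",
            "name": "File Policy Example",
            "uuid": "00000000-0000-4000-8000-000000000001",
            "message": "The program \"/usr/bin/cp\" created the file \"/etc/example.conf\", "
                       "which violated the \"File Policy Example\" File Policy.",
            "message_fields": {"file_path": "/etc/example.conf"},
        },
        {
            "timestamp": "2019-04-17T20:25:03.000000000Z",
            "name": "File Policy Example",
            "uuid": "00000000-0000-4000-8000-000000000001",
            "message": "quarantined /etc/example.conf",
            "message_fields": {
                "action_type": "quarantine",
                "action_target_type": "file",
                "action_result": "successful",   # assumed value
            },
        },
    ]
})


def expected_quarantine_path(alert_uuid, original_path):
    """Where a quarantined file should be found: $ALERT_UUID-$ORIGINAL_FILENAME
    inside the quarantine directory. Using the basename of the original path is
    an assumption; the documentation does not say whether the full path is used."""
    return os.path.join(QUARANTINE_DIR, f"{alert_uuid}-{os.path.basename(original_path)}")


def summarize_quarantine_actions(alert_json):
    """Pair policy notifications with their quarantine results (shared uuid) and
    return one summary dict per alert that carried a quarantine action."""
    alert = json.loads(alert_json)
    by_uuid = defaultdict(dict)
    for note in alert.get("notifications", []):
        fields = note.get("message_fields", {})
        entry = by_uuid[note["uuid"]]
        if fields.get("action_type") == "quarantine":
            # Second notification: the response action and its outcome.
            entry["result"] = fields.get("action_result")
            entry["details"] = fields.get("action_result_details", "")
        elif "file_path" in fields:
            # First notification: the policy violation with the file involved.
            entry["file_path"] = fields["file_path"]
            entry["policy"] = note.get("name")

    summary = []
    for alert_uuid, entry in by_uuid.items():
        if "result" not in entry:
            continue  # no quarantine action was attempted for this alert
        succeeded = entry["result"] != "not successful"
        path = entry.get("file_path")
        summary.append({
            "uuid": alert_uuid,
            "policy": entry.get("policy"),
            "file_path": path,
            "succeeded": succeeded,
            "details": entry.get("details", ""),
            "quarantine_path": expected_quarantine_path(alert_uuid, path) if succeeded and path else None,
        })
    return summary


if __name__ == "__main__":
    for row in summarize_quarantine_actions(SAMPLE_ALERT):
        state = "quarantined at " + row["quarantine_path"] if row["succeeded"] else "FAILED: " + row["details"]
        print(f"{row['uuid']} {row['file_path']}: {state}")
```

A failed quarantine is worth surfacing separately from the policy alert: the "no such file" detail in the example means the file was created and removed again before the sensor acted, so the host was not protected by the response and the event deserves a closer look rather than being filed as handled.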