
I'm new to the role, and my operational analyst left a few days before I started. I'm his manager, and now it's just me. I'm familiar with the tooling but have never had to operate it myself.

I've had an alert from Defender for Cloud Apps confirming that malware has been detected; the EDR has worked and the malware has been blocked. It has not been quarantined or removed from the host (unsure why), and it keeps attempting to decrypt credentials.

So far I've:

  • Seen the defender alert, and confirmed positive detection
  • Isolated the user's host
  • Disabled unsigned applications from running
  • Disabled the retention policy via 365 compliance to prevent replication

Now I'm trying to actually remove the malware from the machine.

The documentation states: "Go to the top bar and select Stop and Quarantine File."

My instance, however, is missing the "Stop and Quarantine File" button. Under Incidents > Evidence and Response > Files, I'm also missing "Stop and Quarantine File".

I'm not majorly worried for now, as the Defender alert shows that, despite it being active, it's being successfully blocked every time it attempts to run. However, I can't seem to remove it.

Any ideas where I'm going wrong?

mak47

1 Answer


I am not sure whether you are really talking about "Defender for Cloud Apps" or "M365 Defender" in general. Anyway: if you click on the related alert, you see the "Alert story", probably with the specific file, e.g. SofttonicDownloader.exe. You can then click on the three dots in the upper right corner, where you have various options such as "Open file page", "Add indicator", (...) and "Stop and Quarantine File".

[Screenshot: Alert story]

aexlz
  • That's the screen I've got at my end and I don't have the three dots or stop and quarantine file, I've raised a service request with our MS account manager, will report back whatever seems to have gone wrong – mak47 Aug 11 '22 at 19:31
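The same "Stop and Quarantine File" action can be issued through the Microsoft Defender for Endpoint REST API rather than the portal button discussed above. This is an added example, not code from the question or the answer; it assumes an Azure AD app registration granted the Machine.StopAndQuarantine and Machine.Read.All application permissions, and that the machine id and the file's SHA-1 are taken from the alert's evidence. Every angle-bracket value is a placeholder.

```powershell
# Added example: stop and quarantine a detected file via the Defender for Endpoint API.
# Assumptions: app registration with Machine.StopAndQuarantine + Machine.Read.All;
# machine id and SHA-1 copied from the alert evidence. All <...> values are placeholders.
$TenantId  = "<tenant-id>"
$AppId     = "<app-id>"
$AppSecret = "<app-secret>"
$MachineId = "<machine-id-from-alert>"
$FileSha1  = "<sha1-of-detected-file>"

# 1. Client-credentials token scoped to the Defender for Endpoint API resource.
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $AppId
        client_secret = $AppSecret
        scope         = "https://api.securitycenter.microsoft.com/.default"
        grant_type    = "client_credentials"
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Submit the machine action. The API answers immediately with a MachineAction
#    object; the quarantine itself runs asynchronously on the isolated host.
$body = @{
    Comment = "Stop and quarantine file from incident <incident-id>"
    Sha1    = $FileSha1
} | ConvertTo-Json
$action = Invoke-RestMethod -Method Post -Headers $headers -ContentType "application/json" `
    -Uri "https://api.securitycenter.microsoft.com/api/machines/$MachineId/StopAndQuarantineFile" `
    -Body $body
Write-Host "Machine action $($action.id) submitted, status: $($action.status)"

# 3. Poll until the action leaves Pending/InProgress, so the incident record shows
#    whether quarantine actually succeeded rather than only that it was requested.
do {
    Start-Sleep -Seconds 15
    $action = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "https://api.securitycenter.microsoft.com/api/machineactions/$($action.id)"
    Write-Host "Status: $($action.status)"
} while ($action.status -in @("Pending", "InProgress"))
```

A 403 from the first POST means the app registration lacks the remediation permission; check the app's granted permissions before retrying, since the action is not queued in that case.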