As announced by Microsoft last week, the Download quarantined files is generally available.
This will simplify for SecOps to download quarantined files for further analysis.
So, why do SecOps want to download files?
One reason could be that they want to do forensic analysis on the file to see if taken response actions was enough or extract indicator which they can hunt for.
The feature is enabled in advanced features and is enabled by default
Cloud protection integration
The file download is dependent on the sample submission settings. Make sure it’s turned on!
- Microsoft Defender Antivirus in active mode
- Antivirus engine version is 1.1.17300.4 or later. See Monthly platform and engine versions
- Cloud–based protection is enabled. See Turn on cloud-delivered protection
- Sample submission is turned on
- Devices have Windows 10 version 1703 or later, or Windows server 2016 or 2019
The file download is available from multiple pages in defender
It’s also visible on the file page, and the reason why we want to have the option to download in multiple pages is to avoid having to switch view and to be able to take the actions where we are in the portal
The possibility to set password for the file download makes it more safe and also avoid file to be detected during download