What Is Quarantine? Security Definition
On This Page
Quick Definition
Quarantine means putting a suspicious file, email, or device in a locked-down area where it cannot cause damage. Think of it like a digital isolation room. Security tools use quarantine to stop threats from spreading until they can be safely removed or cleaned. It buys time for security teams to decide what to do.
Commonly Confused With
Blocking prevents an item from entering the system entirely. Quarantine allows the item in but isolates it. For example, an email filter can block a message at the gateway (never stored) or quarantine it (stored but inaccessible). Blocking is immediate denial; quarantine is temporary isolation.
If an email server blocks a message, the sender gets a bounce-back. If it quarantines a message, the email is stored in a safe location for admin review.
A sandbox is a controlled environment where suspicious files are executed and analyzed. Quarantine just stores the file in a restricted area without execution. You might quarantine a file first, then send a copy to a sandbox for analysis. Sandboxing is active analysis; quarantine is passive isolation.
You quarantine a downloaded .exe file on your desktop. Then you copy it to a virtual machine (sandbox) to see what it does. The original remains in quarantine.
Remediation is the process of removing or fixing a threat after it has been identified. Quarantine is a containment step that happens before remediation. You quarantine first to stop damage, then remediate by cleaning or deleting the threat.
When a computer is infected with ransomware, you quarantine it by disconnecting from the network (containment). Then you remediate by restoring files from backup and removing the ransomware.
Network isolation often refers to placing a device on a separate VLAN or cutting its network access entirely. Quarantine can be part of isolation, but quarantine also applies to files and emails. Isolation is a broader concept that includes quarantine as one method.
A compromised server is isolated by blocking all traffic at the firewall. That is network isolation. A suspicious email attachment is moved to a quarantine folder, that is file quarantine.
Must Know for Exams
Quarantine appears directly or indirectly across all three of your target exams: CompTIA A+, CompTIA CySA+, and Microsoft 365 Certified: Messaging Administrator Associate (MS-102).
For the CompTIA A+ exam (220-1102), quarantine is part of the "Security" domain, specifically objectives related to malware removal and prevention. You need to know the steps of malware removal, which include identifying the malware, quarantining the infected system, disabling System Restore, and then cleaning or removing the malware. The exam may ask you to choose the correct first step when dealing with a suspected malware infection. The correct answer is often "quarantine the system" or "disconnect the system from the network." Expect scenario-based questions where you have to explain why quarantine is important before attempting removal.
For the CompTIA CySA+ exam (CS0-002 or CS0-003), quarantine is more technically embedded. CySA+ focuses on behavioral analytics and threat hunting. You will encounter questions about isolating compromised hosts, using containment strategies during incident response, and understanding how email quarantine works in the context of phishing analysis. The exam may present a scenario where a security analyst detects unusual outbound traffic from a host; you must decide whether to quarantine the host at the network level (by blocking its switch port) or at the endpoint level. CySA+ also covers the concept of "automated quarantine" in SOAR (Security Orchestration, Automation, and Response) platforms. You should be familiar with how quarantine integrates with playbooks and how false positives can trigger unnecessary quarantine actions.
For the Microsoft MS-102 exam (Microsoft 365 Administrator), quarantine is a major topic in the domain "Manage Microsoft 365 security and compliance." You must understand how Exchange Online Protection (EOP) and Microsoft Defender for Office 365 handle quarantine. The exam covers quarantine policies for malware, high-confidence phishing, spam, and bulk mail. You will need to know how to configure quarantine policies, set retention periods, manage user permissions for self-release, and use the Microsoft 365 Defender portal to review and release quarantined messages. Expect questions about the difference between "admin-only quarantine" and "user-accessible quarantine." You may also be asked about quarantine for SharePoint, OneDrive, and Teams files through Microsoft Defender for Cloud Apps. MS-102 expects you to know how to report false positives and false negatives in quarantine.
In all three exams, quarantine is often tested through scenario-based questions that ask you to select the best response to a security incident. The common thread is that quarantine is the containment step before investigation or remediation. Do not confuse it with deletion, blocking, or remediation. Quarantine is about isolation first.
Simple Meaning
Imagine you work in a busy office mailroom. You notice a package that looks strange, it has no return address, the tape is peeling, and it feels like there might be something rattling inside. You would not hand that package directly to the CEO. Instead, you would put it in a locked, secure box away from everyone else until you can inspect it more carefully. That is exactly what quarantine does in the digital world.
When an antivirus program, email filter, or network security tool detects something suspicious, it does not delete it right away. Deleting could destroy evidence or cause problems if the file is actually safe. Instead, the system moves the item into a special restricted area called quarantine. From there, the file cannot execute, cannot be opened by users, and cannot communicate with other parts of the system. It is essentially frozen in place.
Security professionals can then examine the quarantined item. They can look at its code, check it against threat intelligence databases, or run it in a sandbox, a safe, isolated environment, to see what it does. If it turns out to be harmless, they can release it back into the wild. If it is malicious, they can delete it, send it to a malware analysis lab, or use it to update detection signatures. Quarantine gives control to the defender instead of the attacker.
This technique is used everywhere in IT. Email servers quarantine messages that look like phishing. Endpoint protection quarantines downloaded files that match known malware patterns. Network intrusion prevention systems quarantine traffic from compromised IP addresses. Even cloud collaboration platforms like Microsoft 365 quarantine files detected by their built-in security policies. The core idea is always the same: isolate first, ask questions later.
Full Technical Definition
Quarantine, in an IT security context, is a containment strategy that isolates a suspicious object from normal system operations to prevent potential harm while preserving it for analysis or remediation. The object can be a file, an email message, a network packet, a process, a device, or even a user account. The implementation varies by technology but follows a common set of principles: isolation, preservation, and deferred action.
When an antivirus or endpoint detection and response (EDR) tool quarantines a file, it typically moves the file to a protected directory with restricted file system permissions. The file is often encrypted or renamed to prevent accidental execution. The original file system entry is replaced with a placeholder or removed entirely from the user’s view. On Windows, for example, Microsoft Defender moves quarantined files to a hidden folder under C:\ProgramData\Microsoft\Windows Defender\Quarantine, where they are encrypted and stripped of their original extension. The registry or a local database tracks metadata about the quarantined file, including the original path, date, detection name, and threat severity.
In email security, quarantine works at the transport level. An email gateway or cloud email filter (like Microsoft Exchange Online Protection or Mimecast) receives an inbound message and analyzes its headers, attachments, links, and content. If the message matches a quarantine policy, for example, a high spam confidence level, a known malicious URL, or an attachment with a dangerous file type, the message is not delivered to the recipient’s inbox. Instead, it is stored in a quarantine database or folder. Administrators or end users can later review the message through a quarantine portal, release it, delete it, or report it as a false positive. Microsoft 365’s quarantine holds messages for up to 30 days by default and supports policies that allow users to self-release certain types of quarantined items.
Network quarantine is a different use case, often associated with Network Access Control (NAC) or 802.1X authentication. When a device connects to a corporate network and fails a health policy check, for example, it has missing security patches, an outdated antivirus definition, or unauthorized software, the network switch or wireless controller places the device into a restricted VLAN. This quarantine VLAN has limited access, typically only to remediation servers such as patch management, antivirus update servers, and a captive portal. Once the device meets compliance, it is moved to the normal production VLAN. Microsoft’s Network Policy Server (NPS) and Cisco ISE are common platforms that enforce this type of quarantine.
In incident response and forensics, quarantine can also refer to isolating an entire system from the network. When a host is suspected of being compromised, an incident responder may disconnect its network cable, disable its switch port, or block its IP at the firewall. This is a tactical quarantine to contain the breach while preserving volatile evidence like memory and running processes.
Quarantine is not a one-size-fits-all process. The duration, notification policies, user access, and automated actions are configurable. False positives are a perennial challenge; overly aggressive quarantine can block legitimate business traffic or prevent employees from receiving important emails. Therefore, effective quarantine implementations include robust reporting, alerting, and easy release mechanisms.
From a standards perspective, quarantine aligns with the NIST Cybersecurity Framework’s "Respond" function, specifically the "Mitigation" category. It is also a core component of the SANS Critical Security Controls, particularly Control 10: Data Recovery Capabilities and Control 13: Network Monitoring and Defense. In many compliance frameworks like HIPAA and PCI DSS, quarantine is an accepted method for protecting sensitive data from malware and unauthorized access.
Real-Life Example
Think about a hospital emergency room. A patient comes in with a fever, cough, and a history of recent international travel. The doctors do not immediately know if it is a common cold, the flu, or something more dangerous like COVID-19. Instead of sending the patient to the general waiting room where they could infect dozens of other people, the hospital puts the patient in an isolation room. That room has its own ventilation system, protective equipment for staff, and strict protocols for entering and exiting. The patient stays there until test results come back.
Now map that to IT quarantine. The patient is a suspicious email attachment or a downloaded file. The waiting room is your corporate network full of users, servers, and sensitive data. The isolation room is the quarantine folder or quarantine environment. The doctors are the security software and the IT team. The tests are malware scans, behavioral analysis, and threat intelligence lookups. If the test comes back negative, meaning the file is safe, the file is released (the patient goes home). If the test is positive, the file is deleted or sent for deeper analysis (the patient is treated or transferred to a specialized unit).
In daily life, we use quarantine instinctively. When you buy a new fish for your aquarium, you do not drop it directly into the main tank. You put it in a separate quarantine tank for a few weeks to make sure it does not bring disease to your existing fish. When you receive a mysterious USB drive in the mail, you do not plug it into your work laptop, you might plug it into an air-gapped old computer to inspect it. The concept is universal: separate the unknown from the trusted, examine thoroughly, then decide.
Why This Term Matters
Quarantine matters because it provides a critical safety net in IT environments. No security tool is perfect. Antivirus engines can miss zero-day threats. Email filters can incorrectly classify legitimate messages as spam. An employee might accidentally download a file that appears safe but contains hidden malware. Without quarantine, any of these events could immediately compromise a system or network. With quarantine, you have a second chance to catch mistakes and stop threats before they cause harm.
In practical IT operations, quarantine reduces the mean time to contain (MTTC) an incident. Instead of needing a human to manually identify and isolate every suspicious item, automated quarantine systems do it in milliseconds. This is especially important for organizations that receive thousands of emails and file downloads every day. Manual review of every item is impossible; quarantine automates the triage.
Quarantine also preserves evidence. If a security tool simply deleted a malicious file, you would lose the opportunity to analyze it. You would not know what kind of malware it was, what it was trying to do, or whether it had already communicated with a command-and-control server. Quarantine keeps the file intact so that incident responders and threat researchers can extract indicators of compromise (IoCs), update detection rules, and improve defenses.
Another reason quarantine matters is compliance. Regulations like GDPR, HIPAA, and PCI DSS require organizations to protect personal and financial data. Quarantine is a recognized control for preventing data loss caused by malware or phishing. Auditors will expect to see that your email system has quarantine policies, that quarantined items are reviewed, and that false positives are handled promptly.
Finally, quarantine empowers end users in some implementations. In Microsoft 365, for example, users can be given permission to view and release their own quarantined emails (if they are spam or bulk mail). This reduces the workload on help desks and gives users a sense of control, while still preventing obviously dangerous messages from reaching the inbox. A well-designed quarantine policy balances security with usability.
How It Appears in Exam Questions
In CompTIA A+ exams, quarantine questions are often part of a multi-step troubleshooting scenario. For example: "A user reports that their computer is running slowly and pop-up ads are appearing. What should the technician do first?" The distractor answers might include "Run a full antivirus scan," "Delete suspicious files," or "Update the antivirus definitions." The correct answer would be "Disconnect the computer from the network to quarantine it." The exam emphasizes that quarantine prevents the malware from spreading to other systems or exfiltrating data.
In CySA+, questions are more analytical. You might see a scenario like: "A security analyst receives an alert that a workstation is beaconing to a known malicious IP address every five minutes. The analyst has confirmed the host is infected. Which of the following is the most immediate containment action?" Options could include "Patch the host," "Run an antivirus scan," "Isolate the host by disabling its switch port," or "Delete the malicious files." The correct answer is to isolate the host. The exam also tests your understanding of network quarantine using NAC. A question might describe a user connecting a personal laptop to the corporate network and being placed in a restricted VLAN. You need to explain why that happens and how the user can remediate.
In MS-102, questions are configuration-oriented and policy-focused. For example: "An organization uses Microsoft 365 and wants to ensure that users can review and release their own spam messages but not malware messages. How should the administrator configure the quarantine policy?" The answer involves creating a quarantine policy in the Microsoft 365 Defender portal, setting the appropriate permissions (user access for spam, admin-only for malware), and applying it to the relevant mail flow rule or anti-spam policy. Another question type: "A user reports that a legitimate email from a client was quarantined. The administrator needs to allow similar messages in the future. What should the administrator do?" The correct steps are to release the message from quarantine, submit it as a false positive to Microsoft, and optionally create an allow entry or a mail flow rule.
Some questions test your knowledge of quarantine limits and retention. For instance: "How long are quarantined messages retained in Exchange Online Protection by default?" (30 days). Or "Which quarantined message types require admin-only release?" (Malware and high-confidence phishing). These are straightforward memory questions but they appear frequently.
Be prepared for questions that compare quarantine with other actions. A common trap is to confuse "block" with "quarantine." Blocking prevents delivery entirely (message never stored), while quarantine holds the message for review. Another trap is thinking that deleting a file is the same as quarantine; deletion destroys evidence, while quarantine preserves it. Exam writers know these distinctions and will test them.
Practise Quarantine Questions
Test your understanding with exam-style practice questions.
Example Scenario
A medium-sized company uses Microsoft 365 for email. One morning, the IT administrator receives an alert from the Microsoft 365 Defender portal saying that five emails have been quarantined for containing high-confidence phishing links. The administrator reviews the quarantined messages and sees that they appear to be internal emails from a manager’s account, but the links point to a suspicious external website that asks for login credentials.
Upon closer inspection, the administrator realizes the manager’s account was compromised the previous day. The attacker used the account to send phishing emails to other employees. The built-in Microsoft 365 anti-phishing policy detected the malicious links and automatically quarantined those emails before they reached the recipients’ inboxes. No employee clicked the links because the emails never arrived.
Now the administrator must take several actions. First, they reset the manager’s password, enable multi-factor authentication, and revoke any suspicious app permissions. Second, they delete the quarantined emails permanently to ensure no one can accidentally release them. Third, they submit the phishing URLs to Microsoft for threat intelligence analysis. Finally, they review the quarantine policy to make sure similar future threats will also be caught.
In this scenario, quarantine was the key control that prevented a potential credential theft attack. Without it, multiple employees might have clicked the phishing links and entered their passwords, leading to a widespread account compromise. The quarantine feature gave the IT team time to investigate and remediate the root cause without the incident escalating.
Common Mistakes
Thinking quarantine is the same as deletion.
Quarantine preserves the item for analysis; deletion destroys it. You lose the ability to investigate the threat if you delete immediately.
Remember: quarantine = isolate and preserve. Deletion = remove permanently. Use quarantine when you need to investigate first.
Releasing quarantined items without scanning them first.
If you release an item without verifying it is safe, you could reintroduce malware into the environment. Always analyze or at least scan before releasing.
Always view the quarantined item’s threat details and run a secondary scan or sandbox analysis before releasing. When in doubt, delete or escalate.
Assuming all quarantined items are malicious.
Quarantine catches suspicious items, but false positives are common. Legitimate emails or files can be flagged due to aggressive policies. Treating all quarantined items as threats can block business operations.
Regularly review quarantine reports. Train users to report false positives. Tune policies to reduce false positive rates over time.
Not configuring quarantine notifications or review processes.
If no one reviews quarantined items, legitimate items can be stuck indefinitely, causing delays. Also, malicious items may be forgotten and never properly deleted.
Set up automatic notifications for admin and users. Schedule regular quarantine reviews. Configure automatic deletion after the retention period ends.
Allowing all users to self-release quarantined items without restrictions.
Users may inadvertently release dangerous emails (like malware or phishing) if the policy is too permissive. This bypasses the security benefit of quarantine.
Use role-based quarantine policies. Allow users to release only low-risk items like spam or bulk mail. Require admin approval for malware and high-confidence phishing.
Exam Trap — Don't Get Fooled
{"trap":"Choosing \"Delete the infected file\" as the first step in malware removal instead of \"Quarantine the system.\"","why_learners_choose_it":"Learners think the fastest way to get rid of malware is to delete the files immediately. They forget that the malware may be active in memory or have spread to other files.
Deleting the file does not stop the running process or prevent reinfection.","how_to_avoid_it":"Always follow the standard malware removal process: identify, quarantine (disconnect from network), disable System Restore, then remove. Quarantine first to contain the threat.
Deleting is a later step. Remember the acronym: IDQRR (Identify, Disconnect, Quarantine, Remove, Recover)."
Step-by-Step Breakdown
Detection
The security tool (antivirus, email filter, NAC system) identifies a suspicious file, message, or device based on signatures, heuristics, machine learning, or policy violations. This triggers the quarantine process.
Notification
The tool either immediately moves the item to quarantine or alerts an administrator for approval. In automated systems, notification is sent to the admin panel and sometimes to the affected user, informing them that an item has been quarantined.
Isolation
The item is moved to a secured storage location. For files, this is a protected directory with restricted permissions. For emails, it is a quarantine database. For devices, it is a restricted VLAN. The item cannot be accessed normally or execute.
Preservation
The quarantined item is stored with metadata (original path, detection name, timestamp, threat level). The system preserves the item in its original form so that it can be analyzed later. Encryption or renaming may be applied to prevent accidental execution.
Review
An administrator or authorized user accesses the quarantine list through a management console or portal. They review details: threat name, file hash, sender, recipient, URL, etc. They decide the next action: release, delete, or submit for analysis.
Action
Based on review, the item is either released back to its original location (if safe), permanently deleted, or submitted to a threat analysis team. If released, the system should log the release and optionally notify the original user.
Policy Tuning
To reduce false positives and false negatives, administrators may adjust quarantine policies: changing sensitivity levels, adding allow/block lists, or updating threat intelligence feeds. This is a continuous improvement step.
Practical Mini-Lesson
Quarantine in Microsoft 365 is a particularly rich topic for administrators. Let’s walk through how to manage it in practice.
First, understand the types of quarantined items in Exchange Online Protection. There are five categories: malware, high-confidence phishing, phishing, spam, and bulk mail. Each has a default policy. Malware and high-confidence phishing are admin-only release by default. Spam and bulk mail can be user-accessible if the admin enables it. You can create custom quarantine policies to override these defaults.
To view quarantined messages, you go to the Microsoft 365 Defender portal, navigate to Email & collaboration > Review > Quarantine. Here you see a list with columns like subject, sender, recipient, quarantine reason, and expiration date. You can filter by type, date range, or policy name. Release a message by selecting it and clicking "Release message." You can also release multiple messages at once.
When releasing, you have the option to "Report messages to Microsoft for analysis." This is critical for false positives. If you release a message that is actually safe, reporting it helps Microsoft improve their filters. Conversely, if a malicious message was missed (false negative), you can submit it using the "Report a message" feature.
Now, configuration. To set up quarantine policies, go to the Microsoft 365 Defender portal under Policies > Email & collaboration > Anti-spam policies. You can edit the default policy or create a new one. Under the "Actions" section, you define what happens to messages based on their type. For example, for spam: you can choose "Quarantine message" or "Move to Junk Email folder." For malware, you can only choose "Quarantine message" (blocking is not an option for malware). Under "Quarantine policy," you select a policy that determines who can release the messages and what notifications they receive.
What can go wrong? The most common issue is over-quarantining. An aggressive anti-spam policy will quarantine legitimate emails from customers or partners. The fix is to add them to the "Allowed senders" list or "Allowed domains" list in the anti-spam policy. Another issue is under-quarantining: messages that are clearly spam or phishing land in inboxes. This means the policy threshold is too low. Increase the spam confidence level (SCL) threshold or enable advanced filtering.
Another real-world problem: users ignore quarantine notifications. In Microsoft 365, you can enable end-user spam notifications (daily digest) that list quarantined messages users can review. But if users do not check these digests, they may miss legitimate emails. The solution is to train users to check their quarantine regularly or to create a mail flow rule that sends a copy of certain quarantined messages to a shared mailbox for team review.
For devices, network quarantine via NAC is more complex. For example, using Microsoft Network Policy Server (NPS) and a health policy, you can quarantine computers that lack required updates. The device is placed in a restricted VLAN where it can only access update servers. The user sees a captive portal with instructions. Once the device meets compliance, NPS updates the RADIUS response and moves the device to the full-access VLAN. This requires integration with Active Directory, System Center Configuration Manager (SCCM), or Intune for health validation.
The key takeaway: quarantine is not a set-and-forget feature. It requires ongoing monitoring, tuning, and user education. A well-managed quarantine system dramatically reduces risk, but a poorly configured one causes user frustration and operational inefficiency.
Memory Tip
Think of the word "Q-P-D-R", Quarantine first, Preserve evidence, Decide later, Release carefully.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
220-1102CompTIA A+ Core 2 →CS0-003CompTIA CySA+ →MS-102MS-102 →220-1101CompTIA A+ Core 1 →SC-900SC-900 →CDLGoogle CDL →ITIL 4ITIL 4 →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
How long are items kept in quarantine before they are automatically deleted?
In Microsoft 365, the default retention period is 30 days for all quarantined message types. You can change this period for each policy. For endpoint antimalware, retention varies by product; Microsoft Defender typically keeps quarantined files for 90 days.
Can end users release their own quarantined items?
Yes, but only if the administrator configures a quarantine policy that allows user access. By default, only admin can release malware and high-confidence phishing. Users can be allowed to release spam and bulk mail.
What is the difference between a quarantine and a block?
A block prevents the item from ever entering the system (message is rejected, download is denied). A quarantine allows the item to be stored in a restricted area for later review. Blocking is permanent denial; quarantine is temporary isolation.
What should I do if a legitimate email was quarantined?
Release the message from the quarantine in your admin portal, then submit it as a false positive to the security vendor. Optionally, add the sender’s domain or email address to an allow list to prevent future false positives.
Does quarantine protect against ransomware?
Yes, if a ransomware file is detected before execution, it can be quarantined by endpoint protection. However, if the ransomware is already running, quarantine of the file alone may not stop it. You also need to quarantine (disconnect) the affected system from the network.
Can I quarantine a user account?
Yes, some IAM and security platforms allow you to quarantine a user account by disabling it, revoking sessions, and blocking logins until the account is investigated. This is often done after a suspected compromise.
Do I need to review quarantined items regularly?
Absolutely. Unreviewed quarantine can accumulate false positives that block legitimate operations, and actual threats may be forgotten and never deleted. Schedule weekly or daily reviews depending on volume.
Summary
Quarantine is a fundamental security control that isolates suspicious files, emails, or devices to prevent harm while preserving them for analysis. It sits between initial detection and final remediation, giving defenders time to investigate without risking further damage. The concept is simple, isolate first, ask questions later, but its implementation varies widely across email systems, endpoint protection, and network access control.
For IT professionals preparing for CompTIA A+, CySA+, or Microsoft MS-102 exams, understanding quarantine is essential. The A+ exam tests it as a step in malware removal. CySA+ examines it in incident response and automated containment. MS-102 dives deep into Microsoft 365 quarantine policies, including configuration, user permissions, and false positive handling. In all three, quarantine is often the correct answer when a scenario asks for the first action to contain a threat.
The key exam takeaway is this: quarantine is not the same as deletion, blocking, sandboxing, or remediation. It is a distinct step focused on containment and preservation. Remember to prioritize isolation, preserve evidence, and review before release. A well-tuned quarantine process balances security with usability, and knowing how to configure it correctly is a skill that will serve you in both exams and real-world IT work.