What is the retention period for quarantined files on the host?

Prepare for the CrowdStrike Certified Falcon Responder Exam. Utilize flashcards and multiple-choice questions, complete with hints and solutions, to ensure your success.

The retention period for quarantined files on a host is 30 days. This means that any files that have been identified as malicious or suspicious will remain in quarantine for a month. After this period, if the files have not been addressed—either restored or permanently deleted—they will typically be removed from quarantine automatically.

This retention policy plays a crucial role in ensuring that users have adequate time to analyze and make decisions regarding potentially harmful files while also maintaining system hygiene by preventing indefinite storage of such files. Keeping quarantined files for 30 days balances the need for review and analysis with the necessity of freeing up space on the host and minimizing risk exposure.

Retention periods can vary among different systems or organizations, but within the context of CrowdStrike's policies, 30 days is the established standard. Understanding this is vital for incident response processes, as it allows responders to manage quarantined items effectively and respond to security threats.
