How do I remove malware with Defender for Cloud Apps?

Çağlar Arlı      -    91 Views

I'm new to the role, and my operational analyst left a few days before I started; I'm his manager, and now it's just me. I'm familiar with the tooling but have never had to operate it myself.

I've had an alert from Defender for Cloud Apps confirming malware has been detected; the EDR has worked and the malware has been blocked. It's not been quarantined or removed from the host (unsure why), and it keeps attempting to decrypt credentials.

So far I've:

  • Seen the defender alert, and confirmed positive detection
  • Isolated the user's host
  • Disabled unsigned applications from running
  • Disabled the retention policy via 365 compliance to prevent replication

Now I'm trying to actually remove the malware from the machine.

The documentation states: "Go to the top bar and select Stop and Quarantine File."

My instance, however, is missing the "Stop and Quarantine File" button. Under Incidents > Evidence and Response > Files, I'm also missing "Stop and Quarantine File".

I'm not majorly worried for now, as the Defender alert shows that, despite it being active, it's being successfully blocked every time it attempts to run. However, I can't seem to remove it.

Any ideas where I'm going wrong?
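One thing worth checking on the isolated host itself, as an added example that is not part of the original post: the local Microsoft Defender Antivirus state and its own record of the detection, read through the Defender PowerShell module. This script assumes the module is present (Windows 10/11 or Windows Server 2016 and later) and that it is run in an elevated session on the affected host; the `-Remediate` switch is a hypothetical parameter of this script, not a Defender option. It shows whether real-time protection is on and the engine is current, lists each detection event and whether the action succeeded, and separates threats Defender still marks active from ones already remediated, which is the local view behind a portal alert that keeps re-firing without a cleanup.

```powershell
# Added example (not from the original post): inspect the local Defender AV state on an
# isolated Windows host and list what it has detected, remediated, or still sees as active.
# Assumes: the Defender PowerShell module is present and the session is elevated.
# -Remediate is a hypothetical switch of this script; without it nothing is changed.
param(
    [switch]$Remediate
)

# Engine, signature and real-time protection state: a stale engine or disabled RTP is one
# reason a file gets blocked on execution but never cleaned up.
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtection    = $status.RealTimeProtectionEnabled
    AntivirusSignatureAge = $status.AntivirusSignatureAge   # age in days
    EngineVersion         = $status.AMEngineVersion
    LastFullScan          = $status.FullScanEndTime
} | Format-List

# Each detection event: which process triggered it, which resources were involved,
# and whether the configured action actually succeeded.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess, Resources |
    Format-Table -AutoSize -Wrap

# Threats Defender still considers active (IsActive) versus already remediated.
$threats = Get-MpThreat
$threats |
    Select-Object ThreatID, ThreatName, SeverityID, IsActive, DidThreatExecute |
    Format-Table -AutoSize

$active = $threats | Where-Object IsActive
if ($active -and $Remediate) {
    # Remove-MpThreat applies the configured remediation to every active threat;
    # a full scan afterwards confirms nothing is left behind.
    Remove-MpThreat
    Start-MpScan -ScanType FullScan
}
```

Run it read-only first to compare the host's own record with the portal alert; the ActionSuccess and IsActive columns tell you whether Defender AV on the endpoint thinks the file was ever remediated, which is the question the missing portal button leaves open.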