Quarantine in Windows Defender: view, configure and recover files

All the antiviruses on the market have a quarantine function, which stores the threats detected on our computer in an isolated and tightly controlled space instead of deleting them. Windows Defender, like any other antivirus, also has its own quarantine, which we are going to talk about today.

Windows Defender is the antivirus included by default in both Windows 10 and Windows 11. Over time, thanks to its good work, it has become an excellent alternative to commercial antiviruses. It has many functions and features, such as the ability to launch on-demand scans or, as we are going to explain, a quarantine where files are kept before they are deleted from the computer.

Quarantine in Windows Defender

When Windows Defender detects a virus on our computer, it automatically moves it to quarantine so that our system is protected. Once it is there, it is up to us to check what kind of malware it was and where it was hidden. If it turns out to be a false positive, the quarantine also lets us restore the file so that we can continue using it.

What is the Quarantine function in an antivirus

When we say that Windows Defender or any other antivirus puts an object in quarantine, it is similar to a person being quarantined after catching a virus, to prevent them from spreading it in case it is dangerous.

When we run a scan with the antivirus and it finds a file suspected of containing malicious elements, it offers us the possibility of putting it in quarantine. The file is then placed in a separate, identified list, so that it does not put the stability of the system at risk.

The reason is that antiviruses cannot be certain that every file that looks like a virus and acts like a virus really is a virus. That is why the antivirus does not automatically delete all potentially malicious files indiscriminately, but it can prevent a file from running on our system until we decide otherwise.

Thanks to this quarantine, our computer will be safe. In addition, we will have a deactivated backup copy of the “virus” in question, so that, if it is a false positive, we can recover the file. That would not be possible if it had been completely deleted.

View, delete and recover quarantined files

To see the threats neutralized by the antivirus, the first thing we must do is open the main Windows Defender window. To do this, we type Windows Security in the search box of the Start menu and select it.

Once in its interface, we move to the “Virus & threat protection” section. In the new window that appears, we can see a summary with the status of our antivirus, the protection history, the files analyzed, etc. If the antivirus has detected a potentially unwanted application or file, it will appear here. If we click on the Actions section we can choose between “Quarantine”, “Remove” or “Allow on device”.

Windows Defender: quarantine an item

Now, by clicking on the “Protection history” option, we can see in detail the results of the latest security scans carried out on our computer. Here there is a section called “Filters”; clicking on it displays a menu where we can choose to show only the “Items in quarantine”, which, as the name indicates, is where these threats are kept instead of being deleted.

Windows Defender: filter by quarantined items

If we click on one of these threats we will be able to see more information about it. If we click on the “Remove” button, the threat is removed from our computer completely. If it is a false positive, what we must do is choose the “Restore” option, which moves the file back to its original path so that we can continue using it.

Windows Defender: quarantined items

If we need more details about the threat in question, we can open its details, where we will see the severity, the original path of the threat, information about it and a link called “More information” that will take us to Microsoft's page about that threat.

If we’re not sure whether it’s a virus or a false positive, we can get a second opinion by uploading it to VirusTotal, so we know how many antivirus engines consider it dangerous and whether it’s a harmless app or really a threat.
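The Protection history steps above can also be carried out from an elevated PowerShell session. The following is an added example, not part of the original article: it uses the Defender cmdlets `Get-MpThreat` and `Get-MpThreatDetection` and the `MpCmdRun.exe -Restore` switches; the function names are hypothetical, and the path to `MpCmdRun.exe` assumes a default installation.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Function names are hypothetical.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'

function Get-DefenderDetectionSummary {
    # Index known threats by ThreatID so each detection can be given a name.
    $threats = @{}
    foreach ($t in Get-MpThreat) { $threats[$t.ThreatID] = $t }

    foreach ($d in Get-MpThreatDetection) {
        $t = $threats[$d.ThreatID]
        [pscustomobject]@{
            Detected     = $d.InitialDetectionTime
            ThreatName   = if ($t) { $t.ThreatName } else { '(unknown)' }
            SeverityID   = if ($t) { $t.SeverityID } else { $null }
            ActionWorked = $d.ActionSuccess
            Resources    = $d.Resources -join '; '   # original path(s) of the item
        }
    }
}

function Get-QuarantinedItem {
    # Text listing of everything currently held in quarantine.
    & $MpCmdRun -Restore -ListAll
}

function Restore-QuarantinedItem {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)] [string] $ThreatName)
    # Same effect as the "Restore" button: the file returns to its original path.
    if ($PSCmdlet.ShouldProcess($ThreatName, 'Restore from quarantine')) {
        & $MpCmdRun -Restore -Name $ThreatName
    }
}

# Newest detections first, then the current quarantine contents.
Get-DefenderDetectionSummary | Sort-Object Detected -Descending | Format-List
Get-QuarantinedItem
```

`Restore-QuarantinedItem` asks for confirmation before restoring, so it is only run once the item has been judged a false positive.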

Set up quarantine in Windows Defender

In Windows it is possible to configure the antivirus so that it automatically deletes the items that are in quarantine after a certain number of days.

Using the Group Policy Editor

If we are using Windows 10 in its Pro or Enterprise version, or Windows 11, we can use the Local Group Policy Editor to configure the deletion of threats in the Quarantine folder after a certain period.

The first step is to press the key combination “Windows + R” to open the Run dialog. Here we type gpedit.msc and click OK or press Enter. Once here we navigate to the path:

Computer Configuration / Administrative Templates / Windows Components / Microsoft Defender Antivirus / Quarantine

Configure removal of items from Quarantine folder

Here, in the right pane, we double-click Configure removal of items from Quarantine folder. In the new window we click on “Enabled”, and in the “Options” section we select the number of days that we want to keep the infected items in quarantine, after which Windows Defender will delete them. Finally, click on Apply and OK to save the changes.

At any time we can reverse the situation by going back to the previous steps and selecting “Not configured”.

Using the Registry Editor

It is also possible to change the Windows Defender quarantine settings by editing the Windows Registry.

To do this we open the Run dialog by pressing the Windows + R key combination. Here we type regedit and click OK or press Enter. Once in the Registry Editor we navigate to the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender

Once here, we right-click on the Windows Defender folder and select “New” and “Key”. We name it Quarantine and press Enter.

Create PurgeItemsAfterDelay as a DWORD (32-bit) value

Now we right-click on the Quarantine folder, select New and click DWORD (32-bit) Value. We name it PurgeItemsAfterDelay and press Enter. We double-click on it and in the Value data field we specify the number of days that the antivirus should keep the items in quarantine before deleting them. Click OK to save the changes.

PurgeItemsAfterDelay value data
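The registry steps above can be scripted for machines where clicking through regedit is not practical. This is an added example, not part of the original article: the function names, the 30-day sample value and the upper bound on the range check are assumptions of the example, and it assumes the Windows Defender policy key already exists, as in the steps above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Function names are hypothetical.
$QuarantineKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine'
$ValueName     = 'PurgeItemsAfterDelay'

function Get-QuarantinePurgeDelay {
    # Read the policy value back, next to what Defender itself reports.
    $item = Get-ItemProperty -Path $QuarantineKey -Name $ValueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyDays   = if ($item) { $item.$ValueName } else { $null }  # $null = not configured
        ReportedDays = (Get-MpPreference).QuarantinePurgeItemsAfterDelay
    }
}

function Set-QuarantinePurgeDelay {
    param(
        # Days to keep items before deletion. The upper bound of 3650 is an
        # assumption of this example, used only to catch typing mistakes.
        [Parameter(Mandatory)] [ValidateRange(1, 3650)] [int] $Days
    )
    # Create the Quarantine key if it does not exist yet ("New" > "Key").
    if (-not (Test-Path $QuarantineKey)) {
        New-Item -Path $QuarantineKey | Out-Null
    }
    # Create or overwrite the DWORD (32-bit) value with the number of days.
    New-ItemProperty -Path $QuarantineKey -Name $ValueName `
        -PropertyType DWord -Value $Days -Force | Out-Null
    Get-QuarantinePurgeDelay
}

function Clear-QuarantinePurgeDelay {
    # Remove the value again, leaving the setting unconfigured.
    Remove-ItemProperty -Path $QuarantineKey -Name $ValueName -ErrorAction SilentlyContinue
    Get-QuarantinePurgeDelay
}

# Sample value: keep quarantined items for 30 days, then show the result.
Set-QuarantinePurgeDelay -Days 30
```

Comparing `PolicyDays` with `ReportedDays` in the output confirms whether Defender is reporting the value that was written.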