Applies to: Endpoint protection (Cortex XDR anti-malware)
What you're seeing
A programme on your computer won't open, has been closed mid-use, or shows a notification saying it has been blocked or quarantined. This may happen immediately after installing new software, or unexpectedly to software you've been using for a while.
You might see:
- A Cortex XDR popup notification saying a file or process was blocked
- The programme closes by itself, or simply does not run
- A file disappears from your Downloads or Applications folder
- A new incident appearing in your StrongKeep dashboard
Whether or not you were trying to run something when the alert appeared, don't panic: a block means the protection did its job, and the programme was stopped before it could do harm. The steps below help you work out whether the block was warranted and what (if anything) to do next.
Step 1: Confirm it was StrongKeep that blocked it
On your own device (any staff member):
Click the Cortex XDR shield icon in your menu bar (Mac) or system tray near the clock (Windows) and choose Open Console. The console shows:
- Protection status (it should say PROTECTED)
- A table of recent security events: the Time it happened, the Process (which programme was involved), the Module (which protection layer reacted), and the Mode (what action was taken, for example Terminate)
If the programme you're having trouble with appears in that table, StrongKeep's protection blocked it. If it is not listed there (whether the table is empty or only shows other programmes), the problem is probably something else: the programme may be crashing on its own, or being blocked by a different tool.
In the StrongKeep dashboard (your StrongKeep administrator):
Go to Protection > Anti-malware to see all incidents across your organisation's devices. Each incident has a plain-English title (for example, "Suspicious malware detected and blocked on John's MacBook Pro, involving Terminal and login processes"), a severity rating (High, Medium, or Low), and the affected device.
Click into the incident to see an Initial Assessment: an AI-generated explanation in plain English of what was detected, what action was taken, and what to check next. The File Artefacts and Timeline tabs show exactly which files and processes were involved.
If the file appears neither in the Cortex XDR console nor in the StrongKeep dashboard:
StrongKeep is not blocking it. Something else is preventing the tool from running, and an exception request will not help.
Step 2: Quick self-check
- Was this software installed recently? Freshly downloaded programmes are more likely to be flagged, especially if the download came from an unfamiliar site rather than the official vendor page.
- Did someone else install it, or did it appear without your action? If you didn't install it and don't recognise it, the block may well be correct. Proceed with caution.
- What does the incident say? The Initial Assessment on the incident page explains what triggered the alert. A High severity incident involving system processes deserves more caution than a Low severity flag on a file you just downloaded from a vendor you trust.
- Is this a critical business tool? If it's software your work depends on (a practice management system, a device driver, a clinical imaging tool), you can request a review and an exception. See below.
What you can do right now
If the software is legitimate and you need it for work:
- Ask your StrongKeep administrator to open the incident in the dashboard (Protection > Anti-malware, then click the incident).
- Click Create Support Ticket on the incident page. This sends the incident details straight to the StrongKeep team with the full context attached.
- Alternatively, email support@strongkeep.com with: the name and version of the software, where you downloaded it from (the website URL), what you use it for, and the incident ID from the dashboard if you have it.
The StrongKeep team will review the file. If it's confirmed safe, they add an allow-rule scoped to your organisation so the software can run, and restore any quarantined file to its original location. Before you ask, check that the download really came from the vendor's official site: an installer picked up from a third-party mirror or a link in an email is exactly the case where a block should stand. Legitimate software does occasionally get flagged, particularly less common or recently released programmes; this is called a false positive and is normal for behaviour-based protection.
If you don't recognise the blocked programme, or the incident is High severity:
Leave it alone and tell your StrongKeep administrator. If you suspect something is actively wrong (multiple alerts, files changing, unfamiliar activity), use the red Activate Help button under "Suspect an attack?" in the StrongKeep dashboard, or contact support immediately.
In all cases, do not try to disable or bypass the protection yourself. The agent is designed to resist removal and tampering, because disabling endpoint protection is one of the first things an attacker attempts. If you believe the block is an error, the right path is the support ticket, not a workaround.
What StrongKeep is doing and why
StrongKeep's endpoint protection (built on Palo Alto Networks Cortex XDR, the same technology used by large enterprises and governments) checks software in two main ways:
- Before a file runs, it is checked against Palo Alto Networks' global threat intelligence and an on-device analysis engine. Known-bad and suspicious files are blocked or quarantined before they execute.
- While programmes run, Behavioural Threat Protection watches for harmful patterns of behaviour (for example, a process trying to encrypt many files, or tamper with login mechanisms) and terminates the process if it crosses the line. This catches threats that have never been seen before and would slip past traditional antivirus.
The trade-off is that occasionally a legitimate programme behaves in a way that resembles those harmful patterns and gets stopped. These false positives can be resolved quickly with an allow-rule, and the file can be restored.
StrongKeep operates with a protective default: block first, verify second. This is intentional for the threat environment that clinics and SMEs face, where a single ransomware incident is far more disruptive than a short wait for an exception.
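To make that trade-off concrete, here is a toy behaviour rule of the kind described above. It is an added example written for this page, not Cortex XDR or StrongKeep code, and the thresholds, process IDs, file paths and executable hashes in it are invented. It watches file-write events, flags any process that rewrites many files with encrypted-looking (high-entropy) content inside a short window, and shows why a legitimate backup tool trips the same rule as ransomware until an allow-rule scoped to its executable is added.

```python
"""
Constructed model of a behaviour-based detection rule (not vendor code).
A process that rewrites FILES_PER_WINDOW distinct files with high-entropy
content within WINDOW_SECONDS is terminated, unless its executable hash is
on an allow list. Thresholds are hypothetical.
"""
import math
from collections import defaultdict

ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data is near 8
FILES_PER_WINDOW = 5      # distinct files rewritten before the rule fires
WINDOW_SECONDS = 10.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the sample (0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class BehaviourMonitor:
    """Per-process sliding window over high-entropy file rewrites."""

    def __init__(self, allow_rules=()):
        self.allow_rules = set(allow_rules)   # executable hashes exempt from the rule
        self.recent = defaultdict(list)       # pid -> [(timestamp, path), ...]
        self.verdicts = {}                    # pid -> action taken

    def observe(self, event):
        """event keys: pid, exe_hash, ts, path, data. Returns action or None."""
        pid = event["pid"]
        if event["exe_hash"] in self.allow_rules or pid in self.verdicts:
            return None
        if shannon_entropy(event["data"]) < ENTROPY_THRESHOLD:
            return None                       # plain text: not encryption-like
        window = [(t, p) for t, p in self.recent[pid]
                  if event["ts"] - t <= WINDOW_SECONDS]
        window.append((event["ts"], event["path"]))
        self.recent[pid] = window
        if len({p for _, p in window}) >= FILES_PER_WINDOW:
            self.verdicts[pid] = "Terminate"
            return "Terminate"
        return None


# Constructed payloads: one with entropy exactly 8 bits/byte, one plain text.
ENCRYPTED_LIKE = bytes(range(256)) * 4
PLAIN_TEXT = b"Appointment notes for Tuesday clinic, room 4. " * 10


def make_events(pid, exe_hash, start_ts, payload, n_files=6, gap=0.5):
    """Constructed file-write events: n_files distinct paths, gap seconds apart."""
    return [{"pid": pid, "exe_hash": exe_hash, "ts": start_ts + i * gap,
             "path": f"/Users/staff/Documents/file{i}.docx", "data": payload}
            for i in range(n_files)]


def run_scenario(allow_rules=()):
    """Feed three constructed processes through the rule; return {pid: action}."""
    events = (make_events(101, "sha256:unknown-dropper", 0.0, ENCRYPTED_LIKE)
              + make_events(202, "sha256:backup-tool-example", 20.0, ENCRYPTED_LIKE)
              + make_events(303, "sha256:word-processor", 40.0, PLAIN_TEXT))
    monitor = BehaviourMonitor(allow_rules)
    for ev in sorted(events, key=lambda e: e["ts"]):
        monitor.observe(ev)
    return dict(monitor.verdicts)


if __name__ == "__main__":
    # Without an allow-rule the backup tool (pid 202) is stopped alongside
    # the dropper: a false positive. With one, only the dropper is stopped.
    print("no allow-rule:", run_scenario())
    print("backup tool allowed:", run_scenario({"sha256:backup-tool-example"}))
```

The word processor (pid 303) never fires the rule because its writes are low-entropy, and the backup tool is indistinguishable from the dropper on behaviour alone; that is why the fix for a confirmed false positive is a scoped allow-rule on the reviewed executable, not a weaker rule.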
When to contact support
Contact support@strongkeep.com (or use Create Support Ticket on the incident page) if:
- A business-critical application has been blocked and you need it restored urgently
- You're seeing repeated blocks of the same programme across several devices, for example after a system update
- You're unsure whether a quarantined file was something you knowingly installed
- An incident is marked High severity and the Initial Assessment doesn't match anything you or your team did
If you suspect an active attack, use the Activate Help button in the dashboard sidebar.