How long are quarantined files kept on the host before deletion?

Quarantined files in the CrowdStrike Falcon platform are retained on the host for a duration of 30 days before they are automatically deleted. This duration strikes a balance, allowing security teams enough time to review and take necessary action on suspicious files, while also managing storage and ensuring that old data does not linger unnecessarily.

Retention for 30 days is beneficial for incident response and forensic analysis. It provides adequate time to investigate potentially malicious files without risking an overload of obsolete data. After this period, the files are deleted to free up system resources and ensure compliance with data management practices, thereby optimizing the performance and efficiency of the endpoint security system.