![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 33%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)
Hello Russell,
The file suspected on the client device could be a subject of ban to prevent further propagation of an attack. This could have been preconfigured, hence the file is already blocked. This operation prevents it from being read, written, or executed on devices in your organization. Copy and move operation is essentially write action.
https://learn.microsoft.com/en-us/defender-endpoint/advanced-features