Restoring a false positive from the Symantec Antivirus quarantine

Article:TECH105602  |  Created: 2008-01-12  |  Updated: 2011-01-31  |  Article URL http://www.symantec.com/docs/TECH105602
Article Type
Technical Solution


Problem



Symantec AntiVirus falsely identifies a file as malicious, and is set to quarantine such files. After Symantec issues new, corrected definitions that no longer make that detection, the product runs a scan of the quarantine. Even though the Quarantine options are set to repair, the file remains in quarantine and is not restored to its original location.


Cause



Symantec AntiVirus repairs and restores files from quarantine only if they are actually infected and a repair is possible. In the case of a false positive there is nothing to repair, so the file remains in quarantine even after the corrected definitions are applied.


Solution



Files can be restored from Quarantine manually via the product GUI or the Symantec System Center. Make sure the corrected definitions have been applied to the client before restoring, otherwise the restored file will simply be detected and quarantined again.

File Restoration from the client GUI:

  1. Open the Symantec Antivirus interface.
  2. Expand View and choose Quarantine.
  3. Highlight the item in Quarantine, right-click it and choose Restore.


File Restoration from the Symantec System Center:

  1. Open the Symantec System Center and locate the parent server or client group that contains the SAV/SCS client where the false positive occurred.
  2. Right-click the Parent Server or Client Group and choose All Tasks, Symantec AntiVirus, Logs, Risk History.
  3. Locate the file to be restored, highlight it and choose Undo Action Taken.

File Restoration using QExtract:

Symantec also provides an unsupported tool called QExtract, located in the Tools\NoSupport folder of the installation CD, for cases where quarantined files need to be restored on multiple machines. Follow the instructions in the QurantineExtract.html file that ships with the tool.



Legacy ID



2008081209043748



