Restoring a false positive file detection from the Symantec Endpoint Protection quarantine

Article:TECH150607  |  Created: 2011-01-28  |  Updated: 2014-08-29  |  Article URL http://www.symantec.com/docs/TECH150607
Article Type
Technical Solution


Issue



Symantec Endpoint Protection (SEP) identifies a file as malicious and quarantines it. The administrator determines that this is a False Positive detection and submits the file to Symantec Security Response for review. After review, Symantec issues new definitions that no longer trigger that detection. When the new definitions arrive, SEP rescans the quarantine.

Even though the Quarantine options are set to repair, the file remains in quarantine and is not restored to its original location.


Cause



Symantec Endpoint Protection repairs and restores files from quarantine only if they are actually infected and the repair is possible.

In the case of a False Positive (FP), there is nothing to repair, so the file remains in quarantine.


Solution



Files can be restored from Quarantine manually via the product GUI, or by using the QExtract tool for Symantec Endpoint Protection 11.0.


File Restoration from the SEP client GUI (SEP 11 and 12.1):

  1. Open the Symantec Endpoint Protection interface.
  2. From the left-hand menu, select View Quarantine.
  3. Highlight the item in Quarantine and choose Restore.
  4. When prompted with "Are you sure you want to restore the selected files?", choose Yes.


File Restoration using QExtract (SEP 11 only):
Symantec has an unsupported tool called QExtract, located in the Tools\NoSupport folder of the installation CD.

Please carefully review the QuarantineExtract.html file that comes with the tool on how to use it.

This utility can be used to restore files from multiple systems.


File Restoration using SEPQuarantineTool.exe (SEP 12.1 only):

Symantec has an unsupported tool called SEPQuarantineTool. This tool is attached to this knowledgebase article. Download the attached ZIP file and extract it before use.

Note: The password to the ZIP file is: symantec

To view instructions for using the utility, open a Command Prompt, change to the directory containing SEPQuarantineTool.exe with the cd command (e.g., cd Desktop), and run the tool with the /? switch. Example: SEPQuarantineTool.exe /?


Attachments

SEPQuarantineTool.zip is meant for SEP 12.1 use only.
SEPQuarantineTool.zip (986 kBytes)




