Restoring a false positive file detection from the Symantec Endpoint Protection quarantine
Article: TECH150607 | Created: 2011-01-28 | Updated: 2011-01-28 | Article URL: http://www.symantec.com/docs/TECH150607
Symantec Endpoint Protection (SEP) identifies a file as malicious and quarantines it. The administrator determines that this is a false positive detection and submits the file to Symantec Security Response for review. After review, Symantec issues new definitions that no longer trigger that detection. On receipt of the new definitions, SEP performs a scan of the quarantine.
Even though the Quarantine options are set to repair, the file remains in quarantine and is not restored to its original location.
Symantec Endpoint Protection repairs and restores files from quarantine only if they are actually infected and a repair of the file is possible.
In the case of a false positive, there is nothing to repair, so the file remains in quarantine.
Files can be restored from Quarantine manually via the product GUI, or by using the QExtract tool for Symantec Endpoint Protection 11.0.
File Restoration from the client GUI:
1. Open the Symantec Endpoint Protection interface.
2. From the left-hand menu, select View Quarantine.
3. Highlight the item in Quarantine, and choose Restore.
4. When prompted 'Are you sure you want to restore the selected files?', choose Yes to confirm the restore.
File Restoration using QExtract:
Symantec provides an unsupported tool called QExtract, located in the Tools\NoSupport folder of the installation CD.
Carefully review the QuarantineExtract.html file that comes with the tool for instructions on how to use it.
This utility can be used to restore files from multiple systems.