Best Practices for using Quarantine Server in a Symantec Endpoint Protection environment
|Article:TECH95663|||||Created: 2009-01-20|||||Updated: 2014-07-23|||||Article URL http://www.symantec.com/docs/TECH95663|
What is the expected functionality of a Central Quarantine Server in a Symantec Endpoint Protection (SEP) environment?
While Quarantine Server can function in a SEP environment, it is unable to install the downloaded Rapid Release packages directly to SEP clients.
Quarantine Server has full functionality in a Symantec AntiVirus (SAV) environment. In a SEP environment, while being able to communicate with SEP clients to receive suspected threat samples, Quarantine Server does NOT have the ability to install definitions on SEP clients like the Symantec Endpoint Protection Manager (SEPM) can.
The use of Quarantine Server in a SEP environment is limited to the following:
1. Receiving suspected threat samples from SEP clients
2. Submitting these samples to Security Response automatically
3. Downloading Rapid Release definitions, specific to the suspected threats that have been submitted, ONLY to Quarantine Server
Quarantine Server can be used for the continual automated submission of suspected threat samples in a very large environment. There is no notification email generated by Security Response back to the Quarantine Server when submissions are made in this manner. In an escalating threat situation it is recommended that any suspected threats be manually submitted to Security Response, which allows the submitter to maintain direct control of the process.
If an administrator would like to apply a Rapid Release definition that has been automatically downloaded to the Quarantine Server, for a specific threat to a client, they have to check the details of the sample submitted to obtain the Rapid Release number (Quarantine Server user interface) and then find the corresponding Rapid Release definition set in the Quarantine\Signatures directory of definitions.
It is not recommended that Quarantine Server be used in smaller SEP environments of less than 10,000 clients.
Note: When the maximum number of samples have been received by Quarantine Server, no new samples will be accepted until a Rapid Release definition set has been downloaded to remediate any given suspected sample. Because Quarantine Server cannot actually install Rapid Release definitions on SEP clients, the administrator will have to manually purge the list of samples to receive the latest suspected threats in their environment, This may have to be performed on a daily basis in large environments.
Article URL http://www.symantec.com/docs/TECH95663