Endpoint Protection

  • 1.  Backup Type in Quarantine

    Posted Jan 30, 2013 11:38 PM

    When I check the Quarantine files, I found there is a Backup Type in the event log. In the SEPM risk detection setting, our first action is Clean and the second is Log only. We did not use the Quarantine option. May I know if it means the infected files were deleted from the original file path but backed up in the quarantine folder, even when the result is "Cleaned by deletion" or "Deleted"?

    When and under what circumstances will the infected files be backed up in the Quarantine?



  • 2.  RE: Backup Type in Quarantine

    Posted Jan 30, 2013 11:46 PM

    Managing the Quarantine

    Article: HOWTO55236 | Created: 2011-06-29 | Updated: 2011-12-17 | Article URL: http://www.symantec.com/docs/HOWTO55236

    How to Manage Quarantined files

    Article: TECH106443 | Created: 2008-01-03 | Updated: 2012-02-14 | Article URL: http://www.symantec.com/docs/TECH106443



  • 3.  RE: Backup Type in Quarantine

    Posted Jan 30, 2013 11:57 PM

    Symantec Endpoint Protection placed an item into Quarantine before a repair attempt.



  • 4.  RE: Backup Type in Quarantine

    Trusted Advisor
    Posted Jan 31, 2013 01:00 AM

    Hello,

    Quarantine is a special storage area that holds objects potentially infected with viruses.

    Potentially infected objects are objects that are suspected of being infected by viruses or modifications of them.

    Objects stored in Quarantine do not represent a threat to your computer. 

    By default, Symantec Endpoint Protection tries to clean a file that a virus infected. If Symantec Endpoint Protection cannot clean a file, it performs the following actions:

    • Moves the file to the Quarantine on the infected computer and denies any access to the file.

    • Logs the event.

    By default, Symantec Endpoint Protection moves any files that security risks infect into the Quarantine.

    If you set the action to log only, by default if users create or save infected files, Symantec Endpoint Protection deletes them.

    On Windows computers, you can also configure remediation actions for administrator scans, on-demand scans, and Auto-Protect scans of the file system.

    You can lock actions so that users cannot change the action on the client computers that use this policy.

    NOTE: For security risks, use the Delete action with caution. In some cases, deleting security risks causes applications to lose functionality. If you configure the client to delete the files that security risks affect, it cannot restore the files.

    To back up the files that security risks affect, use the Quarantine action instead.

    Check these Articles:

    Managing the Quarantine:

    http://www.symantec.com/docs/HOWTO55236

    Restoring a false positive file detection from the Symantec Endpoint Protection quarantine:

    http://www.symantec.com/docs/TECH150607

    Secondly,

    Cleaned by Deletion - Specifies the events where the action configured was Clean, but a file was deleted because that was the only way it can be cleaned. For example, this action is generally needed for Trojan horse programs.

    Check this Article:

    Explanation of Action field values in Symantec Endpoint Protection 12.1 and 11, and Symantec AntiVirus 10.1

    http://www.symantec.com/docs/TECH102052

    "Cleaning" only works when an otherwise good file is infected with malicious code; the malicious code is removed and the original file is restored (in most circumstances). If a threat is nothing but malicious code, there is nothing to clean, so instead it is deleted.

    Hope that helps!!



  • 5.  RE: Backup Type in Quarantine

    Posted Feb 06, 2013 10:53 AM
    Another use of Quarantine is for False Positive (FP) detections, which can sometimes occur with internal / custom applications, etc. If the First Action is Clean - and the file is cleaned (or clean by delete), the original file is stored in Quarantine as type Backup. If the detection is a FP, the original file can be restored - and optionally an Exclusion can be created to prevent future detections.