Endpoint Protection

  • 1.  Quarantine Server - Useful or Useless?

    Posted Mar 04, 2015 03:42 PM

    I'm in the process of moving our SEPMs to Server 2012 and ran into the issue where I cannot install the Quarantine Server on the 64-bit OS. In doing more research, it says this is really only for large-scale operations, which we are not, but the application was installed by my predecessor and I have limited experience with it.

    I had a few thoughts and questions though:

    Currently CQ grabs the quarantined items from our clients' machines and stores them on a SEPM server... without that, would our clients just hold the infected files in their quarantine folder?

    Is there a way to remove them from the client and store them safely without CQ for remediation later?

    As I understood the CQ took those quarantined files and uploaded them to their server for the greater good. Not that I want to be a hot-bed of activity but, the clients don't have the ability to do this, do they?

    The documentation says that all the features have been rolled into the newer version of SEP 11.x+, we're currently on 12+ so besides removing the files from the client as stated above, what are the other benefits?

    Useful or useless for our particular environment?

    Thank you




  • 2.  RE: Quarantine Server - Useful or Useless?

    Posted Mar 04, 2015 03:48 PM

    As you mentioned, it's not supported on 64-bit. Last I heard it was going away/being phased out. It's useful for controlled submissions to Symantec. Not recommended for less than 10k clients.

    http://www.symantec.com/docs/TECH95663

    The clients can submit to Symantec if you allow them to. I believe the CQ could submit right to Security Response. Seems that can already be done with 12.1, so not sure what else the benefit would be.

    Enabling or disabling client submissions to Symantec Security Response



  • 3.  RE: Quarantine Server - Useful or Useless?

    Posted Mar 05, 2015 02:33 AM

    Hi BJHughey,

    Central Quarantine Server (CQS) was a great tool back in the days of SAV 8, about 15 years ago. Now the capability to quarantine files, rescan the quarantine for later possible repair, report the hash of suspicious files, etc. is built right into SEP 12.1. It actually performs these tasks much more efficiently than CQS, too.

    The great majority of threat files today are purely malicious, rather than old-school viruses that added their own malicious code to a good program. These purely malicious files will never be "repaired." Many admins select the "delete" action rather than quarantining them. It saves space on the machine, but means that you cannot restore from quarantine in the event of a false positive.

    Unless you still have legacy SAV clients, Scan Engine (which cannot quarantine) or similar in your environment, I don't recommend using CQS.

    Hope this helps!

    Mick




  • 4.  RE: Quarantine Server - Useful or Useless?

    Posted Mar 05, 2015 07:32 AM

    Mick, I agree with your comments that Central Quarantine Server is dead, but I still think we need a central place where an incident responder can work with the detected files, submitting them to Symantec Security Response, Virustotal.com, etc. When SEP finds something I always want a second opinion!

    Today it requires lots of manual work (and access to the client) so it is usually not done.