
Quarantined Risks

Created: 13 Nov 2013 | 10 comments

Hi,

I see many files in the "View Quarantine" section on the client computer SEP console.

What does it mean when a file is quarantined? Is the computer free from the virus in those files, or has SEP just put those files aside?

Are all those files still infected with virus?

Can we delete them ?

Thanks.


.Brian

It means the files are infected and they've been moved to an area where they can't do any damage. SEP will try to clean them with new signatures if it can; otherwise they will remain in quarantine. Yes, you can delete them if you want.

How to Manage Quarantined files.

Article:TECH106443  |  Created: 2008-01-03  |  Updated: 2012-02-14  |  Article URL http://www.symantec.com/docs/TECH106443


Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

James007

When the client software scans a suspicious file, it places the file in the local Quarantine folder on the infected computer. You can delete those files.

How to delete Quarantined items from the Symantec Endpoint Protection Manager.


Article:TECH106444 | Created: 2008-01-03 | Updated: 2009-01-14 | Article URL http://www.symantec.com/docs/TECH106444

How to Manage Quarantined files.


Article:TECH106443 | Created: 2008-01-03 | Updated: 2012-02-14 | Article URL http://www.symantec.com/docs/TECH106443

Quarantine: Clean-up Options

Symantec Endpoint Protection Manager - Antivirus and Antispyware - Policies explained


Article:TECH104430 | Created: 2008-01-20 | Updated: 2010-12-21 | Article URL http://www.symantec.com/docs/TECH104430


suren424

In the "Virus and Risks Activity Summary" on the SEPM, I see quarantined viruses as 613+ and all of them are from a single computer (all are from the Windows c:\windows\system32\Winxxx.tmp folder). Just wondering, is the system drive badly infected? Should we take that system out of the network and reinstall the OS?

Thanks

.Brian

You can delete from quarantine; however, with that type of infection it is always recommended to re-image if you can. It will ensure the system is then clean.


Mick2009

Flattening a system and rebuilding it is sometimes recommended. I recommend taking a close look at that machine, first. Run the SymSupport tool with Load Point Analysis on it.

Using Symantec Help (SymHelp) Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team
https://www-secure.symantec.com/connect/articles/using-symantec-help-symhelp-tool-how-do-we-collect-suspicious-files-and-submit-same-symante
Maybe there is an undetected threat which is constantly attempting to perform some action and creating those .tmp files. Does the Load Point report show any suspicious files that SEP is not catching? Get those submitted to Security Response! A threat may have already spread, undetected, from that computer... re-imaging it now would not help any other computers it has already infected, but getting new definitions against that threat would help all endpoints.

Hope this helps!

Mick

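As an added example that is not part of the thread and not a Symantec tool, the following PowerShell script does the first-look triage the advice above describes: it lists the .tmp files recently created under System32 on the affected client, records size, creation time, SHA-256 hash and Authenticode status for each, and groups them by hash so you can see whether the same content is being dropped over and over. The look-back window, the report path and the "run as administrator on the isolated client" setting are assumptions; hashes from the report are what you would hand to Security Response alongside the Load Point output.

```powershell
# Added example (not from the thread, not a Symantec tool): triage .tmp files
# under System32 on a suspected-infected client.
# Assumptions: run in an elevated PowerShell on the isolated client;
# $Days and $Report are illustrative values, adjust as needed.
param(
    [int]$Days = 7,
    [string]$Report = "$env:USERPROFILE\Desktop\system32-tmp-triage.csv"
)

$dir   = Join-Path $env:SystemRoot 'System32'
$since = (Get-Date).AddDays(-$Days)

# Collect recently created .tmp files; -Force includes hidden/system files.
$items = Get-ChildItem -Path $dir -Filter '*.tmp' -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    ForEach-Object {
        # A locked file still yields a row, marked 'unreadable', so nothing is silently skipped.
        $hash = try { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } catch { 'unreadable' }
        $sig  = try { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } catch { 'n/a' }
        [pscustomobject]@{
            Name      = $_.Name
            SizeBytes = $_.Length
            Created   = $_.CreationTime
            SHA256    = $hash
            Signature = $sig
        }
    }

# Newest first, for a quick look at what is still being written.
$items | Sort-Object Created -Descending | Format-Table -AutoSize

# Same hash appearing many times means one payload being re-dropped;
# many distinct hashes suggests polymorphic or constantly changing output.
$items | Group-Object SHA256 |
    Sort-Object Count -Descending |
    Select-Object Count, @{Name = 'SHA256'; Expression = { $_.Name }} |
    Format-Table -AutoSize

$items | Export-Csv -Path $Report -NoTypeInformation
"Wrote $($items.Count) entries to $Report"
```

Run it once before cleaning anything, keep the CSV with the SymHelp Load Point report, and re-run after remediation: a client that is actually clean should stop producing new rows.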

suren424

"Does the Load Point report show any suspicious files that SEP is not catching?"

Where do I find the Load Point report? Do I need to run the SymHelp tool to generate the report?

Thanks.

Mick2009

Hi suren424,

Yes, run SymHelp with the option to examine the load points for suspicious files. Details are in the article I mentioned.

With thanks and best regards,

Mick

Beppe

Dear Suren,

The issue is not in the quarantine folder; infected files are moved there as per the default policy. The main reason for that is to try to repair the file (if repairable) with new definitions, or restore it to its original location if it is a false positive.

As mentioned by Mick, you really need to focus on the source of those .tmp files; reinstalling the OS will just remove the issue, but you should try to understand more about it in order to take proper security actions for the rest of the clients.

Regards,

Giuseppe

suren424

Thanks guys.

I removed the computer from the network to understand the issue. I am going to run the SymHelp tool and work on that report.

"is to try to repair the file (if repairable) with new definitions or restore them to their original location if they are false positive"

Actually those files are temporary (.tmp) files in the System32 folder.

How do I repair the quarantined files? Will the next scan scan the quarantine folder too?

How do I restore a file to its original location if it has been quarantined?

Thanks again.

.Brian

Go into your AV policy on the SEPM and select the "Quarantine" tab.

You can set your configuration here on how you want to handle quarantined files.
