
SEP 11 file quarantine (Help needed!)

Created: 01 May 2012 | 3 comments

I have been looking for but have not yet found a solution to a situation that I would like to deal with. There are a number of files which have been deemed potentially harmful to the computers in my environment. I would like to use SEP to quarantine them if it finds these particular files of my choosing. I have the file names and their hashes, but I don't know how to get the SEP console to quarantine these files for me. Is there a place in the console to upload the hashes to get SEP to be on the lookout for the files on my behalf? So I don't have to create a script to scan every filesystem in my environment.

Thanks!

Greg


Thomas K

You can block applications using the MD5 hash, but you cannot force SEP to quarantine files. Only files that appear to be threats (from AV signatures) will be quarantined.

How to block applications in SEP using MD5 -

https://www-secure.symantec.com/connect/forums/how...

If you have suspected files that SEP is not catching, please submit these to Security Response for analysis.

http://www.symantec.com/security_response/submitsa...

greg12

SEP 11 cannot do that, but SEP 12.1 is able to quarantine "learned applications" by means of an entry in the Exception policy.

mon_raralio

I suggest doing what Thomas K recommends. Setting a policy on the Application Control is almost like putting a file in quarantine, as it prevents it from being read or executed. And submitting a sample to Symantec would ensure that they will be treated (quarantined) in the future.

There is an option to manually put it in quarantine, but you have to do it manually on the PC.

Haven't thoroughly tested the 12.1 features to confirm the application learning and black/whitelisting part.

“Your most unhappy customers are your greatest source of learning.”