Endpoint Protection

I have many 2008 servers which have been infected by various trojans starting over the last couple days.  How these spread I have no idea.  I've opened a case with Symantec and they want me to submit the files and tie them to the case but I can't.  Each time I attempt to restore them out of quarantine Symantec immediately puts them back in quarantine when I try to zip them up.  They've said you can submit them directly to Symantec in the quarantine page, but this is an anonymous submission and isn't tied to the case.  This is a very time sensitive issue, I need to know what kind of trojans these are so I can better understand the severity of our infection.  Does anyone know any way of how to isolate these files and zip them so I can get them to Symantec for analysis?  I have other teams that can analyze these as well, I just need to find a way to get at them.

See if this works

How to collect and submit to Symantec Security Response suspicious files found by the SymHelp utility

I ran that but it stated it needs an internet connection to examine the files before copying or moving them.  I have outside access blocked on that server for obvious reasons.  It gives you the option to save the report so you can view it and analyze the files on another computer with internet access, which I did, but when viewing the report on the other computer it didn't find any quarantined or infected files.

If you ran the threat analysis scan , it should've given you the option to save the files toa folder.

Ok, I figured out a way.  I temporarily disabled auto-protect (that was the service quarantining it), restored the infected file, zipped it immediately and copied it over to where I needed it, then re-scanned the restored file so it would return to quarantine.

It said because there was no internet connection I didn't have the option to manipulate the files, copy them, save them, etc.  Just save the overall report.