
Symantec Central Quarantine API or CLI

Created: 17 Mar 2014 | 6 comments

Hi,

I'm just wondering if there's a CLI/API for the Central Quarantine. I'm faced with a task to automatically extract all the quarantined objects, as soon as they've landed in the quarantine, and transmit them to a remote server (smb share) and I can't find a way to communicate with the software, other than the GUI. 

Does anyone know of a binary capable of such a thing?


.Brian:

See this article on a few mentioned methods:

http://www.symantec.com/docs/TECH150607


SMLatCST:

I'm not aware of any way to communicate with the Central Quarantine server outside of the Quarantine Console I'm afraid (and even then there's little to no documentation on how that is achieved).

I'd suggest logging a case with Symantec to ask what options (if any) are available. There are certainly no KB articles on a CLI for the QServer (from my quick search).

Rafeeq:

Use the quarantine tool found in CD2.

Symantec has an unsupported tool called SEPQuarantineTool. This tool is attached to this knowledgebase article. Download the attached ZIP file and extract it before use.

Note: The password to the ZIP file is: symantec

To view instructions for using the utility, open the Command Prompt, navigate to the directory of SEPQuarantineTool.exe using the command cd (e.g., cd Desktop), and run the tool with the /? switch. Example: SEPQuarantineTool.exe /?

SMLatCST:

The documentation for both QExtract and SEPQuarantineTool say these are for the SEP Client, not for the QServer.

To be fair, you could probably fudge the behaviour you're after by junctioning the below directory on the QServer to the SMB share you want it to place the quarantined item in, or set up a script to periodically scan and robocopy /mir the below folder to your SMB share:

%Program Files%\Symantec\Quarantine\Server\Submissions

Just be aware that they won't really be in a format suited for further analysis, but will merely be a backup copy of the quarantined files (i.e. they cannot be run).

What's the end aim here?  Is a backup all you want?
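As an added example (not code from the thread or from Symantec), the scripted variant of the approach above: a PowerShell script, meant to be run from a scheduled task on the QServer, that mirrors the Submissions folder to an SMB share with robocopy and records a SHA-256 for each newly copied item. The share path, log and manifest locations are assumptions; note that the hash is of the Symantec quarantine container as stored on the server, not of the original detected binary.

```powershell
# Added example: mirror the QServer Submissions folder to an SMB share and
# keep a hash manifest of what was copied. Paths below are assumptions.
$Source      = Join-Path $env:ProgramFiles 'Symantec\Quarantine\Server\Submissions'
$Destination = '\\ANALYSIS-SERVER\quarantine-mirror'            # placeholder share
$LogFile     = Join-Path $env:ProgramData 'QuarantineMirror\robocopy.log'
$Manifest    = Join-Path $env:ProgramData 'QuarantineMirror\manifest.csv'

New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null

# /MIR mirrors the tree, so items purged from the QServer are also removed from
# the share; use /E instead if the share must retain items after the server purges them.
& robocopy.exe $Source $Destination /MIR /R:2 /W:5 /NP "/LOG+:$LogFile" | Out-Null
$rc = $LASTEXITCODE
# robocopy exit codes 0-7 are success (bit flags for copied/extra/mismatched files);
# 8 and above indicate failures.
if ($rc -ge 8) { throw "robocopy failed with exit code $rc (see $LogFile)" }

# Load the manifest of already-hashed files so each container is hashed once.
$known = @{}
if (Test-Path $Manifest) {
    Import-Csv $Manifest | ForEach-Object { $known[$_.Path] = $true }
}

# Hash every file on the share not yet in the manifest. The hash covers the
# quarantine container (still in Symantec's format, per the thread), not the
# detected binary inside it.
Get-ChildItem -Path $Destination -File -Recurse |
    Where-Object { -not $known.ContainsKey($_.FullName) } |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            LastWriteUtc  = $_.LastWriteTimeUtc.ToString('o')
        }
    } | Export-Csv -Path $Manifest -Append -NoTypeInformation
```

The manifest gives the "which file, when" record the original poster asks for later in the thread; the detection path and classification are not in the container filename and would still have to come from the Quarantine Console.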

Mick2009:

Hi martinbe,

I have to echo SMLatCST: what exactly are you trying to do/why do you want to extract and store all those files?

Thanks in advance,

Mick


martinbe:

Hi, thanks for all the answers, it shed some light upon this issue.

The end aim is to get an executable binary on the smb share ready for analysis. I could extract the files in %Program Files%\Symantec\Quarantine\Server\Submissions, and transmit them to a client with SEP Client installed, extract the compressed files with either QExtract or SEPQuarantineTool and then transmit the binaries to my smb share. This might be the best possible way of doing this?

Backup is not the purpose. I'm interested in obtaining the binary, plus info regarding where on the filesystem it was detected and the detection timestamp; a hash of the detected binary would be great (but I'm pretty certain that Symantec doesn't support it), and perhaps Symantec's malware classification (spyware/trojan/dropper/etc.).

The QServer contains all of this information (except the hash), so I assume that it's bundled with the compressed file before it's transmitted to the QServer. Is that a fair assumption?

I'm basically looking for Symantec QServer's counterpart to Microsoft's mpcmdrun.exe, if there is one.