Endpoint Protection

Hi Everyone,

It's my fist post here. Thanks for your understanding.

We use SEPM 11.07 RU7 version. During last 6 months, i have i have alot of "virus" detections who is about .qsp files:

http://www.symantec.com/business/support/index?page=content&id=TECH173652

As this link talk about, my console config allow client to automatically submit those quarantined items to my quarantine server. After some searching, i read that it become useless to use a quarantine server when you have more than 5000 clients:

http://www.symantec.com/business/support/index?page=content&id=TECH104755

I have no problem to disable the submitting function to my quarantine sever. But really don't want to let my clients submit manually the quarantine fils to Symantec Security Response.

My question: Is there a way to configure the console to allow the clients to submit AUTOMATICALLY quarantined files to Symantec Security Response?

And wich port this solution will use to send and receive data?

Thanks in advance!

Have a look at the guide for it:

Attachment(s)

central_quarantine.pdf   274 KB 1 version

Under miscellenious option in the AV/AS policy you have that option

1. On the Antivirus and Antispyware Policy page, click Submissions.
2. Under Quarantined Items, check Allow client computers to manually submit quarantined items to Symantec Security Response.
3. If you are finished with the configuration for this policy, click OK.

its a web submission so basically 80/443 would work

Rafeeq, thanks for your anwser, but, it's excatly what i don't want to do. I plan to uninstall my quarantine server because it's useless over 5000 cilents, and i don't want to let clients to submit manually quarantined files directly to Symantec (outside my LAN). I want to configure the polices to allow clients to submit AUTOMATICALLY to Symantec.

If i uncheck both options ("Allow client computers to manually submit quarantined items to Symantec Security Response" AND "Allow client computers to autonatically submit quarantined items to Quarantine Server") will send automatically to Symantec?

You need to check "Allow client computers to manually submit quarantined items to Symantec Security Response"

and Uncheck " Allow client computers to autonatically submit quarantined items to Quarantine Server")

If you check "Allow client computers to manaually submit quarantined items to Symantec Security Response" than they will send automatically.

ok, and this way, all files who are put in quarantine on a clients will be automatically send to Symantec (ouside my LAN)?

Ok, thnaks guys.

And what do you think to not use a quarantine server even if i have more than 5000 clients?

That is correct

I would follow what Symantec says. See here:

Best Practices for using Quarantine Server in a Symantec Endpoint Protection environment

per the article:

It is not recommended that Quarantine Server be used in smaller SEP environments of less than 10,000 clients.

Note: When the maximum number of samples have been received by Quarantine Server, no new samples will be accepted until a Rapid Release definition set has been downloaded to remediate any given suspected sample. Because Quarantine Server cannot actually install Rapid Release definitions on SEP clients, the administrator will have to manually purge the list of samples to receive the latest suspected threats in their environment, This may have to be performed on a daily basis in large environments.

That requires a dedicated server with 24/7 internet connection. With all those clients submitting samples, the BW utilization at any point will be more within your network (10k clients sending updates) , thats why they say its only useful when you have a huge network and good BW.

Thanks, confirm that i will go without a Quarantine Server in my environnment!