Endpoint Protection

  • 1.  Need help recovering a file from Quarantine for analysis purposes

    Posted Oct 21, 2018 02:22 PM

    A SEP 14.2 client has quarantined a file on my computer after a recent definition update and a full scan. Scans with previous definition updates had not flagged the file. I am now having issues with getting this file out of quarantine for analysis. I have restored the file from the SEP UI, but I am still not seeing the file in its original location. I understand that the default config of SEP is to delete files that have been in quarantine for more than 30 days, but this file has only been in quarantine for a few days. Can someone please give me some tips on getting this file from quarantine? Thank you.



  • 2.  RE: Need help recovering a file from Quarantine for analysis purposes

    Posted Oct 23, 2018 05:56 AM

    Hi Poko,

    Thanks for the post. One possible easy solution: check your SEPM logs to see what the SHA256 hash is of the file that was detected. Then check that on virustotal.com. Does it have a very poor reputation/many detections? If not, then perhaps submit the file to Symantec's False Positive portal for a second look. It is now possible to submit via public hash: no need to send in a .vbn file or original.

    Please do keep this thread up-to-date with your progress! 



  • 3.  RE: Need help recovering a file from Quarantine for analysis purposes

    Posted Oct 23, 2018 05:55 PM

    I managed to fix my issue. The file was being restored, but it was a hidden file. I had enabled the option to show hidden files or folders, but I also had to uncheck the option to hide important operating system files. Once I did that, I made an exception for its parent folder and zipped up the file in an encrypted .zip file. The file will be analyzed internally, but I will also check the file hash on VirusTotal. Thank you for your help!
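The two practical steps in this thread, reading the SHA-256 of the detected file so it can be looked up by hash (post 2) and finding a restored file that Explorer hides because it carries the hidden and system attributes (post 3), can be done from a script rather than by toggling Explorer settings. The following is an added example, not code from the original thread or from Symantec: it walks a folder with os.walk (which, unlike Explorer or `dir`, never skips hidden entries), reports the NTFS hidden/system bits on Windows (falling back to the dot-file convention elsewhere), and streams each file through SHA-256. The sample files it creates in a temporary directory are constructed for the demonstration; the file names and the `write_sample`/`inventory` helpers are this example's own.

```python
"""Inventory a folder of restored files, including hidden/system ones, with SHA-256.
Added example for this thread; not SEP/Symantec code."""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# NTFS attribute bits (values from the Win32 FILE_ATTRIBUTE_* constants).
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file in chunks so a large sample need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_hidden_or_system(path):
    """On Windows read the attribute bits; Explorer's 'hide protected operating
    system files' option hides entries with HIDDEN and SYSTEM both set.
    On other platforms fall back to the leading-dot convention."""
    path = Path(path)
    if sys.platform == "win32":
        attrs = path.stat().st_file_attributes
        return bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))
    return path.name.startswith(".")


def inventory(folder):
    """Return {relative path: (sha256 hex, hidden_or_system)} for every regular
    file under folder. os.walk lists hidden entries, so nothing is skipped."""
    base = Path(folder)
    result = {}
    for root, _dirs, files in os.walk(base):
        for name in files:
            full = Path(root) / name
            if full.is_file():
                rel = str(full.relative_to(base))
                result[rel] = (sha256_of_file(full), is_hidden_or_system(full))
    return result


def write_sample(folder):
    """Constructed sample: one plain file and one hidden file, both containing
    b'abc'. On Windows the hidden one also gets the HIDDEN|SYSTEM bits, which is
    the state the restored file in post 3 was in."""
    folder = Path(folder)
    plain = folder / "report.txt"
    hidden = folder / ".restored.bin"
    plain.write_bytes(b"abc")
    hidden.write_bytes(b"abc")
    if sys.platform == "win32":
        import ctypes
        ctypes.windll.kernel32.SetFileAttributesW(
            str(hidden), FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)
    return plain, hidden


def demo():
    """Build the constructed sample in a temp dir and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    for rel, (digest, hidden) in sorted(demo().items()):
        flag = "HIDDEN/SYSTEM" if hidden else "visible"
        print(f"{digest}  {flag:13}  {rel}")
```

Run it against the real folder by calling `inventory(r"C:\path\to\restored")`; the SHA-256 column is the value to compare with the hash recorded in the SEPM logs and to look up on VirusTotal before deciding whether to file a false-positive submission.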