Endpoint Protection

  • 1.  Process Symantec SEP 11 Quarantine files

    Posted Mar 04, 2011 09:45 AM

    Hi,

    I have a requirement to extract all quarantined files from the quarantine folder of the central server. Due to internal restrictions we cannot submit these files to Symantec directly. We have about 1000 samples per month that we need to extract and submit to our SOC for internal classification. Is there a way to extract the VBN files and folders and restore the suspected malware sample?

    Thanks,

    Dean De Beer



  • 2.  RE: Process Symantec SEP 11 Quarantine files

    Posted Mar 04, 2011 10:45 AM

    Not sure if you can extract it.

    If you open the SEP interface and select Restore, are you able to extract those files?

    http://www.symantec.com/connect/forums/need-info-about-structure-symantec-quarantine-files-vbn



  • 3.  RE: Process Symantec SEP 11 Quarantine files

    Posted Mar 04, 2011 11:13 AM

    Hi,

    Thanks for the response. We need to be able to restore/extract the files from the central quarantine server to a different location. It's my understanding that Qextract only works on the endpoint, and in this case that would not be feasible.

    Thanks,



  • 4.  RE: Process Symantec SEP 11 Quarantine files

    Posted Mar 04, 2011 11:59 AM

    The VBN files related to quarantined detections are encrypted. The decryption is not publicly available, for security reasons.

    You could set the action for files that are detected to only log, which would allow you to manually locate the files, however this would be at the cost of security since these detections would only be logged. This does leave the possibility of an active risk being able to spread if the logs are not received quickly enough.



  • 5.  RE: Process Symantec SEP 11 Quarantine files

    Trusted Advisor
    Posted Mar 04, 2011 12:02 PM

    Hello,

    I agree with Kurt.

    However, check this:

    Can you restore Symantec Endpoint Protection (SEP) 11.x quarantined .vbn files with Qextract.exe?

    http://www.symantec.com/business/support/index?page=content&id=TECH103046&actp=search&viewlocale=en_US&searchid=1299258391439

     

    I would still say install Central Quarantine Server.

    The Quarantine Server receives virus and security risk submissions from Symantec Endpoint Protection clients and forwards these submissions to Symantec. The Quarantine Console lets you manage the Quarantine Server and these submissions. If you determine that your network requires a central location for all quarantined files, you can install the Central Quarantine.

    This will at least solve your one purpose: to get the .vbn files off the server and collect all of them in a central location.

    The Central Quarantine is composed of the Quarantine Server and the Quarantine Console. The Quarantine Console and the Quarantine Server can be installed on the same or different supported Windows computers.

    Here are the Symantec Knowledgebase articles for the same.

    1) System requirements for the Central Quarantine Server

    http://www.symantec.com/business/support/index?page=content&id=HOWTO26660&actp=search&viewlocale=en_US&searchid=1299257409927

    2) Installing and configuring the Central Quarantine

    http://www.symantec.com/business/support/index?page=content&id=TECH105496&actp=search&viewlocale=en_US&searchid=1299257409927

    3) Configuring Central Quarantine and quarantined files

    http://www.symantec.com/business/support/index?page=content&id=HOWTO26734&actp=search&viewlocale=en_US&searchid=1299257409927

    4) Central Quarantine and reviewing sample submission status.

    http://www.symantec.com/business/support/index?page=content&id=TECH96211&actp=search&viewlocale=en_US&searchid=1299257409927

    5) Setting up Symantec Endpoint Protection clients to forward infected files to a Central Quarantine Server.

    http://www.symantec.com/business/support/index?page=content&id=TECH104755&actp=search&viewlocale=en_US&searchid=1299257409927

    6) About using policies to manage items in the Quarantine

    http://www.symantec.com/business/support/index?page=content&id=HOWTO27188&actp=search&viewlocale=en_US&searchid=1299257409927



  • 6.  RE: Process Symantec SEP 11 Quarantine files

    Posted Mar 04, 2011 12:57 PM

    Thanks Kurt, Mithun,

    Central Quarantine Server is installed and is currently receiving about 1000 submissions a month. The issue with submitting them up to Symantec is that due to the nature of the org we cannot allow samples to leave the network.

    Is there no ability to use Qextract.exe on the Central Quarantine? 

    Thanks,

    Dean



  • 7.  RE: Process Symantec SEP 11 Quarantine files
    Best Answer

    Trusted Advisor
    Posted Mar 04, 2011 01:20 PM

    Hello,

    The Qextract tool which is compatible with Symantec Endpoint Protection 11.0 is basically a non-supported tool.

    This tool is useful for accessing, restoring and performing other such actions on quarantined files from the command line.
     

    Qextract for Symantec Endpoint Protection 11.0

    http://www.symantec.com/business/support/index?page=content&id=TECH95328&locale=en_US

     

    There is no ability to use Qextract.exe on the Central Quarantine specifically. I personally would say, try it and test it yourself.



  • 8.  RE: Process Symantec SEP 11 Quarantine files

    Posted Mar 04, 2011 01:38 PM

    Cheers,

    We'll give it a try and see what happens.

    Thanks for the quick responses.

    Dean