Endpoint Protection

  • 1.  SEP View Quarantine, Type=Backup

    Posted Sep 14, 2015 08:24 PM

    SEP 12.1.5 detected some infected files. When I go to View Quarantine, 2 files have a Type of "Quarantine", and 2 files have a Type of "Backup". What does "Backup" type mean? The Status of all files is "Infected" and a Risk is identified, so I'm not sure why some are Type=Quarantine as expected and others are marked "Backup". A web search only turns up a definition for the Backup type as:

    "Symantec Endpoint Protection placed an item into Quarantine before a repair attempt"

    That doesn't really provide a clear explanation. When I click a file with Type=Backup, the Submit button is disabled, which adds further to the mystery.

  • 2.  RE: SEP View Quarantine, Type=Backup

    Posted Sep 14, 2015 08:29 PM

    SEP makes a copy of the infected file(s) and holds them in quarantine. When newer definitions load later on, SEP will try to repair/clean anything in quarantine with the newer definitions and return it to where it was on the file system, if possible.

    See these links:

    http://www.symantec.com/docs/HOWTO80952

    http://www.symantec.com/docs/HOWTO80950

    http://www.symantec.com/docs/HOWTO80954

  • 3.  RE: SEP View Quarantine, Type=Backup

    Posted Sep 15, 2015 06:15 AM

    If you enable the Action "Repair", then SEP clients will back up the infected file by default before they try to repair it. The repair can fail, so it's better to have an (infected) backup than nothing. Otherwise, if the SEP client performs a "Quarantine" action, the type of the saved file is "Quarantine". After a "Clean" action, nothing will be quarantined or saved.

    You can enable or disable the backup feature in SEPM (shared policy):

    Policies > Virus and Spyware Protection > Choose policy > Auto-Protect > Actions > Back up files before attempting to repair them

    The identical setting is available for Administrator-Defined Scans as well. And you can switch the setting with the client GUI if it isn't locked via SEPM.