Endpoint Protection

  • 1.  Symantec Central Quarantine API or CLI

    Posted Mar 17, 2014 06:14 AM

    Hi,

    I'm just wondering if there's a CLI/API for the Central Quarantine. I'm faced with a task to automatically extract all the quarantined objects, as soon as they've landed in the quarantine, and transmit them to a remote server (smb share) and I can't find a way to communicate with the software, other than the GUI. 

    Does anyone know of a binary capable of such a thing?




  • 2.  RE: Symantec Central Quarantine API or CLI

    Posted Mar 17, 2014 06:22 AM

    See this article on a few mentioned methods:

    http://www.symantec.com/docs/TECH150607



  • 3.  RE: Symantec Central Quarantine API or CLI

    Posted Mar 17, 2014 06:52 AM

    I'm not aware of any way to communicate with the Central Quarantine server outside of the Quarantine Console I'm afraid (and even then there's little to no documentation on how that is achieved).

    I'd suggest logging a case with Symantec to ask what options (if any) are available. There are certainly no KB articles on a CLI for the QServer (from my quick search).



  • 4.  RE: Symantec Central Quarantine API or CLI

    Posted Mar 17, 2014 06:56 AM

    use the quarantine tool found in CD2

    Symantec has an unsupported tool called SEPQuarantineTool. This tool is attached to this knowledgebase article. Download the attached ZIP file and extract it before use.

    Note: The password to the ZIP file is: symantec

    To view instructions for using the utility, open the Command Prompt, navigate to the directory of SEPQuarantineTool.exe using the command cd (e.g., cd Desktop), and run the tool with the /? switch. Example: SEPQuarantineTool.exe /?



  • 5.  RE: Symantec Central Quarantine API or CLI

    Posted Mar 17, 2014 07:16 AM

    The documentation for both QExtract and SEPQuarantineTool say these are for the SEP Client, not for the QServer.

    To be fair, you could probably fudge the behaviour you're after by junctioning the below directory on the QServer to the SMB share you want it to place the quarantined items in, or set up a script to periodically scan and robocopy /mir the below folder to your SMB share:

    %Program Files%\Symantec\Quarantine\Server\Submissions

    Just be aware that they won't really be in a format suited for further analysis, but will merely be a backup copy of the quarantined files (i.e. they cannot be run).

    What's the end aim here?  Is a backup all you want?



  • 6.  RE: Symantec Central Quarantine API or CLI

    Posted Mar 18, 2014 08:14 AM

    Hi martinbe,

    I have to echo SMLatCST: what exactly are you trying to do/why do you want to extract and store all those files?

    Thanks in advance,

    Mick




  • 7.  RE: Symantec Central Quarantine API or CLI

    Posted Apr 11, 2014 06:53 AM

    Hi, thanks for all the answers, it shed some light upon this issue.

    The end aim is to get an executable binary on the smb share ready for analysis. I could extract the files in %Program Files%\Symantec\Quarantine\Server\Submissions, and transmit them to a client with SEP Client installed, extract the compressed files with either QExtract or SEPQuarantineTool and then transmit the binaries to my smb share. This might be the best possible way of doing this?

    Backup is not the purpose. I'm interested in obtaining the binary and info regarding: where on the filesystem it was detected, the detection timestamp, a hash of the detected binary would be great (but I'm pretty certain that Symantec doesn't support it) and perhaps Symantec's malware classification (spyware/trojan/dropper/etc.).

    The QServer contains all of this information (except the hash), so I assume that it's bundled with the compressed file before it's transmitted to the QServer. Is that a fair assumption?

    I'm basically looking for Symantec QServer's counterpart to Microsoft's mpcmdrun.exe, if there is one.
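The scheduled robocopy /mir approach from reply 5, combined with the hash and timestamp record the original poster asks for in reply 7, as an added PowerShell example that is not from the thread or from Symantec: the UNC share path, the manifest location and the log path are placeholders you would replace, and it assumes PowerShell 4 or later (for Get-FileHash) running as a scheduled task on the QServer.

```powershell
# Added example: mirror the Central Quarantine Submissions folder to an SMB share
# and append a SHA-256 manifest for every file that has not been seen before.
# Paths are placeholders (assumptions), not values from the product documentation.
$Source     = Join-Path $env:ProgramFiles 'Symantec\Quarantine\Server\Submissions'
$ShareRoot  = '\\analysis-share.example.local\quarantine'   # placeholder UNC path
$MirrorDir  = Join-Path $ShareRoot 'mirror'
$Manifest   = Join-Path $ShareRoot 'manifest.csv'           # kept outside the /MIR tree
$LogFile    = Join-Path $env:TEMP 'quarantine-mirror.log'

# /MIR makes the destination match the source, including deleting files removed
# from Submissions; use /E instead if you want the share to retain history.
$args = @("`"$Source`"", "`"$MirrorDir`"", '/MIR', '/R:2', '/W:5', '/NP', "/LOG+:`"$LogFile`"")
$rc = Start-Process -FilePath robocopy.exe -ArgumentList $args -Wait -PassThru -NoNewWindow
# robocopy exit codes 0-7 are informational (copied/extra/mismatched); 8+ means a failure.
if ($rc.ExitCode -ge 8) { throw "robocopy failed with exit code $($rc.ExitCode)" }

# Load relative paths already recorded so each file is hashed only once.
$known = @{}
if (Test-Path $Manifest) {
    Import-Csv -Path $Manifest | ForEach-Object { $known[$_.RelativePath] = $true }
}

# Hash new arrivals. Note (per reply 5) these are the stored quarantine copies,
# not runnable binaries, so the hash identifies the container, not the original file.
$new = Get-ChildItem -Path $MirrorDir -Recurse -File | ForEach-Object {
    $rel = $_.FullName.Substring($MirrorDir.Length).TrimStart('\')
    if (-not $known.ContainsKey($rel)) {
        [pscustomobject]@{
            RelativePath = $rel
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SizeBytes    = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')   # when the QServer wrote it
            RecordedUtc  = [DateTime]::UtcNow.ToString('o')    # when this run saw it
        }
    }
}
if ($new) { $new | Export-Csv -Path $Manifest -Append -NoTypeInformation }
```

The manifest supplies the hash and arrival timestamp the product does not record; the detection path and classification still have to come from the QServer console or a support-provided export.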