Restoring a false positive file detection from the Endpoint Protection quarantine

Article ID: 153758

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) identifies a file as malicious and quarantines it. The administrator determines that the detection is a False Positive and submits the file to Symantec Security Response for review. After review, Symantec issues new definitions that no longer make that detection. When the client receives the new definitions, SEP re-scans the quarantine.

Even though the Quarantine options are set to repair, the file remains in quarantine and is not restored to its original location.

Cause

Symantec Endpoint Protection can repair and restore a file from quarantine only if the file is actually infected and a repair is possible.

In the case of a False Positive (FP) there is nothing to repair, so the quarantine re-scan takes no action and the file remains in quarantine.

Resolution

Files can be restored from Quarantine manually via the product GUI or using the QExtract tool.

 

File Restoration from the SEP client GUI:

  1. Open the Symantec Endpoint Protection client interface.
  2. From the left-hand menu, select View Quarantine.
  3. Highlight the item in Quarantine and choose Restore.
  4. When prompted 'Are you sure you want to restore the selected files?', choose Yes.

 

File Restoration using QExtract :

Symantec provides an unsupported tool called QExtract, located in the Tools\NoSupport folder of the installation CD.

Carefully review the QuarantineExtract.html file that ships with the tool for usage instructions. This utility can be used to restore files from multiple systems.

The tool must be run from the "bin" directory (C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\<version>\Bin)

File Restoration using SEPM and manually excluding the file via an "Allow Application" exception:

  • WARNING: Symantec strongly recommends that you do not create an "Allow Application" exception until you are certain that the detected file is actually a False Positive. An exception of this kind excludes the file from all protection technologies, anywhere on the affected system(s).
  1. Open the Symantec Endpoint Protection Manager (SEPM).
  2. Select Monitors > Logs.
  3. Under Log type select Risk, specify the time range as needed, and then click the View Log button.
  4. Select the Risk that is the FP and then click on the Plus icon under Action and click on Allow Application
  5. Choose Add risk to Exceptions policy.
  6. Choose either Add items to an existing Exceptions policy or Add items to a new Exceptions policy and click the Save Changes button.
  7. Allow time for the policy to be deployed to the SEP Clients and for the SEP Clients to update the policy.
  8. Once the policy is applied, the SEP client automatically restores from Quarantine any file covered by the new Application Exception or Known Security Risk exception.
  9. Verify the restore actions were taken on the client in View Quarantine in the SEP Client interface.
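The warning above asks you to be certain the file is a False Positive before you exclude it from every protection technology. The following PowerShell function is an added example (not part of this article or of the SEP product) of the check a practitioner would run on the client before creating the "Allow Application" exception: it confirms that the file on disk has the same SHA-256 as the sample you submitted to Security Response, and it inspects the Authenticode signature so that a tampered or differently signed file is not quietly whitelisted. The parameter names, the expected hash, the publisher string and the file path are assumptions; record the hash at submission time so you have something to compare against.

```powershell
# Added example: pre-exception check for a suspected False Positive.
# Assumptions (not from the article):
#   - $ExpectedSha256 is the SHA-256 you recorded when the sample was
#     submitted to Symantec Security Response.
#   - $ExpectedPublisher (optional) is the certificate Subject you expect
#     to see on the file; unsigned files are only flagged, not rejected.
function Test-FalsePositiveCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $ExpectedPublisher
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # 1. Same bytes as the sample Security Response reviewed?
    $actual    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $hashMatch = ($actual -ieq $ExpectedSha256)

    # 2. Signature state: Valid or NotSigned is acceptable; HashMismatch,
    #    NotTrusted or similar means the file was altered or is not what
    #    it claims to be, so stop and investigate.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $status = $sig.Status.ToString()
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $sigOk  = $status -in @('Valid', 'NotSigned')

    # 3. Optional publisher pin.
    $publisherMatch = if ($ExpectedPublisher) { $signer -eq $ExpectedPublisher } else { $null }

    [pscustomobject]@{
        Path            = $Path
        Sha256          = $actual
        HashMatches     = $hashMatch
        SignatureStatus = $status
        Signer          = $signer
        PublisherMatch  = $publisherMatch
        # Only proceed with the "Allow Application" exception when all three
        # pieces of evidence agree with the False Positive conclusion.
        SafeToExclude   = ($hashMatch -and $sigOk -and ($publisherMatch -ne $false))
    }
}

# Usage (placeholders; replace with the real path, recorded hash and publisher):
Test-FalsePositiveCandidate -Path 'C:\Apps\tool.exe' `
    -ExpectedSha256 '0000000000000000000000000000000000000000000000000000000000000000' `
    -ExpectedPublisher 'CN=Example Corp, O=Example Corp, C=US'
```

If SafeToExclude is False, do not create the exception: a hash mismatch means the file on the client is not the one Security Response cleared, and a signature status other than Valid or NotSigned means the binary has been modified since it was signed. Run the check on each affected client, or on the copies exported with QExtract, because the exception applies to all of them.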

File Restoration using SEP and the automatic repair and restore files in Quarantine functionality:

  1. Update the Virus Definitions on the affected client(s) to a version in which the FP was corrected.
  2. Once the client receives the updated virus definitions from LiveUpdate or the SEPM, it should re-scan its quarantine automatically and restore the item from Quarantine.

    Please ensure that the option to "Automatically repair and restore files in Quarantine silently" is checked within the Virus and Spyware Protection policy under "Advanced Options, Quarantine".

Note: The automatic repair-and-restore behaviour only applies to files that were placed in Quarantine. For Security Risk detections the default Auto-Protect first action is already Quarantine risk, but for Malware or Virus detections the default first action is Clean risk. If the False Positive was detected as Malware or Virus, it may be necessary to change the Auto-Protect first action for Malware or Virus to Quarantine risk. The Auto-Protect actions are configured in the Virus and Spyware Protection policy, Auto-Protect section, under the Actions tab.