Restoring a false positive file detection from the Endpoint Protection quarantine
Last Updated July 01, 2019
Symantec Endpoint Protection (SEP) identifies a file as malicious and quarantines the file, however, the administrator determines that this is a False Positive detection and submits the file to Symantec Security Response for review. After review, Symantec issues new definitions that no longer make that detection. Upon receipt of the new definitions, SEP accomplishes a scan of the quarantine.
Even though the Quarantine options are set to repair, the file remains in quarantine and is not restored to its original location.
Symantec Endpoint Protection has the functionality to repair and restore files from quarantine only if they are infected, and that the repair of the file is actually possible.
In the case of a False Positive (FP), there is nothing to repair, so the file remains in quarantine.
Please note that enhancements were made to SEP in the 12.1 RU3 release, which allow for clients on 12.1 RU3 or newer to restore False Positives from Quarantine (see the section labeled "File Restoration using SEP (SEP 12.1 RU3 and later only)" in the Solution portion of this document).
Files can be restored from Quarantine manually via the product GUI or using the QExtract tool.
File Restoration from the SEP client GUI (SEP 11 and 12.1):
Open the Symantec Endpoint Protection interface.
From the left-hand side menu Select View Quarantine
Highlight the item in Quarantine, and choose Restore.
Confirm Restore when prompted to do so 'Are you sure you want to restore the selected files'?, choose Yes.
File Restoration using QExtract (SEP 11 only): Symantec has an unsupported tool called QExtract, located under Tools\NoSupport folder of the installation CD.
Please carefully review the QuarantineExtract.html file that comes with the tool on how to use it.
This utility can be used to restore files from multiple systems.
File Restoration using SEPQuarantineTool.exe (SEP 12.1 only):
Symantec has an unsupported tool called SEPQuarantineTool. This tool is attached to this knowledgebase article. Download the attached ZIP file and extract it before use.
Note: The password to the ZIP file is: symantec
To view instructions for using the utility, open the Command Prompt, navigate to the directory of SEPQuarantineTool.exe using the command cd (e.g., cd Desktop), and run the tool with the /? switch. Example: SEPQuarantineTool.exe /?
File Restoration using SEPM (SEP 12.1 RU3 and later only) and manually excluding the file via an "Allow Application" exception:
WARNING: Symantec strongly recommends to wait with the creation of an "Allow Application" exclusion until you are 100% sure that the detected file is actually a False Positive. By excluding the file in this manner, you are excluding the file from all protection technologies and anywhere on the affected system(s).
Open the Symantec Endpoint Protection Manager (SEPM).
Select Monitors > Logs.
Under Log type select Risk, specify the time range as needed, and then click the View Log button.
Select the Risk that is the FP and then click on the Plus icon under Action and click on Allow Application
Choose Add risk to Exceptions policy.
Choose either Add items to an existing Exceptions policy or Add items to a new Exceptions policy and click the Save Changes button.
Allow time for the policy to be deployed to the SEP Clients and for the SEP Clients to update the policy.
The SEP client will automatically restore the new Application Exception or Known Security Risk.
Verify the restore actions were taken on the client in View Quarantine in the SEP Client interface.
File Restoration using SEP (SEP 12.1 RU3 and later only) and the automatic repair and restore files in Quarantine functionality:
Update the Virus Definitions on the affected client(s) to a version in which the FP was corrected.
Once the client receives the updated virus definitions from LiveUpdate or the SEPM, it should re-scan its quarantine automatically and restore the item from Quarantine.
Please ensure that the option to "Automatically repair and restore files in Quarantine silently" is checked within the Virus and Spyware Protection policy under "Advanced Options, Quarantine".
Note: If the detection is not a Security Risk which default Auto-Protect first action is Quarantine risk. It may be necessary to change the Auto-Protect first action for Malware or Virus to Quarantine risk instead of Clean Risk which is default. The Auto-Protect actions are configurable in the Virus and Spyware Protection policy Auto-Protect section under the Actions tab.