Manage Quarantined files with Endpoint Protection

Article ID: 151677

Products

Endpoint Protection

Issue/Introduction

How to manage quarantined items in the Quarantine Folder?


Cause

Items are in Quarantine.

Resolution

Managing quarantined files includes the following:
 

  • Specifying a local quarantine directory
  • Submitting quarantined items to Symantec
  • Configuring actions to take when new definitions arrive


About Quarantine settings:

You use the Virus and Spyware Protection policy to configure client Quarantine settings.

You manage Quarantine settings as an important part of your virus outbreak strategy.

Specifying a local Quarantine directory:

If you do not want to use the default quarantine directory (C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine) to store quarantined files on client computers, you can specify a different local directory. You can use path expansion by using the percent sign when you type the path. For example, you can type %COMMON_APPDATA%. Relative paths are not allowed.

The software supports the following expansion parameters:

%COMMON_APPDATA% - This path is typically C:\Documents and Settings\All Users\Application Data

%PROGRAM_FILES% - This path is typically C:\Program Files

%PROGRAM_FILES_COMMON% - This path is typically C:\Program Files\Common

%COMMON_PROGRAMS% - This path is typically C:\Documents and Settings\All Users\Start Menu\Programs

%COMMON_STARTUP% - This path is typically C:\Documents and Settings\All Users\Start Menu\Programs\Startup

%COMMON_DESKTOPDIRECTORY% - This path is typically C:\Documents and Settings\All Users\Desktop

%COMMON_DOCUMENT% - This path is typically C:\Documents and Settings\All Users\Documents

%SYSTEM% - This path is typically C:\Windows\System32

%WINDOWS% - This path is typically C:\Windows

To specify a local quarantine directory:
 

  1. On the Policies tab, click the Virus and Spyware Protection Policy, right-click the policy, and then click Edit. In the policy, under Advanced Options, click Quarantine.
  2. On the General tab, under Local Quarantine Options, click Specify Quarantine Directory.
  3. In the text box, type the name of a local directory on the client computers. You can use path expansion by using the percent sign when typing in the path. For example, you can type %COMMON_APPDATA%, but relative paths are not allowed.
  4. If you are finished with the configuration for this policy, click OK.

Configuring automatic clean-up options:

When the client software scans a suspicious file, it places the file in the local Quarantine folder on the infected computer. The Quarantine clean-up feature automatically deletes files in the Quarantine when they exceed a specified age, or when the directory where they are stored reaches a certain size.

You can configure these options using the Virus and Spyware Protection Policy. You can individually configure the number of days to keep repaired, backup, and quarantined files. You can also set the maximum directory size that is allowed before files are automatically removed from the client computer.

You can use one of the settings, or you can use both together. If you set both types of limits, then all files older than the time you have set are purged first. If the size of the directory still exceeds the size limit that you set, then the oldest files are deleted one by one. The files are deleted until the directory size falls below the limit. By default, these options are not enabled.
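The purge order described above, as an added example (not Symantec's code): a Python simulation that takes an inventory of quarantine items and returns which ones would be deleted under an age limit, a size limit, or both. The names QItem and plan_cleanup are hypothetical, the inventory is constructed, and the code assumes binary megabytes, age measured from the time of quarantine, and deletion only while the directory is strictly larger than the limit.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MB = 1024 * 1024  # assumption: the policy's "megabytes" are binary MB

@dataclass(frozen=True)
class QItem:  # hypothetical record for one file in the Quarantine directory
    name: str
    quarantined_at: datetime
    size_bytes: int

def plan_cleanup(items, now, max_age_days=None, max_dir_mb=None):
    """Return (deleted, kept) following the order the article describes.

    Both limits default to None because the options are off by default.
    """
    kept = sorted(items, key=lambda i: i.quarantined_at)  # oldest first
    deleted = []

    # Step 1: with an age limit set, every item older than it is purged first.
    if max_age_days is not None:
        cutoff = now - timedelta(days=max_age_days)
        deleted += [i for i in kept if i.quarantined_at < cutoff]
        kept = [i for i in kept if i.quarantined_at >= cutoff]

    # Step 2: if the directory still exceeds the size limit, the oldest
    # remaining items go one by one until it no longer does
    # (assumption: "exceeds" means strictly greater than the limit).
    if max_dir_mb is not None:
        total = sum(i.size_bytes for i in kept)
        while kept and total > max_dir_mb * MB:
            victim = kept.pop(0)
            total -= victim.size_bytes
            deleted.append(victim)
    return deleted, kept

# Constructed sample inventory (file names and sizes are made up).
NOW = datetime(2024, 6, 30, 12, 0)
SAMPLE = [
    QItem("sample1.doc", NOW - timedelta(days=45), 2 * MB),
    QItem("sample2.exe", NOW - timedelta(days=20), 30 * MB),
    QItem("sample3.dll", NOW - timedelta(days=10), 15 * MB),
    QItem("sample4.xls", NOW - timedelta(days=3), 10 * MB),
    QItem("sample5.js", NOW - timedelta(days=1), 1 * MB),
]

if __name__ == "__main__":
    gone, left = plan_cleanup(SAMPLE, NOW, max_age_days=30, max_dir_mb=50)
    print("deleted:", [i.name for i in gone], "kept:", [i.name for i in left])
```

With a 30-day age limit and a 50 MB size limit, the 20-day-old item is removed even though it is inside the age window, because the directory is still over the size limit after the age purge. Size the limit with that in mind if quarantined files must be retained for analysis.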

To configure automatic clean-up options:

  1. On the Policies tab, click the Virus and Spyware Protection Policy, right-click the policy, and then click Edit. In the policy, under Advanced Options, click Quarantine.
  2. On the Cleanup tab, under Repaired files, check or uncheck Enable automatic deleting of repaired files.
  3. In the Delete after box, type a value or click an arrow to select the time interval in days.
  4. Check Delete oldest files to fit directory size limit, and then type in the maximum directory size, in megabytes. The default setting is 50 MB.
  5. Under Backup files, check or uncheck Enable automatic delete of backup files.
  6. In the Delete after box, type or click an arrow to select the time interval in days.
  7. Check Delete oldest files to fit directory size limit, and then type the maximum directory size, in megabytes. The default is 50 MB.
  8. Under Quarantined Files, check or uncheck Enable automatic deleting of quarantined files that could not be repaired.
  9. In the Delete after box, type a value or click an arrow to select the time interval in days.
  10. Check Delete oldest files to fit directory size limit, and then type in the maximum directory size, in megabytes. The default is 50 MB.
  11. If you are finished with the configuration for this policy, click OK.

Submitting quarantined items to a central Quarantine Server:

**Note: As of 14.3 RU2, you can no longer use the Central Quarantine Server. Instead, the client submits quarantined files to the SEPM.**

You can enable items in Quarantine to be forwarded from the local Quarantine to a Central Quarantine Server. You should configure the client to forward items if you use a Central Quarantine Server in your security network. The Central Quarantine Server can forward the information to Symantec Security Response. Information that clients submit helps Symantec determine if a detected threat is real.

Note: Only the quarantined items that are detected by antivirus and antispyware scans may be sent to a Central Quarantine Server. Quarantined items that are detected by proactive threat scans cannot be sent.

To enable submission of quarantined items to a Quarantine Server:
 

  1. On the Antivirus and Antispyware Policy page, click Submissions.
  2. Under Quarantined Items, check Allow client computers to automatically submit quarantined items to a Quarantine Server.
  3. Type the name of the Quarantine Server.
  4. Type the port number to use, and then select the number of seconds to retry connecting.
  5. If you are finished configuring settings for this policy, click OK.


Submitting quarantined items to Symantec:

You can enable the client software to allow users to submit infected or suspicious files and related side effects to Symantec Security Response for further analysis. When users submit information, Symantec can refine its detection and repair. Files that are submitted to Symantec Security Response become the property of Symantec Corporation. In some cases, files may be shared with the antivirus community. If Symantec shares files, Symantec uses industry-standard encryption and may make data anonymous to help protect the integrity of the content and your privacy. In some cases, Symantec might reject a file. For example, Symantec might reject a file because the file does not seem to be infected. You can enable the resubmission of files if you want users to be able to resubmit selected files. Users can resubmit files once per day.

To enable submission of quarantined items to Symantec:
 

  1. On the Antivirus and Antispyware Policy page, click Submissions.
  2. Under Quarantined Items, check Allow client computers to manually submit quarantined items to Symantec Security Response.
  3. If you are finished with the configuration for this policy, click OK.


Configuring actions to take when new definitions arrive:

You can configure the actions that you want to take when new definitions arrive on client computers. By default, the client rescans items in the Quarantine and automatically repairs and restores items silently. Typically, you should always use this setting.

To configure actions for new definitions:
 

  1. On the Policies tab, click the Virus and Spyware Protection Policy, right-click the policy, and then click Edit. In the policy, under Advanced Options, click Quarantine.
  2. On the General tab, under When new virus definitions arrive, click one of the following options:
      • Automatically repair and restore files in Quarantine silently
      • Repair files in Quarantine silently without restoring
      • Prompt user
      • Do nothing
  3. If you are finished with the configuration for this policy, click OK.

Note: This functionality is limited to only detections that have been whitelisted via definitions. Exceptions or Reputation do not provide this functionality.

