Endpoint Protection

  • 1.  How to retrieve a quarantined file

    Posted Mar 01, 2017 06:46 AM

    Hi all,

    I have a file that SEP has quarantined as it is malicious, but I need to retrieve it as it is required for testing by our analysts in a safe VM area. Does anyone know how I can retrieve this file from SEP? It keeps re-quarantining it when I select the file for a restore so I can zip it up and pass it on to them.

    Cheers

    PaulC




  • 2.  RE: How to retrieve a quarantined file

    Trusted Advisor
    Posted Mar 01, 2017 06:59 AM

    You might need to put in a temporary exception for the folder location where it unquarantines the file to. 

    Or 

    Disable SEP for a short time while you collect the file and submit to symantec. 



  • 3.  RE: How to retrieve a quarantined file

    Posted Mar 01, 2017 07:04 AM

    File Restoration from the client GUI:
    1. Open the Symantec Endpoint Protection interface.
    2. From the left-hand side menu, select View Quarantine.
    3. Highlight the item in Quarantine and choose Restore.
    4. Confirm the restore when prompted with 'Are you sure you want to restore the selected files?'; choose Yes.


    Restoring a false positive file detection from the Symantec Endpoint Protection quarantine

    https://support.symantec.com/en_US/article.TECH150607.html

    File Restoration using SEPQuarantineTool.exe (SEP 12.1 only):

    Symantec has an unsupported tool called SEPQuarantineTool. This tool is attached to this knowledgebase article. Download the attached ZIP file and extract it before use.

    Note: The password to the ZIP file is: symantec

    To view instructions for using the utility, open the Command Prompt, navigate to the directory of SEPQuarantineTool.exe using the command cd (e.g., cd Desktop), and run the tool with the /? switch. Example: SEPQuarantineTool.exe /?



  • 4.  RE: How to retrieve a quarantined file

    Trusted Advisor
    Posted Mar 01, 2017 07:08 AM

    Rafeeq's explanation is more detailed :) 



  • 5.  RE: How to retrieve a quarantined file

    Posted Mar 01, 2017 07:36 AM

    When you do the restore it should ask if you want to put in an exception for this file.



  • 6.  RE: How to retrieve a quarantined file

    Posted Mar 01, 2017 09:20 AM

    Hi all. So the file is definitely a security risk. But I need it as a sample for our own sec analyst. I want to unquarantine it, then zip it up in a password-protected file. I do not want to add any exceptions for it, and it is most definitely not a false positive. So my question, I suppose, should have been: where is this quarantined file stored, in what encrypted format is it, and can I recover it to give to our sec analyst to play with?

    cheers

    PaulC



  • 7.  RE: How to retrieve a quarantined file
    Best Answer

    Posted Mar 01, 2017 09:24 AM

    Create a folder on your desktop and give it an appropriate name to identify that it is bad. Set up a temporary exclusion in SEP for the folder and restore the file to this folder. Zip the file and encrypt it with a password. Remove the exception after all is complete.

    I do this locally so as not to affect other clients or make changes to a global policy.

    See here for options:

    Restoring a false positive file detection from the Symantec Endpoint Protection quarantine


    Symantec has a tool called qextract but it only worked for SEP 11.

    SEPQuarantineTool.exe works for 12.1 and is on the download page in the link above. 
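    The packaging step of the procedure above (hash the restored sample, put it in a password-protected archive, verify the archive, and leave no plaintext copy behind in the temporarily excluded folder), as an added PowerShell example that is not from this thread or from Symantec. It assumes the file has already been restored from quarantine into the excluded folder by the steps described in the posts, that 7-Zip is installed at the path in `$SevenZip` (an assumption; adjust for your host), and that the archive password has been agreed with the analyst out of band. The function names, parameters and example paths are hypothetical.

    ```powershell
    # Added example (not the thread's or Symantec's code): package a sample that has
    # already been restored from the SEP quarantine into a folder covered by a
    # temporary exclusion, for hand-off to an analyst as a password-protected archive.
    # Assumption: 7-Zip is installed at this path (change it for your host).
    $SevenZip = 'C:\Program Files\7-Zip\7z.exe'

    function Get-SampleRecord {
        param([Parameter(Mandatory)][string] $Path)
        # Record what is being handed over before it leaves the machine; the SHA-256
        # lets the analyst confirm the archive contents were not altered in transit.
        $item = Get-Item -LiteralPath $Path -ErrorAction Stop
        [pscustomobject]@{
            FileName  = $item.Name
            SizeBytes = $item.Length
            Sha256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
            Collected = (Get-Date).ToString('o')
            Host      = $env:COMPUTERNAME
        }
    }

    function New-SampleArchive {
        param(
            [Parameter(Mandatory)][string] $SamplePath,
            [Parameter(Mandatory)][string] $ArchivePath,
            [Parameter(Mandatory)][string] $Password,
            [switch] $RemoveOriginal
        )
        if (-not (Test-Path -LiteralPath $SevenZip)) {
            throw "7-Zip not found at $SevenZip"
        }
        if ($ArchivePath -notmatch '\.7z$') {
            # -mhe (encrypt file names as well as contents) is only available for the 7z format.
            throw 'Use a .7z archive so the file list can be encrypted too'
        }

        # Write a small JSON manifest next to the sample; it travels inside the archive.
        $record   = Get-SampleRecord -Path $SamplePath
        $manifest = [System.IO.Path]::ChangeExtension($ArchivePath, '.json')
        $record | ConvertTo-Json | Set-Content -LiteralPath $manifest -Encoding UTF8

        # a = add, -t7z = 7z format, -p = password, -mhe=on = encrypt headers (names),
        # -mx=0 = store without compression (the goal is containment, not size).
        & $SevenZip a -t7z "-p$Password" -mhe=on -mx=0 $ArchivePath $SamplePath $manifest | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "7z add failed with exit code $LASTEXITCODE" }

        # t = test: confirm the archive opens with the password and CRCs match before
        # anything is deleted or sent anywhere.
        & $SevenZip t "-p$Password" $ArchivePath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "7z test failed with exit code $LASTEXITCODE" }

        Remove-Item -LiteralPath $manifest -Force
        if ($RemoveOriginal) {
            # Once the exclusion is removed, as the thread advises, an unpacked sample
            # left in the folder would simply be quarantined again; clear it now.
            Remove-Item -LiteralPath $SamplePath -Force
        }
        return $record
    }

    # Example call with placeholder paths and a placeholder password:
    # New-SampleArchive -SamplePath 'C:\Users\paulc\Desktop\BAD-SAMPLE\sample.bin' `
    #                   -ArchivePath 'C:\Users\paulc\Desktop\sample.7z' `
    #                   -Password 'AGREED-WITH-ANALYST' -RemoveOriginal
    ```

    Two design notes: the archive is tested with the same password before the plaintext copy is removed, so a typo in the password cannot destroy the only copy; and because the password is passed on the command line here, it is visible in process listings on the host, so on a shared machine run `7z a -p` with no value and let 7-Zip prompt for it interactively instead. Removing the temporary SEP exclusion remains a manual step, exactly as the post says.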



  • 8.  RE: How to retrieve a quarantined file

    Posted Mar 01, 2017 09:32 AM

    You can restore it to any excluded folder on the machine. 




  • 9.  RE: How to retrieve a quarantined file

    Posted Mar 01, 2017 09:43 AM

    Thanks Brian and Rafeeq. I am with it now. I just needed to engage my brain really :)

    Cheers

    PaulC



  • 10.  RE: How to retrieve a quarantined file

    Posted Mar 01, 2017 09:47 AM

    You're welcome, Paul. Take care.

    -Brian