Endpoint Protection

  • 1.  SEP Quarantine Query

    Posted Oct 19, 2020 04:39 PM
    Hi Everyone, is it possible for us to forward all items which are detected as infected and quarantined by the SEP agent to a different server where our security team can analyze those files? Is it possible to do so? If yes, then please share the steps.

    Thanks

    ------------------------------
    Symantec Enthusiast
    ------------------------------


  • 2.  RE: SEP Quarantine Query

    Posted Oct 20, 2020 02:43 AM
    You can do this with a SIEM or Syslog server. If you use ArcSight, for example, it can connect to the SEP database to get the logs, or if you use a Syslog server you can forward the logs to it as explained below:

    https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/Monitoring-Reporting-and-Enforcing-Compliance/viewing-logs-v7522439-d37e464/exporting-data-to-a-syslog-server-v8442743-d15e1107.html


  • 3.  RE: SEP Quarantine Query

    Posted Oct 21, 2020 01:10 AM
    With the Symantec EDR add-on you can pull the quarantined files from the agents' local quarantine remotely.

    Symantec used to have a central quarantine server, but it was EOL years ago.

    ------------------------------
    Syscom AS
    ------------------------------



  • 4.  RE: SEP Quarantine Query

    Posted May 15, 2021 01:09 PM

    Symantec finally released a central way to collect malicious files from quarantine in SEP 14.3 RU2!

    • Ability for administrators to retrieve quarantined files on remote SEP clients from the Symantec Endpoint Protection Manager console. These malicious files can be used for further investigation and sandboxing. To upload the quarantined file, check the Admin > Domains > Edit Domain Properties > General tab > Upload quarantined files from the clients option. This option automatically uploads all quarantined files from the clients. You can then select and retrieve individual files from the Risk log using the Download file that the client quarantined command. The management server no longer supports old versions of the Central Quarantine Server, so the Virus and Spyware Protection policy > Quarantine > Quarantined Items options were removed.

    https://techdocs.broadcom.com/us/en/symantec-security-software/endpoint-security-and-management/endpoint-protection/all/release-notes/Whats-new-for-Symantec-Endpoint-Protection-14_3-RU2.html



    ------------------------------
    Syscom AS
    ------------------------------