This is referring to https://www.symantec.com/connect/forums/using-rest-api-getting-suspicious-files-endpoints-need-help
As per https://apidocs.symantec.com/home/saep#_send_a_suspicious_file_to_symantec_endpoint_protection_manager I was able to issue a "/api/v1/command-queue/files" command successfully which then returned the commandID.
Based on this ID I found the [BINARY_RESULTS_ID] in the [COMMAND] table with the given [COMMAND_ID] to run the "/api/v1/command-queue/file/{file_id}/content" successfully, too.
After saving the output to a file I was able to open the "archive" and saw two files:
- binary file
- metadata.xml
<?xml version="1.0" encoding="UTF-8"?>
<MetaFile>
<File Key="128" OriginalFileName="\\?\C:\Windows\System32\notepad.exe" OriginalFilePath="\\?\C:\Windows\System32" FileName="fa2258b2cc57610861ed1279079e2854cce6768178fe7b3e952a56a990403e66" FileSource="filesystem" FileXORed="true"/>
</MetaFile>
The only issue I'm facing now is that I'm unsure how to "convert" the binary file back to its original format (.exe).
I guess you would have to remove the XOR encryption.
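The following is an added example, not code from the original post or from Symantec's API documentation, showing one way to process the archive the `/content` endpoint returns: open it, read `metadata.xml`, undo the XOR when `FileXORed="true"`, and check the result. It rests on two assumptions the post does not confirm: that the `Key` attribute is the single-byte XOR value applied to the binary, and that `FileName` (64 hex characters in the post) is the SHA-256 of the original file. The hash comparison at the end is what makes the assumptions testable: if the recovered bytes hash to `FileName` and start with an `MZ` header, the key interpretation was right; if not, something else was applied. The archive layout built by `build_constructed_archive` is a constructed stand-in for testing, not real SEPM output.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

# Assumption (not confirmed by the post): the "Key" attribute in metadata.xml is the
# single-byte XOR key applied to the binary when FileXORed="true", and "FileName"
# is the SHA-256 hex digest of the original (un-XORed) file.


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; XOR is its own inverse."""
    if not 0 <= key <= 255:
        raise ValueError(f"single-byte XOR key out of range: {key}")
    return bytes(b ^ key for b in data)


def parse_metadata(xml_bytes: bytes) -> dict:
    """Return the attributes of the <File> element in metadata.xml as a dict."""
    root = ET.fromstring(xml_bytes)
    file_el = root.find("File")
    if file_el is None:
        raise ValueError("metadata.xml has no <File> element")
    return dict(file_el.attrib)


def recover_sample(archive_bytes: bytes) -> dict:
    """Open the archive, undo the XOR if flagged, and verify the result against metadata."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        meta = parse_metadata(zf.read("metadata.xml"))
        # every member other than metadata.xml is expected to be the (possibly XORed) binary
        binary_names = [n for n in zf.namelist() if n != "metadata.xml"]
        if len(binary_names) != 1:
            raise ValueError(f"expected exactly one binary member, found {binary_names}")
        blob = zf.read(binary_names[0])

    if meta.get("FileXORed", "false").lower() == "true":
        recovered = xor_bytes(blob, int(meta["Key"]))
    else:
        recovered = blob

    sha256 = hashlib.sha256(recovered).hexdigest()
    return {
        "original_name": meta.get("OriginalFileName"),
        "data": recovered,
        "sha256": sha256,
        # a match here confirms both the XOR-key and the FileName-is-SHA-256 assumptions
        "hash_matches_filename": sha256 == meta.get("FileName", "").lower(),
        # DOS "MZ" header is the cheapest sanity check that the bytes decode to a PE image
        "looks_like_pe": recovered[:2] == b"MZ",
    }


def build_constructed_archive(payload: bytes, key: int) -> bytes:
    """Build a test archive in the layout the post describes (constructed, not real SEPM output)."""
    sha = hashlib.sha256(payload).hexdigest()
    meta = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<MetaFile>\n'
        f'<File Key="{key}" OriginalFileName="\\\\?\\C:\\Windows\\System32\\notepad.exe" '
        f'OriginalFilePath="\\\\?\\C:\\Windows\\System32" FileName="{sha}" '
        'FileSource="filesystem" FileXORed="true"/>\n'
        '</MetaFile>\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(sha, xor_bytes(payload, key))  # binary member named by its hash (assumed)
        zf.writestr("metadata.xml", meta)
    return buf.getvalue()


if __name__ == "__main__":
    # constructed stand-in for a PE file: an MZ header plus filler bytes, not a real executable
    sample = b"MZ" + bytes(range(256)) * 4
    result = recover_sample(build_constructed_archive(sample, 128))
    print(result["original_name"], result["sha256"],
          result["hash_matches_filename"], result["looks_like_pe"])
    # keep the recovered sample under a non-executable name for analysis
    with open("recovered_sample.bin", "wb") as fh:
        fh.write(result["data"])
```

When run against a real archive from the `/content` endpoint, pass the raw response body to `recover_sample`; if `hash_matches_filename` comes back `False`, the `Key` attribute is not a plain single-byte XOR value and the recovered bytes should not be trusted as the original file.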