Endpoint Protection

  • 1.  Where are quarantined files going?

    Posted Nov 30, 2010 11:18 AM

    I had all SEP RU5 clients configured for the default local quarantine path. I had been getting a number of "Unknown" Security Risks found, which were reported as "Quarantined". However, when I looked in the Quarantine folder, it was empty.  I have default policies to keep quarantined files for 30 days, etc.

    So, in order to get the files, I installed and configured the Quarantine Server, which seems to be working at this point.  However, I got more of the same "Unknown Security Risk found" items quarantined last night. They are not in the local folder and they are not on the quarantine server.

    I have all policies set to clean, then quarantine. TruScan is set to Quarantine. Quarantine is not set to restore or repair the file.

    How can I determine what's happening to these files and where they are going?

    Here's the email notification text:

    At least one security risk found:
    Risk name: (Unknown)
    File path: c:\windows\system32\winsrv.exe
    Event time: 2010-11-30 09:10:25 GMT
    Database insert time: 2010-11-30 09:12:40 GMT
    User: SYSTEM
    Action taken on risk: Quarantined



  • 2.  RE: Where are quarantined files going?

    Posted Nov 30, 2010 11:28 AM

    This article explains it all :)

    How to Manage Quarantined files.
    http://www.symantec.com/business/support/index?page=content&id=TECH106443&locale=en_US



  • 3.  RE: Where are quarantined files going?

    Posted Nov 30, 2010 12:00 PM
    When the current definitions can't clean the files, those will be quarantined; next time, when new defs arrive, the clients are cleaned and the files are put back where they were. That's why they disappear :)


  • 4.  RE: Where are quarantined files going?

    Posted Nov 30, 2010 02:12 PM

    Thanks for the link.  This explains why the items are not going to the Q-Server:  "Note: Only the quarantined items that are detected by antivirus and antispyware scans may be sent to a Central Quarantine Server. Quarantined items that are detected by proactive threat scans cannot be sent."

    But all other Quarantine policies are set to leave alone/do nothing. Cleanup is set to 30 days/50Mbs. So the quarantined files should not be deleted from quarantine, they should not be restored, either.

    I wonder if something similar is true for PTP scans: the files don't get quarantined, they are simply deleted. Problem is, I need these files.



  • 5.  RE: Where are quarantined files going?

    Posted Nov 30, 2010 02:19 PM

    What you describe is the default policy; however, I don't have this enabled. My policy for "When New Virus Definitions Arrive" is set to "Do Nothing". None of the Repair or Restore settings are selected, so it shouldn't be restoring anything. Also, in the Cleanup section, I've set everything to delete after 30 days/50 MB. These thresholds are not being reached.

    Even though I know that these files are not repairable, I searched for them and was unable to locate them, so I've verified they are not being restored.



  • 6.  RE: Where are quarantined files going?

    Posted Nov 30, 2010 02:34 PM

    Do you have Auto-Protect configured to "Delete newly created infected files if the action is 'Leave alone (log only)'" on the AntiVirus and AntiSpyware policy?

    This is configured under "File System Auto-Protect" under the AV/AS policy, then click the "Advanced Scanning and Monitoring" button.

    There is a known issue with having this enabled where we will see files were detected and quarantined in the logs, but there are not any related files in the quarantine nor found anywhere on the system. This is slated to be resolved in RU6MP2.




  • 7.  RE: Where are quarantined files going?

    Posted Nov 30, 2010 04:51 PM

    Ah. Yes, I do have that selected.  However, I do not have any other options set to "Leave Alone".

    So what is the expected behavior if I de-select this? Will newly created infected files be left alone or quarantined?



  • 8.  RE: Where are quarantined files going?

    Posted Nov 30, 2010 05:26 PM

    If you deselect this option they will go by the policy and quarantine the file, yes.

    Also based on information from our developers regarding this issue, it does not seem to impact 64-bit SEP clients, only 32-bit.
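
    The symptom described above (the risk log says "Quarantined" but nothing shows up in the quarantine folder) is easy to spot automatically. The following script is an added example, not code from the thread or from Symantec: it parses SEPM risk notifications in the layout quoted in the first post, counts the "Quarantined" actions, and compares that count with the number of .VBN files that appeared in the local quarantine folder since the earliest event. The sample notification text is constructed (only the winsrv.exe record is taken from the thread; the other paths are made up), and the default quarantine location used in the main block is an assumption for a SEP 11 client on a Windows XP/2003-era host; point it at your own path if it differs.

```python
import os
import re
import sys
from datetime import datetime, timezone, timedelta

# Constructed sample: three SEPM risk notifications. The first keeps the
# run-together "File path ... Event time ..." line exactly as it appeared in
# the original e-mail; the other two paths are made up for illustration.
SAMPLE_NOTIFICATIONS = r"""
At least one security risk found:
Risk name: (Unknown)
File path: c:\windows\system32\winsrv.exe Event time: 2010-11-30 09:10:25 GMT Database insert time: 2010-11-30 09:12:40 GMT
User: SYSTEM
Action taken on risk: Quarantined

At least one security risk found:
Risk name: (Unknown)
File path: c:\temp\sample-a.exe
Event time: 2010-11-30 09:11:02 GMT
Database insert time: 2010-11-30 09:12:41 GMT
User: SYSTEM
Action taken on risk: Quarantined

At least one security risk found:
Risk name: (Unknown)
File path: c:\temp\sample-b.exe
Event time: 2010-11-30 09:11:30 GMT
Database insert time: 2010-11-30 09:12:42 GMT
User: SYSTEM
Action taken on risk: Left alone
"""

FIELDS = ["Risk name", "File path", "Event time", "Database insert time",
          "User", "Action taken on risk"]
FIELD_RE = re.compile(r"(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")
RECORD_HEADER = "At least one security risk found:"


def parse_notifications(text):
    """Split notification text into one dict per risk record.

    Splitting on the field names rather than on newlines copes with the
    e-mail layout in which several fields share a single line.
    """
    records = []
    for chunk in text.split(RECORD_HEADER):
        parts = FIELD_RE.split(chunk)  # [prefix, field, value, field, value, ...]
        if len(parts) < 3:
            continue
        rec = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
        stamp = rec["Event time"].replace(" GMT", "")
        rec["event_time"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def count_vbn_since(quarantine_dir, since):
    """Count .VBN files in the quarantine folder modified at or after `since` (UTC)."""
    n = 0
    for name in os.listdir(quarantine_dir):
        if not name.lower().endswith(".vbn"):
            continue
        path = os.path.join(quarantine_dir, name)
        if datetime.fromtimestamp(os.path.getmtime(path), timezone.utc) >= since:
            n += 1
    return n


def reconcile(records, quarantine_dir, slack=timedelta(minutes=5)):
    """Compare 'Quarantined' log entries with .VBN files present on disk.

    `slack` widens the window backwards to tolerate clock skew between the
    client event time and the file system timestamp.
    """
    quarantined = [r for r in records if r["Action taken on risk"] == "Quarantined"]
    if not quarantined:
        return {"expected": 0, "found": 0, "missing": 0}
    since = min(r["event_time"] for r in quarantined) - slack
    found = count_vbn_since(quarantine_dir, since)
    return {"expected": len(quarantined), "found": found,
            "missing": max(0, len(quarantined) - found)}


if __name__ == "__main__":
    # Assumed default SEP 11 quarantine folder (override with the first argument).
    default_dir = os.path.join(os.environ.get("ALLUSERSPROFILE", r"C:\Documents and Settings\All Users"),
                               "Application Data", "Symantec", "Symantec Endpoint Protection", "Quarantine")
    qdir = sys.argv[1] if len(sys.argv) > 1 else default_dir
    summary = reconcile(parse_notifications(SAMPLE_NOTIFICATIONS), qdir)
    print(summary)
    if summary["missing"]:
        print("Log claims more quarantined items than the folder holds; "
              "check the Auto-Protect 'Delete newly created infected files' option.")
```

    Feed it the text of the real notifications (or the exported risk log) instead of the constructed sample; a non-zero `missing` count on a 32-bit RU5 client is exactly the mismatch post 6 describes.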



  • 9.  RE: Where are quarantined files going?

    Posted Nov 30, 2010 06:16 PM

    test post