Endpoint Protection

  • 1.  Remotely retrieving quarantined files from client

    Posted Feb 28, 2018 03:32 PM

    Just curious how other folks out there are managing retrieval of items from quarantine on client machines. I've read about QExtract and SEP Quarantine Tool, but I've never been able to effectively use those to pull a sample from a remote machine. Any suggestions on how to more effectively use those tools are appreciated.

    Currently, we still utilize Central Quarantine 3.6. It works most of the time, but I'm well aware that Symantec has stated for years that this product is no longer supported and will not be actively developed. This seems like a huge misstep in my opinion. For an enterprise security team, being able to retrieve samples to perform additional analysis is of utmost importance. Other solutions like Cylance facilitate analysis by making samples retrievable from the console, running strings against them, etc. From what I can see, Symantec is failing in this regard.



  • 2.  RE: Remotely retrieving quarantined files from client

    Posted Mar 01, 2018 11:46 AM

    Pretty much the two options you mentioned. I'm not aware of anything else.



  • 3.  RE: Remotely retrieving quarantined files from client

    Posted Mar 01, 2018 11:52 AM

    Brian, can you provide any specific guidance on how to successfully use one of these tools to pull a quarantined file from a remote computer?



  • 4.  RE: Remotely retrieving quarantined files from client

    Posted Mar 01, 2018 11:53 AM

    http://www.symantec.com/docs/TECH150607



  • 5.  RE: Remotely retrieving quarantined files from client

    Posted Mar 01, 2018 12:03 PM

    I've seen that article, but it doesn't really answer my question. SEP 14 only comes with QExtract in the "NoSupport" folder. The linked article states this is only for use with SEP 11. The only mention of connecting to remote machines in the "QuarantineExtract.html" documentation is the following:

    "You can quickly restore files from the Quarantine across your network. To run the tool on multiple client computers, you can use a login script, Symantec Network Access Control, or a third-party application. Typically, you use the /FILE and /RISK options for restoration across a network."

    Am I to interpret this to mean I have to copy this tool locally to each machine and execute it via a script or task?  That's a really terrible solution to this problem.



  • 6.  RE: Remotely retrieving quarantined files from client

    Posted Mar 13, 2018 01:01 PM

    Bump for other thoughts.



  • 7.  RE: Remotely retrieving quarantined files from client

    Posted Mar 13, 2018 01:08 PM

    You can use the SEP APIs to get the quarantined file:

    https://apidocs.symantec.com/home/saep#_quarantine_a_file_or_remove_quarantine_status

    2.9.1. /api/v1/command-queue/quarantine

    Sends a command from Symantec Endpoint Protection Manager to quarantine a file or remove quarantine status from Symantec Endpoint Protection endpoints.

    URL

    https://SEPM_IP:8446/sepm/api/v1/command-queue/quarantine
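
    The call described in the post above, as an added example that is not code from the thread or from Symantec/Broadcom. The `/command-queue/quarantine` path and the SEPM_IP:8446 placeholder come from the quoted API documentation; the `/identity/authenticate` token exchange, the `computer_ids` and `undo` query parameters, and the `/command-queue/{command_id}` status lookup are assumptions to check against the `/sepm/restapidocs.html` page of your own SEPM version. The request builders are pure functions so the script can be checked offline; only `send()` touches the network, and it pins the SEPM certificate instead of disabling TLS verification, because the bearer token and every command it authorizes travel over that channel.

```python
"""Queue a quarantine / undo-quarantine command through the SEPM REST API.

Added example, not code from the thread or from Symantec/Broadcom.
Endpoint paths follow the API documentation quoted in the post; parameter
names and the authenticate/status endpoints are assumptions to verify
against your SEPM's /sepm/restapidocs.html.
"""
import json
import os
import ssl
import urllib.parse
import urllib.request

# Placeholder host exactly as written in the quoted documentation.
SEPM_BASE = "https://SEPM_IP:8446/sepm/api/v1"


def auth_request(base, username, password, domain=""):
    """Build the POST that exchanges SEPM credentials for a bearer token (assumed endpoint)."""
    body = json.dumps({"username": username, "password": password, "domain": domain}).encode()
    return {"method": "POST", "url": f"{base}/identity/authenticate",
            "headers": {"Content-Type": "application/json"}, "body": body}


def quarantine_request(base, token, computer_ids, undo=False):
    """Build the POST to /command-queue/quarantine for one or more SEP clients.

    undo=False queues a quarantine command; undo=True queues removal of
    quarantine status, the two operations the quoted documentation describes.
    Parameter names computer_ids / undo are assumptions.
    """
    query = urllib.parse.urlencode(
        [("computer_ids", cid) for cid in computer_ids] + [("undo", str(undo).lower())]
    )
    return {"method": "POST", "url": f"{base}/command-queue/quarantine?{query}",
            "headers": {"Authorization": f"Bearer {token}"}, "body": None}


def status_request(base, token, command_id):
    """Build the GET that reads a queued command's status (assumed endpoint)."""
    return {"method": "GET", "url": f"{base}/command-queue/{command_id}",
            "headers": {"Authorization": f"Bearer {token}"}, "body": None}


def send(req, cafile):
    """Send one built request and decode the JSON reply.

    cafile must point at the SEPM server certificate (or its issuing CA);
    verification stays on so the token cannot be intercepted by a MITM.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    r = urllib.request.Request(req["url"], data=req["body"],
                               method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r, context=ctx, timeout=30) as resp:
        return json.load(resp)


def quarantine_on_clients(base, username, password, computer_ids, undo, cafile):
    """Authenticate, queue the command, and return (token, SEPM reply)."""
    token = send(auth_request(base, username, password), cafile)["token"]
    return token, send(quarantine_request(base, token, computer_ids, undo), cafile)


if __name__ == "__main__":
    # Credentials and target client IDs come from the environment; the
    # computer IDs are the SEPM-side identifiers of the clients, not hostnames.
    token, reply = quarantine_on_clients(
        os.environ.get("SEPM_BASE", SEPM_BASE),
        os.environ["SEPM_USER"], os.environ["SEPM_PASS"],
        os.environ["SEPM_COMPUTER_IDS"].split(","),
        undo=os.environ.get("SEPM_UNDO", "false") == "true",
        cafile=os.environ["SEPM_CAFILE"],
    )
    print(json.dumps(reply, indent=2))
    # The reply is expected to carry the command id SEPM assigned (assumption:
    # a commandID_computer field); poll status_request() with it to see when
    # each client has picked the command up.
```

    Note that this queues the command the quoted documentation describes (quarantine or un-quarantine on the endpoint); it is the command-queue interface, so check the status endpoint before assuming the client has acted on it.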



  • 8.  RE: Remotely retrieving quarantined files from client

    Broadcom Employee
    Posted Mar 14, 2018 11:12 AM

    I would suggest an Enhancement Request for this.