Managing the quarantine for Windows clients

You manage quarantine settings as an important part of your virus outbreak strategy.
When virus and spyware scans or SONAR detect a threat, Symantec Endpoint Protection places the suspicious files in the infected computer's local quarantine. The client either repairs the file, repairs and restores it, or deletes it.
When the client detects a risk and quarantines the file, the client notifies the management server. You can enable the management server to automatically request and retrieve the quarantined file. The management server uploads and stores risk samples in the database, displays their event details, and lets you download them for further analysis. You may want to submit the file to your internal malware or security team for reverse engineering, or to another sandbox for analysis. If you think the conviction is a false positive, contact Symantec Support to log a case.
Version 14 and later does not include the Central Quarantine Server.
As of 14.3 RU2, you can no longer use the Central Quarantine Server. Instead, the client submits quarantined files to the Symantec Endpoint Protection Manager.
Uploading quarantined files to the management server
The management server does not retrieve quarantined files from the client by default. You must enable this setting.
To upload quarantined files
  1. In the console, click Admin > Domains > Edit Domain Properties.
  2. On the General tab, click Upload quarantined files from the clients, and then click OK.
To download files that the client quarantined and uploaded to the management server
  1. In the console, click Monitors > Logs, and then select the Risk log type.
  2. Open the log, select the quarantined file, and in the Action drop-down list, click Download file that the client quarantined.
Configuring the quarantine settings
You can modify the following options for how the quarantine treats files on the client:
  • What happens when new definitions arrive on clients:
    By default, the client rescans items in the quarantine and automatically repairs and restores items silently when new definitions arrive. If you created an exception for a file or application in the quarantine, Symantec Endpoint Protection restores the file after new definitions arrive.
  • Where quarantined items are stored:
    By default, the quarantine stores backup, repaired, and quarantined files in a default folder. The quarantine clean-up feature automatically deletes the files in the quarantine when the files exceed a specified age or when the directory where they are stored reaches a certain size. By default, it deletes files after 30 days.
    If you do not want to use the default quarantine directory (%ProgramData%\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine) to store quarantined files on client computers, you can specify a different local directory. You can use path expansion by using the percent sign when you type the path. For example, you can type %COMMON_APPDATA%. Relative paths are not allowed.
To configure the quarantine settings
  1. In the Virus and Spyware Protection policy, click Windows Settings > Quarantine.
  2. On the General tab, configure the options under When New Virus Definitions Arrive and Local Quarantine Options.
    Specify how to handle quarantined items and which local folder stores quarantined files.
  3. Click OK.
Deleting files in the quarantine
The quarantine automatically deletes repaired files, backup files, and quarantined files after a specified number of days. You can configure the quarantine to delete files when the folder where the files are stored reaches a specified size or after a certain number of days.
You should periodically check the client computer's quarantine to prevent accumulating a large number of files. Check the quarantined files whenever a new virus outbreak appears on the network.
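To verify on a client that the clean-up policy is actually taking effect, the following added PowerShell audit (not part of the Symantec documentation) expands the quarantine path the same way the console does, rejects relative paths, and reports the folder's total size and the files older than the retention age. The 500 MB size threshold and the use of each file's last-write time as its age are assumptions; adjust them to match the values configured in the policy.

```powershell
# Added example, not Symantec code: audit a client's local quarantine folder.
# Assumes the default quarantine path from the documentation and the 30-day default age.
param(
    [string]$QuarantinePath = '%ProgramData%\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine',
    [int]$MaxAgeDays = 30,
    [int]$MaxSizeMB  = 500   # assumed threshold; set to the policy's configured maximum
)

# The console accepts percent-sign path expansion; expand the same way here.
$resolved = [Environment]::ExpandEnvironmentVariables($QuarantinePath)

# The policy does not allow relative paths, so refuse them before auditing.
if (-not [IO.Path]::IsPathRooted($resolved)) {
    throw "Quarantine path must be absolute; relative paths are not allowed: $resolved"
}
if (-not (Test-Path -LiteralPath $resolved)) {
    Write-Warning "Quarantine folder not found: $resolved"
    return
}

$files   = Get-ChildItem -LiteralPath $resolved -File -Recurse -Force -ErrorAction SilentlyContinue
$cutoff  = (Get-Date).AddDays(-$MaxAgeDays)
$stale   = @($files | Where-Object { $_.LastWriteTime -lt $cutoff })   # age approximated by last write
$totalMB = [math]::Round((($files | Measure-Object Length -Sum).Sum) / 1MB, 2)

# Summary: a non-zero StaleCount or OverSizeLimit = $true means clean-up is not
# running on this client or its settings differ from what you expect.
[pscustomobject]@{
    Path          = $resolved
    FileCount     = @($files).Count
    TotalSizeMB   = $totalMB
    MaxAgeDays    = $MaxAgeDays
    StaleCount    = $stale.Count
    OverSizeLimit = ($totalMB -gt $MaxSizeMB)
}

# List the stale items so they can be reviewed (via the Risk log or the client)
# rather than removed blindly; unknown infections should stay quarantined.
$stale | Select-Object FullName, Length, LastWriteTime | Sort-Object LastWriteTime
```

Run it in an elevated PowerShell session on the client, because the quarantine folder is protected from standard users.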
Leave files with unknown infections in the quarantine. When the client receives new definitions, it rescans the items in the quarantine and might delete or repair the file.
You can delete a quarantined file if a backup exists or if you have a copy of the file from a trustworthy source. You can delete a quarantined file directly on the infected computer, or by using the Risk log in the Symantec Endpoint Protection console.
If Symantec Endpoint Protection detects risks in a compressed file, the compressed file is quarantined as a whole. However, the Risk log contains a separate entry for each file in the compressed file. To successfully delete all risks in a compressed file, you must select all the files in the compressed file.
To configure the client to delete files automatically
  1. In the Virus and Spyware Protection policy, click Windows Settings > Quarantine.
  2. On the Cleanup tab, check or uncheck the options to enable or disable them, and configure the time interval and size maximums.
  3. Click OK.
To delete files from the Risk log
  1. In the console, click Monitors.
  2. On the Logs tab, from the Log type list box, select the Risk log, and then click View Log.
  3. Do one of the following actions:
    • Select an entry in the log that has a file that has been quarantined.
    • Select all entries for files in the compressed file.
      You must have all entries in the compressed file in the log view. You can use the Limit option under Additional Settings to increase the number of entries in the view.
  4. From the Action list box, select Delete from Quarantine.
  5. Click Start.
  6. In the dialog box that appears, click Delete, and then click OK.