How to manage quarantined items in the Quarantine Folder?
Managing quarantined files includes the following:
About Quarantine settings:
You use the Virus and Spyware Protection policy to configure client Quarantine settings.
You manage Quarantine settings as an important part of your virus outbreak strategy.
Specifying a local Quarantine directory:
If you do not want to use the default quarantine directory (C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Quarantine) to store quarantined files on client computers, you can specify a different local directory. You can use path expansion by using the percent sign when you type the path. For example, you can type %COMMON_APPDATA%. Relative paths are not allowed.
The software supports the following expansion parameters:
%COMMON_APPDATA% - This path is typically C:\Documents and Settings\All Users\Application Data
%PROGRAM_FILES% - This path is typically C:\Program Files
%PROGRAM_FILES_COMMON% - This path is typically C:\Program Files\Common
%COMMON_PROGRAMS% - This path is typically C:\Documents and Settings\All Users\Start Menu\Programs
%COMMON_STARTUP% - This path is typically C:\Documents and Settings\All Users\Start Menu\Programs\Startup
%COMMON_DESKTOPDIRECTORY% - This path is typically C:\Documents and Settings\All Users\Desktop
%COMMON_DOCUMENT% - This path is typically C:\Documents and Settings\All Users\Documents
%SYSTEM% - This path is typically C:\Windows\System32
%WINDOWS% - This path is typically C:\Windows
To specify a local quarantine directory:
Configuring automatic clean-up options:
When the client software scans a suspicious file, it places the file in the local Quarantine folder on the infected computer. The Quarantine clean-up feature automatically deletes the files in the Quarantine when they exceed a specified age, or when the directory where they are stored reaches a certain size.
You can configure these options using the Virus and Spyware Protection Policy. You can individually configure the number of days to keep repaired, backup, and quarantined files. You can also set the maximum directory size that is allowed before files are automatically removed from the client computer.
You can use one of the settings, or you can use both together. If you set both types of limits, then all files older than the time you have set are purged first. If the size of the directory still exceeds the size limit that you set, then the oldest files are deleted one by one. The files are deleted until the directory size falls below the limit. By default, these options are not enabled.
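The purge order described above, modeled as an added example (this is not Symantec's code and not part of the original article). The item names, sizes and retention values are constructed, and leaving a directory that sits exactly at the size limit untouched is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Item:
    name: str       # constructed label, not a real quarantine file name
    kind: str       # "repaired", "backup" or "quarantined"
    age_days: int
    size_mb: int

def plan_cleanup(items, keep_days=None, max_dir_mb=None):
    """Return [(name, reason)] in the order items would be deleted.

    keep_days:  dict kind -> days to keep, or None when the age limit is off.
    max_dir_mb: directory size limit in MB, or None when the size limit is off.
    """
    deleted = []
    remaining = sorted(items, key=lambda i: -i.age_days)  # oldest first
    # Pass 1: the age limit. Every item older than its kind's retention is purged.
    if keep_days:
        for it in list(remaining):
            limit = keep_days.get(it.kind)
            if limit is not None and it.age_days > limit:
                deleted.append((it.name, "age"))
                remaining.remove(it)
    # Pass 2: the size limit. Oldest survivors are deleted one by one until
    # the directory no longer exceeds the limit (equality handling is assumed).
    if max_dir_mb is not None:
        total = sum(i.size_mb for i in remaining)
        while remaining and total > max_dir_mb:
            it = remaining.pop(0)
            total -= it.size_mb
            deleted.append((it.name, "size"))
    return deleted

# Constructed sample directory contents.
SAMPLE = [
    Item("item-A", "quarantined", 45, 40),
    Item("item-B", "backup", 20, 10),
    Item("item-C", "quarantined", 12, 30),
    Item("item-D", "repaired", 9, 5),
    Item("item-E", "quarantined", 3, 35),
]
KEEP = {"quarantined": 30, "backup": 14, "repaired": 14}

if __name__ == "__main__":
    for name, reason in plan_cleanup(SAMPLE, KEEP, max_dir_mb=50):
        print(f"{name}: deleted by {reason} limit")
```

Running the model against an inventory of a client's Quarantine shows which items a proposed policy would delete before they can be reviewed or submitted.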
To configure automatic clean-up options:
Submitting quarantined items to a central Quarantine Server:
**Note: As of 14.3 RU2, you can no longer use the Central Quarantine Server. Instead, the client submits quarantined files to the SEPM.**
You can enable items in Quarantine to be forwarded from the local Quarantine to a Central Quarantine Server. You should configure the client to forward items if you use a Central Quarantine Server in your security network. The Central Quarantine Server can forward the information to Symantec Security Response. Information that clients submit helps Symantec determine if a detected threat is real.
Note: Only the quarantined items that are detected by antivirus and antispyware scans may be sent to a Central Quarantine Server. Quarantined items that are detected by proactive threat scans cannot be sent.
To enable submission of quarantined items to a Quarantine Server:
Submitting quarantined items to Symantec:
You can enable the client software to allow users to submit infected or suspicious files and related side effects to Symantec Security Response for further analysis. When users submit information, Symantec can refine its detection and repair. Files that are submitted to Symantec Security Response become the property of Symantec Corporation. In some cases, files may be shared with the antivirus community. If Symantec shares files, Symantec uses industry-standard encryption and may make data anonymous to help protect the integrity of the content and your privacy. In some cases, Symantec might reject a file. For example, Symantec might reject a file because the file does not seem to be infected. You can enable the resubmission of files if you want users to be able to resubmit selected files. Users can resubmit files once per day.
To enable submission of quarantined items to Symantec
Configuring actions to take when new definitions arrive:
You can configure the actions that you want to take when new definitions arrive on client computers. By default, the client rescans items in the Quarantine and automatically repairs and restores items silently. Typically, you should always use this setting.
To configure actions for new definitions
Note: This functionality is limited to only detections that have been whitelisted via definitions. Exceptions or Reputation do not provide this functionality.