Symantec Endpoint Protection (SEP) identifies a file as malicious and quarantines it. The administrator determines that the detection is a False Positive and submits the file to Symantec Security Response for review. After review, Symantec issues new definitions that no longer make that detection. On receiving the new definitions, SEP rescans the quarantine.
Even though the Quarantine options are set to repair, the file remains in quarantine and is not restored to its original location.
Symantec Endpoint Protection repairs and restores a file from quarantine only if the file is actually infected and a repair is possible.
In the case of a False Positive (FP) there is nothing to repair, so the file remains in quarantine.
Files can be restored from Quarantine manually via the product GUI or using the QExtract tool.
File Restoration from the SEP client GUI:
File Restoration using QExtract :
Symantec provides an unsupported tool called QExtract, located in the Tools\NoSupport folder of the installation CD.
Carefully review the QuarantineExtract.html file that ships with the tool before using it. The utility can restore files from multiple systems.
The tool must be run from the "bin" directory (C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\<version>\Bin)
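As an added illustration (not part of the KB article and not code shipped with QExtract), the following PowerShell wrapper locates the versioned Bin directory, confirms the tool is present there, and runs it with Bin as the working directory, which is the requirement stated above. The executable name QExtract.exe, the version-folder naming pattern, and the Program Files (x86) install root are assumptions; the tool's own switches are not assumed and must be taken from QuarantineExtract.html.

```powershell
# Added example, not from the Symantec KB or the QExtract tool.
# Assumptions: the executable is QExtract.exe, it has already been copied from
# Tools\NoSupport on the installation media into the SEP Bin folder, and SEP is
# installed under the path the article gives. QExtract's command-line switches
# are NOT assumed here; pass the ones documented in QuarantineExtract.html.
function Invoke-QExtract {
    [CmdletBinding()]
    param(
        [string]$SepRoot = "${env:ProgramFiles(x86)}\Symantec\Symantec Endpoint Protection",
        [string]$ToolName = "QExtract.exe",
        [string[]]$QExtractArgs = @()
    )

    # SEP installs under a <version> folder (e.g. 14.3.x.y, an assumed pattern).
    # If several versioned folders exist, use the highest one.
    $versionDirs = Get-ChildItem -Path $SepRoot -Directory -ErrorAction Stop |
        Where-Object { $_.Name -match '^\d+(\.\d+)+$' } |
        Sort-Object { [version]$_.Name } -Descending
    if (-not $versionDirs) {
        throw "No versioned SEP folder found under $SepRoot"
    }

    $binDir = Join-Path $versionDirs[0].FullName 'Bin'
    $tool   = Join-Path $binDir $ToolName
    if (-not (Test-Path -Path $tool)) {
        throw "$ToolName not found in $binDir. Copy it there from Tools\NoSupport on the installation media first."
    }

    # The tool must be run from Bin: make Bin the working directory for the
    # duration of the call and restore the caller's location afterwards.
    Push-Location -Path $binDir
    try {
        & $tool @QExtractArgs
        $exitCode = $LASTEXITCODE
    }
    finally {
        Pop-Location
    }
    return $exitCode
}

# Usage: supply the switches from QuarantineExtract.html, e.g.
#   Invoke-QExtract -QExtractArgs @('<switches from QuarantineExtract.html>')
```

Running the tool from a different working directory is exactly what the article warns against, so the wrapper changes location before invoking it and restores it afterwards even if the tool fails. The returned exit code is whatever QExtract itself sets; interpret it according to its documentation.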
File Restoration using SEPM and manually excluding the file via an "Allow Application" exception:
File Restoration using SEP and the automatic repair and restore files in Quarantine functionality:
Note: The default Auto-Protect first action for a Security Risk detection is Quarantine risk, but for a Malware or Virus detection the default first action is Clean risk. If the false positive was detected as Malware or Virus, it may be necessary to change the Auto-Protect first action for Malware or Virus to Quarantine risk so that the file is quarantined rather than cleaned. The Auto-Protect actions are configured in the Virus and Spyware Protection policy, in the Auto-Protect section, under the Actions tab.