Submit quarantined files from an Endpoint Protection for Linux client

Article ID: 163708

Products

Endpoint Protection

Issue/Introduction

The SEP for Linux client has quarantined files that are believed to be false positives. These files need to be submitted to the False Positive portal for analysis.

Environment

  • SEP for Linux version 12.1 RU5 - 14.3 MP1

Resolution

To submit quarantined files, the identity of the files in the Quarantine directory must be confirmed.

To confirm the file ID:

  1. Open a terminal session.
  2. Navigate to /opt/Symantec/symantec_antivirus.
  3. Run the following command:
       ./sav quarantine -l
  4. This lists all the files that have been quarantined. Note the ID associated with the file to be submitted.


To locate the file in the Quarantine directory:

  1. Navigate to /var/symantec/Quarantine/ (SEP 12.1.x) or /var/symantec/sep/Quarantine/ (SEP version up to 14.3 MP1).
  2. The quarantined file will be named with the ID noted in the previous steps with a file extension of .vbn.


The .vbn file is an encrypted file that can be submitted to Symantec's False Positive portal for analysis.

False Positive Submission Portal:
https://symsubmit.symantec.com
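
The lookup steps above as a shell helper, added here as an example and not Symantec's own tooling: given the ID noted from `./sav quarantine -l`, it checks both Quarantine directories for `<ID>.vbn` and stages an unmodified copy with a SHA-256 record for the submission. `QUARANTINE_DIRS`, `find_vbn`, `stage_vbn` and the accepted ID character set are assumptions of this example.

```shell
#!/bin/sh
# Added example: locate the .vbn file for a quarantine ID and stage a copy.
# QUARANTINE_DIRS is a hypothetical override (used for testing); the defaults
# are the two directories named in the article.
QUARANTINE_DIRS="${QUARANTINE_DIRS:-/var/symantec/Quarantine /var/symantec/sep/Quarantine}"

# Print the path of <ID>.vbn, or return 1 if the ID is malformed or not found.
find_vbn() {
    id="$1"
    # Reject anything that could carry a path or glob into the search.
    # (Assumption: IDs use only letters, digits, '_' and '-'.)
    case "$id" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid quarantine ID: $id" >&2; return 1 ;;
    esac
    for dir in $QUARANTINE_DIRS; do
        [ -d "$dir" ] || continue
        # -iname tolerates case differences in the file name (assumption).
        match=$(find "$dir" -maxdepth 1 -type f -iname "$id.vbn" | head -n 1)
        if [ -n "$match" ]; then
            printf '%s\n' "$match"
            return 0
        fi
    done
    echo "no .vbn file for ID $id in: $QUARANTINE_DIRS" >&2
    return 1
}

# Copy the .vbn unchanged into a staging directory and record its SHA-256,
# so the submitted file can later be matched to the quarantined one.
stage_vbn() {
    src=$(find_vbn "$1") || return 1
    dest_dir="$2"
    mkdir -p "$dest_dir" || return 1
    cp -p "$src" "$dest_dir/" || return 1
    staged="$dest_dir/$(basename "$src")"
    sha256sum "$staged" > "$staged.sha256" || return 1
    printf '%s\n' "$staged"
}

# Usage: sh stage_vbn.sh <ID> <staging-dir>
if [ "$#" -eq 2 ]; then
    stage_vbn "$1" "$2"
fi
```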

Additional Information

Currently, submitting QUR files in /var/log/sdcsslog/quarantine/ (SEP version 14.3 RU1 and newer) is not supported.