Best Practices for using Quarantine Server in a Symantec Endpoint Protection environment

Article ID: 177857


Products

Endpoint Protection

Issue/Introduction

What is the expected functionality of a Central Quarantine Server in a Symantec Endpoint Protection (SEP) environment?

Symptoms
While Quarantine Server can function in a SEP environment, it is unable to install the Rapid Release definition packages it downloads directly on SEP clients.

Cause

Quarantine Server has full functionality in a Symantec AntiVirus (SAV) environment. In a SEP environment it can still communicate with SEP clients to receive suspected threat samples, but it does NOT have the ability to install definitions on SEP clients the way the Symantec Endpoint Protection Manager (SEPM) can.

Resolution

As part of the end of support life of Endpoint Protection 12.x, the Quarantine Server utility has been deprecated. See TECH255506.

The use of Quarantine Server in a SEP environment is limited to the following:
1. Receiving suspected threat samples from SEP clients
2. Downloading Rapid Release definitions, specific to the suspected threats that have been submitted, ONLY to the Quarantine Server itself (they are not pushed to clients)

If an administrator wants to apply a Rapid Release definition that Quarantine Server has automatically downloaded for a specific threat to a client, they have to open the details of the submitted sample in the Quarantine Server user interface to obtain the Rapid Release number, and then locate the corresponding Rapid Release definition set in the Quarantine\Signatures directory on the Quarantine Server. Getting that definition set onto the SEP clients is a separate, manual step, because Quarantine Server itself cannot install it on them.
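The following PowerShell script is an added example for the second half of that lookup; it is not part of this article and not a Symantec tool. It takes the Rapid Release number read from the Quarantine Server user interface, searches the Quarantine\Signatures tree for files whose path contains that number, and prints each hit with its size, timestamp and SHA-256 so the administrator has a record of exactly which files left the server and can verify them again wherever they are deployed. Two assumptions are labelled in the code: the default $SignatureRoot path is a placeholder for the real install location, and the script assumes the Rapid Release number appears somewhere in the file or folder name, since the article does not document the naming convention (an operator must confirm any hit before using it).

```powershell
# Added example, not from the Symantec article. Assumptions (labelled):
# - $SignatureRoot is the Quarantine Server's Quarantine\Signatures directory;
#   the default below is a placeholder, adjust it to the server's install path.
# - The Rapid Release number shown in the Quarantine Server UI appears somewhere
#   in the file or folder name of the matching definition set. The article does
#   not document the naming convention, so this is a plain substring search and
#   the operator must confirm the hit before distributing anything.
param(
    [Parameter(Mandatory)] [string] $RapidReleaseNumber,
    [string] $SignatureRoot = 'C:\Program Files\Symantec\Quarantine\Signatures'
)

if (-not (Test-Path -LiteralPath $SignatureRoot)) {
    throw "Signature directory not found: $SignatureRoot"
}

# Match the literal number only; [regex]::Escape stops characters such as '.'
# in the supplied string from acting as regex metacharacters.
$pattern = [regex]::Escape($RapidReleaseNumber)

$hits = Get-ChildItem -LiteralPath $SignatureRoot -Recurse -File |
    Where-Object { $_.FullName -match $pattern }

if (-not $hits) {
    Write-Warning "No definition set containing '$RapidReleaseNumber' found under $SignatureRoot"
    return
}

# Report path, size, timestamp and SHA-256 for each candidate file so the
# operator can record what was copied off the server and re-verify it later.
$hits | ForEach-Object {
    [pscustomobject]@{
        Path          = $_.FullName
        SizeBytes     = $_.Length
        LastWriteTime = $_.LastWriteTime
        Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize
```

Run it on the Quarantine Server as `.\Find-RapidRelease.ps1 -RapidReleaseNumber <number from the sample details>`; the hash column is the value to compare after the files have been copied to whatever host you use to distribute them, since Quarantine Server itself provides no delivery path to SEP clients.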

Quarantine Server is not recommended for smaller SEP environments of fewer than 10,000 clients.

Note: Once Quarantine Server has received its maximum number of samples, it accepts no new samples until a Rapid Release definition set has been downloaded to remediate a given suspected sample. Because Quarantine Server cannot actually install Rapid Release definitions on SEP clients, the administrator has to purge the list of samples manually in order to keep receiving the latest suspected threats from the environment. In large environments this may have to be done on a daily basis.