Symantec Endpoint Protection: Central Quarantine explained.

Article ID: 177916

Updated On:

Products

Endpoint Protection

Issue/Introduction

How does Central Quarantine work?

Resolution

Central Quarantine uses the Digital Immune System to manage the entire antivirus process. The Digital Immune System eliminates many of the manual tasks that are involved in the submission processes and analysis processes. Automation reduces the time between when a virus is first found and when a repair is deployed with LiveUpdate.

The Digital Immune System does the following:
  1. Identifies and quarantines: Rapidly identifies new threats by using powerful heuristic and behavioral detection. Suspicious items are isolated in the Central Quarantine and samples are automatically submitted to Symantec Security Response for analysis.
  2. Analyzes: Submits the files to Symantec Security Response for analysis, repair, and testing.



Identifying and quarantining viruses

The first goal of the Digital Immune System is to detect new or unknown threats at the desktop, server, and gateway. Symantec uses Bloodhound heuristics technology, which is designed to detect a majority of new or unknown viral strains. You can configure clients to automatically send suspect files and their side effects to a local Quarantine. A local Quarantine may be located on the desktop, server, or gateway. The local Quarantine packages suspicious files with information about the submitting computer, then forwards the files to the corporate Central Quarantine for further analysis.

Since the Central Quarantine may have more up-to-date virus definitions than the submitting computer, it scans files by using its own set of virus definitions. If the Central Quarantine cannot fix a file, it strips the file of potentially sensitive data if configured to do so, and then encrypts it. The Digital Immune System then transmits the file over the Internet to a Symantec gateway for further analysis.

Administrators can configure the Digital Immune System to automatically do the following:
  1. Detect and quarantine new and unknown viruses.
  2. Filter and forward encrypted samples to Symantec Security Response for analysis. The Digital Immune System can strip out sensitive content.
  3. Check for new virus definitions and status updates.


Analyzing viruses

The Quarantine Agent handles the communication between the Central Quarantine and the Symantec gateway. If the Central Quarantine cannot repair an infected file, the Quarantine Agent forwards it to the gateway. The Quarantine Agent then queries the gateway to see if the repair is ready.

If the repair is ready, the Quarantine Agent downloads the new virus definitions set and installs the new definitions on the Central Quarantine. If the repair is not ready, the Quarantine Agent polls the gateway every 60 minutes for a repair.
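The rescan-then-forward decision described above under "Identifying and quarantining viruses", together with the Quarantine Agent's 60-minute polling loop, as an added Python model (not Symantec code). Host names, definitions versions, file contents, the sensitive-data patterns and the stand-in gateway are constructed; encryption and the network transfer are left out.

```python
"""Model of the Central Quarantine triage and Quarantine Agent polling described above.
Host names, definitions versions, file contents and the sensitive-data patterns are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import re

POLL_INTERVAL = timedelta(minutes=60)   # the agent re-polls the gateway every 60 minutes
SENSITIVE = re.compile(rb"SSN=\d{3}-\d{2}-\d{4}|password=\S+")   # constructed patterns

@dataclass
class Submission:
    submitter: str        # computer whose local Quarantine forwarded the file
    submitter_defs: int   # definitions version on that computer
    content: bytes
    status: str = "quarantined"

def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class CentralQuarantine:
    def __init__(self, defs_version: int, repairable: set, strip_sensitive: bool = True):
        self.defs_version = defs_version          # may be newer than any submitter's
        self.repairable = repairable              # fingerprints these definitions can repair
        self.strip_sensitive = strip_sensitive

    def triage(self, sub: Submission) -> dict | None:
        """Rescan with own definitions; return a package for the gateway only if unfixable."""
        fp = fingerprint(sub.content)
        if fp in self.repairable:
            sub.status = "repaired"
            return None
        sample = SENSITIVE.sub(b"[STRIPPED]", sub.content) if self.strip_sensitive else sub.content
        sub.status = "forwarded"
        # encryption and the Internet transfer to the Symantec gateway are out of scope here
        return {"fingerprint": fp, "submitter": sub.submitter,
                "submitter_defs": sub.submitter_defs, "sample": sample}

def quarantine_agent(cq: CentralQuarantine, package: dict, gateway, start: datetime) -> datetime:
    """Forward the package, then poll every 60 minutes until a repair is ready and install it."""
    now = start
    while (repair := gateway(package["fingerprint"], now)) is None:
        now += POLL_INTERVAL
    new_version, fixed = repair
    cq.defs_version = new_version
    cq.repairable |= fixed        # the new definitions set now repairs this threat
    return now

def make_gateway(ready_at: datetime, new_version: int):
    """Constructed stand-in gateway: a repair becomes available at ready_at."""
    def gateway(fp: str, now: datetime):
        return (new_version, {fp}) if now >= ready_at else None
    return gateway
```

Running `triage` again on the same submission after `quarantine_agent` returns shows the installed definitions repairing what was previously forwarded.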

When the Digital Immune System receives a new submission, it does the following:
  1. Adds the submission to a tracking database.
  2. Filters the submission to eliminate clean files, false positives, known viruses, and expanded threats. Filtering is quick, and because most submissions are resolved by filtering, the response time for filtered items is fast.
  3. Analyzes the virus and side effects, generates a repair, and then tests the repair. In most cases, analysis and repair are automatically generated, but some viruses may require the intervention of Symantec Security Response researchers.
  4. Builds a new virus definitions set, which includes the new fingerprint, and returns the new definitions to the gateway.