ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection

book

Article ID: 178064

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You have files that have been quarantined by Symantec Endpoint Protection (SEP) on a local computer, and have been directed to manually submit them via the online submission form rather than from within the product interface.  

 

Note that for suspected missed malware, it is usually not necessary to submit files that are already detected and quarantined by Symantec products.  Please see the Connect article Symantec Insider Tip: Successful Submissions! for additional recommendations on what to submit and what not to submit. For suspected False Positives, see Submit false positives detected by Endpoint Protection.
 

Resolution

To gather files to submit

  1. Navigate to the Quarantine folder:
    SEP:

    <OS drive>\ProgramData\Symantec\Symantec Endpoint Protection\14.x.xxxx.xxxx.xxx\Data\Quarantine
     
  2. The .VBN files at the root of the quarantine folder, are logs and do not contain the quarantined item. However, for each .VBN file in the Quarantine folder there should be another folder with the same name as the .VBN file. You will need to navigate to this folder

    Example: If there is a file named ABCD1234.VBN in the Quarantine folder, there should also be a folder named ABCD1234 in the Quarantine folder. This folder contains a different ABCD1234.VBN file, that actually contains the sample. If in doubt when comparing .VBN  files with the same name, always send the larger file.
     
  3. In this folder are the .VBN files that need to be submitted. Copy the desired .VBN file to the desktop for easy access. Do not zip or rar .VBN files that are to be submitted.
     
  4. Open a web browser and visit the appropriate URL as provided by support.
    Upload the file(s) as directed by the web page.

    Note:
    There may be multiple .VBN files located in the Quarantine file.
    These files are encrypted but if they are opened in a text editor (such as notepad.exe) the orginal file name can be read at the top.

    If there are multiple .VBN files present and you are unsure of which file(s) to submit, we recommend that you open the SEP interface, access Quarantine and remove everything except for the file(s) you want to submit. Do not zip or rar .VBN files that are to be submitted. Instead create a new submission for each .VBN file.

    These files are encrypted by Symantec in such a way that we can decrypt them for inspection. While they do potentially contain an infection, due to the proprietary encryption used, there is no danger of infection from these specific files while moving them.