How to submit suspicious files via the online submission form that have been quarantined by Symantec Endpoint Protection

book

Article ID: 178064

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

You have files that have been quarantined by Symantec Endpoint Protection (SEP) on a local computer, and have been directed to manually submit them via the online submission form rather than from within the product interface.  

 

Note that for suspected missed malware, it is usually not necessary to submit files that are already detected and quarantined by Symantec products.  Please see the Connect article Symantec Insider Tip: Successful Submissions! for additional recommendations on what to submit and what not to submit. For suspected False Positives, see Submit false positives detected by Endpoint Protection.
 

Resolution

To gather files to submit

  1. Navigate to the Quarantine folder.  The path will be different with different version and operating systems.  Here are some examples:

    SEP:
    Windows XP:
    <OS drive>\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine

    Windows 7 and above:
    <OS drive>\ProgramData\Symantec\Symantec Endpoint Protection\12.1.xxx.xxxx.xxx\Data\Quarantine
    or
    <OS drive>\ProgramData\Symantec\Symantec Endpoint Protection\14.x.xxxx.xxxx.xxx\Data\Quarantine
     
  2. The .VBN files at the root of the quarantine folder, are logs and do not contain the quarantined item. However, for each .VBN file in the Quarantine folder there should be another folder with the same name as the .VBN file. You will need to navigate to this folder

    Example: If there is a file named ABCD1234.VBN in the Quarantine folder, there should also be a folder named ABCD1234 in the Quarantine folder. This folder contains a different ABCD1234.VBN file, that actually contains the sample. If in doubt when comparing .VBN  files with the same name, always send the larger file.
     
  3. In this folder are the .VBN files that need to be submitted. Copy the desired .VBN file to the desktop for easy access. Do not zip or rar .VBN files that are to be submitted.
     
  4. Open a web browser and visit the appropriate URL as provided by support.
    Upload the file(s) as directed by the web page.

    Note:
    There may be multiple .VBN files located in the Quarantine file.
    These files are encrypted but if they are opened in a text editor (such as notepad.exe) the orginal file name can be read at the top.

    If there are multiple .VBN files present and you are unsure of which file(s) to submit, we recommend that you open the SEP interface, access Quarantine and remove everything except for the file(s) you want to submit. Do not zip or rar .VBN files that are to be submitted. Instead create a new submission for each .VBN file.

    These files are encrypted by Symantec in such a way that we can decrypt them for inspection. While they do potentially contain an infection, due to the proprietary encryption used, there is no danger of infection from these specific files while moving them.

 

Applies To

 

Note: This document only covers submitting files from SEP clients, not from a legacy standalone Central Quarantine Server (CQS) which is now past its End of Life.