To gather files to submit
- Navigate to the Quarantine folder. The path will be different with different version and operating systems. Here are some examples:
SEP:
Windows XP:
<OS drive>\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine
Windows 7 and above:
<OS drive>\ProgramData\Symantec\Symantec Endpoint Protection\12.1.xxx.xxxx.xxx\Data\Quarantine
or
<OS drive>\ProgramData\Symantec\Symantec Endpoint Protection\14.x.xxxx.xxxx.xxx\Data\Quarantine
- The .VBN files at the root of the quarantine folder, are logs and do not contain the quarantined item. However, for each .VBN file in the Quarantine folder there should be another folder with the same name as the .VBN file. You will need to navigate to this folder
Example: If there is a file named ABCD1234.VBN in the Quarantine folder, there should also be a folder named ABCD1234 in the Quarantine folder. This folder contains a different ABCD1234.VBN file, that actually contains the sample. If in doubt when comparing .VBN files with the same name, always send the larger file.
- In this folder are the .VBN files that need to be submitted. Copy the desired .VBN file to the desktop for easy access. Do not zip or rar .VBN files that are to be submitted.
- Open a web browser and visit the appropriate URL as provided by support.
Upload the file(s) as directed by the web page.
Note:
There may be multiple .VBN files located in the Quarantine file.
These files are encrypted but if they are opened in a text editor (such as notepad.exe) the orginal file name can be read at the top.
If there are multiple .VBN files present and you are unsure of which file(s) to submit, we recommend that you open the SEP interface, access Quarantine and remove everything except for the file(s) you want to submit. Do not zip or rar .VBN files that are to be submitted. Instead create a new submission for each .VBN file.
These files are encrypted by Symantec in such a way that we can decrypt them for inspection. While they do potentially contain an infection, due to the proprietary encryption used, there is no danger of infection from these specific files while moving them.
Applies To
Note: This document only covers submitting files from SEP clients, not from a legacy standalone Central Quarantine Server (CQS) which is now past its End of Life.