How to decrypt quarantined files retrieved by the "Download file that the client quarantined" feature added to SEPM versions 14.3 RU2 and later
Article ID: 227352

Updated On:

Products

Endpoint Protection

Issue/Introduction

In 14.3 RU2 a new feature, "Download file that the client quarantined", was added to allow the Symantec Endpoint Protection Manager (SEPM) to download quarantined files from Symantec Endpoint Protection (SEP) clients.
The SEPM stores these files in a transformed form so that they are not automatically quarantined again when an administrator downloads them from the SEPM.

In some circumstances an administrator may need to retrieve the exact file.

This document provides steps to retrieve the file as it was before being quarantined.

Environment

14.3 RU2 SEPM and later.

Resolution

The downloaded file is named with the hash of the originally quarantined file (the hash of the content before the SEP client transformed it with an XOR operation), but the contents of the downloaded file remain XOR-transformed. The malicious file can never be downloaded directly; what you receive is always the XOR 0x80 encoded file.

Move the file to a testing environment under the control of the responsible Security Team. Once it has been isolated as required, the Security Team can use any script or third-party tool to reverse the XOR 0x80 transform and restore the file to its original state.

Below is a sample python script which demonstrates how to get the original file back using the quarantined file downloaded from the SEPM.

Note: These scripts are meant for guidance purposes only and are not supported by Broadcom.

# Undo the XOR 0x80 transform applied by the SEP client. XOR with a constant
# key is its own inverse, so the same operation restores the original bytes.
with open('download_file', 'rb') as f:
    with open('xored_download_file', 'wb') as f1:
        f1.write(bytes(x ^ 0x80 for x in f.read()))

PowerShell version of the script for environments in which Python can't be used:

# Read the SEPM download, XOR every byte with 0x80 (its own inverse), and
# write the restored original file.
$bytes = [System.IO.File]::ReadAllBytes("download_file")
for ($i = 0; $i -lt $bytes.Length; $i++) {
    $bytes[$i] = $bytes[$i] -bxor 0x80
}
[System.IO.File]::WriteAllBytes("xored_download_file", $bytes)
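The following added example is not part of the Broadcom article and is not a supported script; it wraps the same XOR 0x80 reversal in functions and adds the check a practitioner would want after restoring the file: hashing the restored content and comparing it with the name of the downloaded file, which the article says is the hash of the original. The article does not name the hash algorithm, so SHA-256 is an assumption here; the sample bytes, the `restore_quarantined_file` and `matches_download_name` helpers, and the file names are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

XOR_KEY = 0x80  # single-byte key the SEP client applies, per the article


def xor_transform(data: bytes) -> bytes:
    """Apply the XOR 0x80 transform. XOR with a constant key is its own
    inverse, so the same function both obfuscates and restores the bytes."""
    return bytes(b ^ XOR_KEY for b in data)


def restore_quarantined_file(downloaded: Path, restored: Path) -> str:
    """Read the SEPM download, undo the XOR transform, write the original
    bytes to `restored`, and return the SHA-256 hex digest of the result.
    (SHA-256 is an assumption; the article only says 'hash'.)"""
    original = xor_transform(downloaded.read_bytes())
    restored.write_bytes(original)
    return hashlib.sha256(original).hexdigest()


def matches_download_name(downloaded: Path, digest: str) -> bool:
    """Check that the restored content's digest equals the download's file
    name (the stem, in case an extension was appended), case-insensitively.
    A mismatch means the file was altered in transit or the XOR step was
    not reversed correctly."""
    return downloaded.stem.lower() == digest.lower()


def demo() -> dict:
    """Constructed end-to-end run: pretend a small byte string was the
    quarantined file, transform it the way the client does, name the download
    after its SHA-256 digest, then restore and verify. Returns the results
    rather than printing them so they can be checked programmatically."""
    original = b"MZ\x90\x00 constructed sample, not a real quarantined file"
    expected_name = hashlib.sha256(original).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        downloaded = Path(tmp) / expected_name   # SEPM names the download after the hash
        downloaded.write_bytes(xor_transform(original))
        restored = Path(tmp) / "restored.bin"
        digest = restore_quarantined_file(downloaded, restored)
        return {
            "digest": digest,
            "name_matches": matches_download_name(downloaded, digest),
            "roundtrip_ok": restored.read_bytes() == original,
        }


if __name__ == "__main__":
    print(demo())
```

Run it against a real download by calling `restore_quarantined_file(Path("<download>"), Path("<restored>"))` from an isolated analysis host and then `matches_download_name` on the returned digest; a `False` result is the signal to stop and investigate before trusting the restored sample.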