Configuring Symantec Protection Engine (SPE) to quarantine files that are infected to a local drive
Article ID: 246562

Products

Protection Engine for NAS

Issue/Introduction

Symantec Protection Engine Quarantine Server (SPEQS) has been discontinued. With SPEQS no longer available, customers have asked how an SPE server can be configured to quarantine suspect or infected files to a local volume or drive path instead.

Environment

Release : 8.2.1, 8.2.2

 

Cause

Discontinued product SPEQS

Resolution

The following is a simple configuration that can be adapted to specific needs. The four policy/configuration settings (scan action, Quarantine policy, QuarantineServerSettings enabled, QuarantineType) work together: quarantine only takes effect when all of them are set.

If you are using the console instead of xmlmodifier, the scan action must be set to "Repair or delete" for quarantine to be enabled.

WINDOWS CONFIGURATION

  • Create a folder structure on the server to which quarantined files will be sent. Example:  C:\SPE\Quarantine. This folder will hold live malicious content, so restrict its permissions to the account the scan engine service runs as.
  • Open an administrative command prompt and change directory to the "Scan Engine" folder:  CD "C:\Program Files\Symantec\Scan Engine"
  • Run the following commands to edit the policy and configuration XML files to the required values.

xmlmodifier -s //policies/ThreatPolicies/Actions/AVActionPolicy/@value 3 policy.xml         { Sets the scan action to "Scan and Delete" }

xmlmodifier -s //policies/ThreatPolicies/Actions/Quarantine/@value true policy.xml          { Sets the policy to allow Quarantine actions }

xmlmodifier -s //configuration/QuarantineServerSettings/@enabled true configuration.xml     { Works in conjunction with the previous command to enable quarantine }

xmlmodifier -s //configuration/QuarantineServerSettings/QuarantineType/@value ondisk configuration.xml     { Sets the quarantine type to a local disk to which quarantined files will be sent }

xmlmodifier -s //QuarantineServerSettings/CloudStore/@location "C:\SPE\Quarantine" configuration.xml       { The CloudStore location is the destination for quarantined files; for on-disk quarantine point it at the local folder created above }

xmlmodifier -s //QuarantineServerSettings/CloudStore/@relativepath "C:\SPE\Quarantine" configuration.xml   { Cloud servers require a relative path to which quarantined files are sent; for local quarantine set it to the same folder as the previous command }

  • Restart the scan engine service:   net stop symcscan && net start symcscan
  • Test the result by scanning an EICAR test file (or similar) with ssecls and confirming that a copy of the file appears in the quarantine folder.

 

LINUX CONFIGURATION

  • Create a folder structure on the server to which quarantined files will be sent. Example:     /opt/SPE/Quarantine. This folder will hold live malicious content, so restrict its permissions (for example mode 0700) to the account the scan engine service runs as.
  • From a bash prompt change into "/opt/SYMCScan/bin"
  • Run the following commands to edit the policy and configuration XML files to the required values:

./xmlmodifier -s //policies/ThreatPolicies/Actions/AVActionPolicy/@value 3 policy.xml         { Sets the scan action to "Scan and Delete" }

./xmlmodifier -s //policies/ThreatPolicies/Actions/Quarantine/@value true policy.xml          { Sets the policy to allow Quarantine actions }

./xmlmodifier -s //configuration/QuarantineServerSettings/@enabled true configuration.xml     { Works in conjunction with the previous command to enable quarantine }

./xmlmodifier -s //configuration/QuarantineServerSettings/QuarantineType/@value ondisk configuration.xml     { Sets the quarantine type to a local disk to which quarantined files will be sent }

./xmlmodifier -s //QuarantineServerSettings/CloudStore/@location "/opt/SPE/Quarantine/" configuration.xml       { The CloudStore location is the destination for quarantined files; for on-disk quarantine point it at the local folder created above }

./xmlmodifier -s //QuarantineServerSettings/CloudStore/@relativepath "/opt/SPE/Quarantine/" configuration.xml   { Cloud servers require a relative path to which quarantined files are sent; for local quarantine set it to the same folder as the previous command }

  • Restart the scan engine service:   /etc/init.d/symcscan restart
  • Test the result by scanning an EICAR test file (or similar) with ssecls and confirming that a copy of the file appears in the quarantine folder.
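The following script is an added example, not Symantec's code, and applies to both the Windows and the Linux procedure above. After running the xmlmodifier commands it is worth verifying that policy.xml and configuration.xml actually carry all six settings together, because quarantine silently stays off if any one of them is missing. The script reads the two files, checks each setting at the same XPath the xmlmodifier commands use, and checks that the quarantine folder exists and (on POSIX) is not writable by other users. It can also write the settings itself for a test or lab copy of the files. The only assumptions are the element and attribute names taken from the XPaths on this page; the sample XML at the bottom is a constructed stand-in, not a real SPE file.

```python
"""Verify (or apply) the SPE on-disk quarantine settings described in the article.

Usage:  python check_spe_quarantine.py policy.xml configuration.xml /opt/SPE/Quarantine
With no arguments it runs against the constructed sample XML below.
"""
import os
import stat
import sys
import xml.etree.ElementTree as ET


def quarantine_settings(quarantine_dir):
    """The article's six settings as (path under the document root, attribute, value).
    Paths mirror the xmlmodifier XPaths; the roots are <policies> and <configuration>."""
    policy = [
        ("ThreatPolicies/Actions/AVActionPolicy", "value", "3"),
        ("ThreatPolicies/Actions/Quarantine", "value", "true"),
    ]
    config = [
        ("QuarantineServerSettings", "enabled", "true"),
        ("QuarantineServerSettings/QuarantineType", "value", "ondisk"),
        ("QuarantineServerSettings/CloudStore", "location", quarantine_dir),
        ("QuarantineServerSettings/CloudStore", "relativepath", quarantine_dir),
    ]
    return policy, config


def check_settings(xml_text, settings):
    """Return a list of mismatches; an empty list means every setting is present and correct."""
    root = ET.fromstring(xml_text)
    problems = []
    for path, attr, want in settings:
        node = root.find(path)
        got = None if node is None else node.get(attr)
        if got != want:
            problems.append(f"//{root.tag}/{path}/@{attr} is {got!r}, expected {want!r}")
    return problems


def apply_settings(xml_text, settings):
    """Do what `xmlmodifier -s //<root>/<path>/@<attr> <value>` does, in Python.
    This example creates a missing element rather than failing; whether xmlmodifier
    itself does so is not covered by the article (assumption, lab use only)."""
    root = ET.fromstring(xml_text)
    for path, attr, value in settings:
        node = root
        for step in path.split("/"):
            child = node.find(step)
            if child is None:
                child = ET.SubElement(node, step)
            node = child
        node.set(attr, value)
    return ET.tostring(root, encoding="unicode")


def check_quarantine_dir(path):
    """The folder will hold live malware: it must exist and, on POSIX, must not be
    writable by group or others (Windows ACLs are not inspected here)."""
    if not os.path.isdir(path):
        return [f"{path} does not exist or is not a directory"]
    problems = []
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path} is group/world writable (mode {mode:o})")
    return problems


def check_files(policy_path, config_path, quarantine_dir):
    """Run all checks against real files and return the combined problem list."""
    policy, config = quarantine_settings(quarantine_dir)
    with open(policy_path, encoding="utf-8") as f:
        problems = check_settings(f.read(), policy)
    with open(config_path, encoding="utf-8") as f:
        problems += check_settings(f.read(), config)
    return problems + check_quarantine_dir(quarantine_dir)


# Constructed, minimal stand-ins for policy.xml and configuration.xml (not real SPE files):
# quarantine is off in both, so every check should fail until the settings are applied.
SAMPLE_POLICY = """<policies><ThreatPolicies><Actions>
  <AVActionPolicy value="1"/><Quarantine value="false"/>
</Actions></ThreatPolicies></policies>"""
SAMPLE_CONFIG = """<configuration><QuarantineServerSettings enabled="false">
  <QuarantineType value=""/><CloudStore location="" relativepath=""/>
</QuarantineServerSettings></configuration>"""


if __name__ == "__main__":
    if len(sys.argv) == 4:
        found = check_files(*sys.argv[1:])
        print("\n".join(found) if found else "on-disk quarantine is fully configured")
        sys.exit(1 if found else 0)
    pol, cfg = quarantine_settings("/opt/SPE/Quarantine")
    print("before:", check_settings(SAMPLE_POLICY, pol) + check_settings(SAMPLE_CONFIG, cfg))
    print("after: ", check_settings(apply_settings(SAMPLE_POLICY, pol), pol)
          + check_settings(apply_settings(SAMPLE_CONFIG, cfg), cfg))
```

Run it with the two XML paths and the quarantine folder after the service restart; a non-zero exit with the list of mismatches tells you which xmlmodifier command did not take effect before you spend time on an ssecls test.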