Symantec Endpoint Protection (SEP) identifies a file as malicious and quarantines the file, however, the administrator determines that this is a False Positive detection and submits the file to Symantec Security Response for review. After review, Symantec issues new definitions that no longer make that detection. Upon receipt of the new definitions, SEP accomplishes a scan of the quarantine.
Even though the Quarantine options are set to repair, the file remains in quarantine and is not restored to its original location.
Symantec Endpoint Protection has the functionality to repair and restore files from quarantine only if they are infected, and that the repair of the file is actually possible.
In the case of a False Positive (FP), there is nothing to repair, so the file remains in quarantine.
Files can be restored from Quarantine manually via the product GUI or using the QExtract tool.
File Restoration from the SEP client GUI (SEP 12.1 and 14.x):
File Restoration using QExtract (SEP 11 only):
Symantec has an unsupported tool called QExtract, located under Tools\NoSupport folder of the installation CD.
Please carefully review the QuarantineExtract.html file that comes with the tool on how to use it.
This utility can be used to restore files from multiple systems.
File Restoration using SEPQuarantineTool.exe (SEP 12.1 only):
Symantec has an unsupported tool called SEPQuarantineTool. This tool is attached to this knowledgebase article. Download the attached ZIP file and extract it before use.
Note: The password to the ZIP file is: symantec
To view instructions for using the utility, open the Command Prompt, navigate to the directory of SEPQuarantineTool.exe using the command cd (e.g., cd Desktop), and run the tool with the /? switch. Example: SEPQuarantineTool.exe /?
File Restoration using SEPM (SEP 12.1 RU3 and later only) and manually excluding the file via an "Allow Application" exception:
File Restoration using SEP (SEP 12.1 RU3 and later only) and the automatic repair and restore files in Quarantine functionality:
Note: If the detection is not a Security Risk which default Auto-Protect first action is Quarantine risk. It may be necessary to change the Auto-Protect first action for Malware or Virus to Quarantine risk instead of Clean Risk which is default. The Auto-Protect actions are configurable in the Virus and Spyware Protection policy Auto-Protect section under the Actions tab.