We are just starting to implement SEP 14. I'm looking for a best practice procedure for getting quarantined files off clients to transfer to a VM/Lab environment for analysis. From what I've read and seen so far, SEP 14 writes the files in an encrypted format in a directory on the local client. The client interface has a way for the file to be restored. The SEPM console does not appear to allow this same functionality. So the incident responder either needs to go to the machine itself to restore the file and move it to another machine, or connect to the c$ share remotely, copy the file off, and then use another tool to decrypt it for analysis. Any advice on the best way to do this would be appreciated. Thanks.