Remediating risks on the computers in your network

Article:HOWTO80936  |  Created: 2012-10-24  |  Updated: 2014-09-21  |  Article URL
Article Type
How To


Remediating risks on the computers in your network

You remediate risks as part of handling virus and spyware attacks on your computers.

You use the Reports and Monitors features in the console to determine what computers are infected and to view the results of remediation.

Table: Remediating risks on client computers




Step 1

Identify infected and at-risk computers

You can get information about infected and at-risk computers from Symantec Endpoint Protection Manager. On the Home page, check the Newly Infected and the Still Infected counts in the Virus and Risks Activity Summary. The Newly Infected count is a subset of the Still Infected count. The Newly Infected count shows the number of infected and at-risk computers during the time interval that you specify in the summary.


Unremediated SONAR detections are not counted as Still Infected. They are part of the Suspicious count in the summary.

Computers are considered still infected if a subsequent scan detects them as infected. For example, a scheduled scan might partially clean a file. Auto-Protect subsequently detects the file as a risk.

Files that are considered "still infected" are rescanned when new definitions arrive or as soon as the client computer is idle.

See Identifying the infected and at-risk computers

Step 2

Update definitions and rescan

You should make sure that clients use the latest definitions.

For the clients that run on Windows computers, you should also make sure that your scheduled and on-demand scans use the Insight Lookup feature.

You can check the definitions date in the Infected and At Risk Computers report. You can run the Update Content and Scan command from the Risk log.

When the Virus and Risks Activity Summary on the Home page shows the Still Infected and the Newly Infected counts are zero, then all risks are eliminated.

See Managing content updates.

Step 3

Check scan actions and rescan

Scans might be configured to leave the risk alone. You might want to edit the Virus and Spyware Protection policy and change the action for the risk category. The next time the scan runs, Symantec Endpoint Protection applies the new action.

You set the action on the Actions tab for the particular scan type (administrator-defined or on-demand scan, or Auto-Protect). You can also change the detection action for Download Insight and SONAR.

See Checking the scan action and rescanning the identified computers.

Step 4

Restart computers if necessary to complete remediation

Computers may still be at risk or infected because they need to be restarted to finish the remediation of a virus or security risk.

You can view the Risk log to determine if any computers require a restart.

You can run a command from the logs to restart computers.

See Running commands from the computer status log.

Step 5

Investigate and clean remaining risks

If any risks remain, you should investigate them further.

You can check the Symantec Security Response webpage for up-to-date information about viruses and security risks.

On the client computer, you can also access the Security Response website from the scan results dialog box.

You can also run Power Eraser from Symantec Endpoint Protection Manager to analyze and remediate difficult, persistent threats. Power Eraser is an aggressive analysis that you should run on one computer or a small number of computers only when the computers are unstable or heavily infected.

See What you should know before you run Power Eraser from the Symantec Endpoint Protection Manager console.

Symantec Technical Support also offers a Threat Expert tool that quickly provides detailed analysis of threats. You can also run a load point analysis tool that can help you troubleshoot problems. You run these tools directly on the client computer.

See Troubleshooting computer issues with the Symantec Help support tool

Step 6

Check the Computer Status log

View the Computer Status log to make sure that risks are remediated or removed from client computers.

See Viewing logs.

For more information about handling viruses and outbreaks on a network, see the knowledge base article, Best practices for troubleshooting viruses on a network.

See Preventing and handling virus and spyware attacks on client computers

See Monitoring endpoint protection.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices