Remediating risks on the computers in your network
Article: HOWTO80936 | Created: 2012-10-24 | Updated: 2014-09-21 | Article URL: http://www.symantec.com/docs/HOWTO80936
You use the Reports and Monitors features in the console to determine which computers are infected and to view the results of remediation.
Table: Remediating risks on client computers
Identify infected and at-risk computers
You can get information about infected and at-risk computers from Symantec Endpoint Protection Manager. On the Home page, check the Newly Infected and the Still Infected counts in the Virus and Risks Activity Summary. The Newly Infected count is a subset of the Still Infected count. The Newly Infected count shows the number of infected and at-risk computers during the time interval that you specify in the summary.
Computers are considered still infected if a subsequent scan detects them as infected. For example, a scheduled scan might partially clean a file. Auto-Protect subsequently detects the file as a risk.
Files that are considered "still infected" are rescanned when new definitions arrive or as soon as the client computer is idle.
Update definitions and rescan
You should make sure that clients use the latest definitions.
For the clients that run on Windows computers, you should also make sure that your scheduled and on-demand scans use the Insight Lookup feature.
You can check the definitions date in the Infected and At Risk Computers report. You can run the Update Content and Scan command from the Risk log.
When the Virus and Risks Activity Summary on the Home page shows that the Still Infected and the Newly Infected counts are both zero, all risks are eliminated.
Check scan actions and rescan
Scans might be configured to leave the risk alone. You might want to edit the Virus and Spyware Protection policy and change the action for the risk category. The next time the scan runs, Symantec Endpoint Protection applies the new action.
You set the action on the Actions tab for the particular scan type (administrator-defined or on-demand scan, or Auto-Protect). You can also change the detection action for Download Insight and SONAR.
Restart computers if necessary to complete remediation
Computers may still be at risk or infected because they need to be restarted to finish the remediation of a virus or security risk.
You can view the Risk log to determine if any computers require a restart.
You can run a command from the logs to restart computers.
Investigate and clean remaining risks
If any risks remain, you should investigate them further.
On the client computer, you can also access the Security Response website from the scan results dialog box.
You can also run Power Eraser from Symantec Endpoint Protection Manager to analyze and remediate difficult, persistent threats. Power Eraser performs an aggressive analysis. Run it on one computer or a small number of computers, and only when those computers are unstable or heavily infected.
Symantec Technical Support also offers a Threat Expert tool that quickly provides detailed analysis of threats. You can also run a load point analysis tool that can help you troubleshoot problems. You run these tools directly on the client computer.
Check the Computer Status log
View the Computer Status log to make sure that risks are remediated or removed from client computers.
See Viewing logs.
For more information about handling viruses and outbreaks on a network, see the knowledge base article, Best practices for troubleshooting viruses on a network.