What to do when Symantec AntiVirus Corporate Edition or Norton AntiVirus Corporate Edition detects a virus

Article:TECH100218  |  Created: 2003-01-03  |  Updated: 2005-01-01  |  Article URL http://www.symantec.com/docs/TECH100218
Article Type
Technical Solution


Issue



You want to know how to respond when Symantec AntiVirus Corporate Edition or Norton AntiVirus Corporate Edition detects a virus.


Solution



How you respond depends on the type of virus found, the action taken by the antivirus software, and the type of scan that detected the virus. You can verify this information in the Virus History or Threat History, depending on the program version.

To view the Virus History or Threat History on a client computer
  1. Start Symantec AntiVirus or Norton AntiVirus.
  2. Click Histories, and then click Virus History or Threat History.
  3. Click the entry that you want to examine.
  4. Use the horizontal scroll bar to view the Virus Name, Action Taken, and Scan Type columns.

To view the Virus History or Threat History from the Symantec System Center Console
  1. Start the Symantec System Center, and unlock the server group.
  2. Right-click the server group to view information for all machines in the server group, or right-click a client to view information for that client.
    You can only view information from a specific client if that computer is currently communicating with the Symantec System Center.
  3. Click All Tasks > Symantec AntiVirus > Logs, and then click Virus History or Threat History.
  4. In the Virus History or Threat History window, use the horizontal scroll bar to view the Virus Name, Action Taken, and Scan Type columns.


    Note: It may be helpful to resize the window for easier viewing.

Examine the Action Taken
  • If the Action Taken is Repaired, Quarantined, or Deleted, the virus has been successfully eliminated from your system. Examine the Scan Type to determine whether follow-up action is needed.
  • If the Action Taken is Left Alone, and the infected file is not in Quarantine, then the computer is probably already infected and the virus is loading into memory when Windows starts. To resolve this, restart the computer in Safe mode and run a full system scan. If you are using Windows NT, perform a clean boot, and run a full system scan. Read the appropriate document for instructions:
    • How to start the computer in Safe mode
    • How to perform a clean boot of Windows NT
  • If the Action Taken is Left Alone and the infected file is in Quarantine, then the file was already in Quarantine and was rescanned when new virus definitions arrived. If you are using Symantec AV 8.0, you can verify whether the file is currently in Quarantine by examining the Current Location column. Norton AntiVirus Corporate Edition 7.x will incorrectly report the location of a quarantined file as identical to its Original Location.

To prevent recurring detections on quarantined files in the future
  1. Start the Symantec System Center.
  2. Unlock the server group.
  3. Right-click the server group, and then click All Tasks > Norton AntiVirus or Symantec AntiVirus > Quarantine Options.
  4. Under "When new virus definitions arrive," check Do Nothing.

For more information about recurring Left Alone events, read the document "Symantec AntiVirus Corporate Edition reports that an infected file was 'Left Alone.'"

Examine the Scan Type
  • If the Scan Type is Realtime Scan, in most cases, this means that the virus was caught as it tried to enter the computer.
  • If the Scan Type is Manual Scan, this means that one of three scenarios applies:
    • The virus was caught during a scheduled or user-initiated scan of the drive.
    • The virus was rescanned in Quarantine when new virus definitions were downloaded.
    • The virus was an email attachment that was scanned by the Exchange or Notes plug-in.
  • If the Scan Type is Defwatch Scan, this means that the virus was rescanned in Quarantine when new virus definitions were downloaded.
  • If the Scan Type is Manual Scan and the file was not already in Quarantine, it is possible that the virus made changes to your local registry, to your startup files, or to both. To ensure complete removal of the virus, use our online Virus Encyclopedia to search for the Virus Name and follow the manual removal instructions for the virus.
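
The Action Taken and Scan Type rules above can be combined into one triage pass over history entries. The following Python sketch is an added example, not Symantec code: the status codes, the `already_in_quarantine` and `windows_nt` parameters, and the sample rows are assumptions made for illustration, and `already_in_quarantine` is left as `None` when the location cannot be trusted (as on Norton AntiVirus Corporate Edition 7.x).

```python
from collections import Counter

ELIMINATED = {"Repaired", "Quarantined", "Deleted"}

def triage(action, scan_type, already_in_quarantine=None, windows_nt=False):
    """Classify one history entry and return (code, next_step).

    already_in_quarantine: True/False once confirmed, or None when unknown,
    e.g. on NAV CE 7.x, where the reported location cannot be trusted.
    The codes and wording are hypothetical labels for this example.
    """
    # A Defwatch Scan only rescans Quarantine, so it settles the location.
    if scan_type == "Defwatch Scan":
        already_in_quarantine = True
    if action not in ELIMINATED and action != "Left Alone":
        return "UNKNOWN", "review the entry manually"
    if already_in_quarantine:
        return "QUARANTINE_RESCAN", "optional: set Quarantine Options to Do Nothing"
    if action == "Left Alone":
        if already_in_quarantine is None:
            return "VERIFY_QUARANTINE", "check Quarantine for the file, then triage again"
        boot = "perform a clean boot" if windows_nt else "restart in Safe mode"
        return "ACTIVE_INFECTION_LIKELY", f"{boot}, then run a full system scan"
    if scan_type == "Manual Scan":
        return "CHECK_MANUAL_REMOVAL", "follow the Virus Encyclopedia removal steps"
    if scan_type == "Realtime Scan":
        return "CAUGHT_ON_ENTRY", "none"
    return "UNKNOWN", "review the entry manually"

# Constructed sample rows:
# (Virus Name, Action Taken, Scan Type, already_in_quarantine, windows_nt)
SAMPLE_ROWS = [
    ("Sample.Virus.A", "Quarantined", "Realtime Scan", False, False),
    ("Sample.Virus.B", "Left Alone", "Defwatch Scan", None, False),
    ("Sample.Virus.C", "Left Alone", "Realtime Scan", False, True),
    ("Sample.Virus.D", "Repaired", "Manual Scan", None, False),
    ("Sample.Virus.E", "Left Alone", "Manual Scan", None, False),
]

def summarize(rows):
    """Count triage codes across rows so the urgent ones stand out."""
    return Counter(triage(a, s, q, nt)[0] for _, a, s, q, nt in rows)

if __name__ == "__main__":
    for name, a, s, q, nt in SAMPLE_ROWS:
        print(name, *triage(a, s, q, nt), sep=" | ")
    print(dict(summarize(SAMPLE_ROWS)))
```

Entries that come back as `ACTIVE_INFECTION_LIKELY` or `VERIFY_QUARANTINE` are the ones to handle first; a Left Alone entry with a Defwatch Scan type resolves to a Quarantine rescan even when the location column is unreliable.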






Legacy ID



2003020310410148

