Best Practices for responding to "Left Alone" in the virus or threat history log
|Article:TECH101661|||||Created: 2006-01-13|||||Updated: 2011-05-20|||||Article URL http://www.symantec.com/docs/TECH101661|
When Symantec AntiVirus (SAV) or Symantec Endpoint Protection (SEP) locates a risk, the result or "Action" taken is recorded in the risk history and displayed as "Left Alone".
1. Limited permissions: If Auto-Protect does not have the appropriate permissions to take action on the file attempting to execute, Symantec AntiVirus will show the status of left alone. In most cases you should also notice the file execution was denied access. This means while Auto-Protect is unable to Quarantine or Delete the file, it is still able to stop the file from executing.
2. Existing Risk: Once a risk has launched and potentially infected the system, the risk’s file is protected by the Windows Operating System due to the running process. Therefore, Auto-Protect will be unable to take action against the file while it is in use.
If you are using Symantec AntiVirus 10 or SEP 11.x, you may see a “Left Alone” action followed by a second message that shows the file/files were Quarantined or Deleted. This is due to the Side Effects Engine new to Symantec AntiVirus 10. The Side Effects engine has the ability to suspend the process which will allow Symantec AntiVirus to take action on the infected file. (NOTE: In some cases this requires a reboot and Symantec AntiVirus will display “Restart required” in the action dialog box)
In version prior to 10.x update the virus definitions, restart the system in Safe Mode and perform a manual scan. In many cases this will ensure the risk is no longer active, which will allow Symantec AntiVirus to take the appropriate action.
3. Action set to Leave Alone (Log Only): Should you choose to set the action to “Leave Along (Log Only)” Symantec AntiVirus will take different actions depending upon your advanced options setting. Please refer to the following document for further information:
4. File does not exist: If Symantec AntiVirus detects a malicious file attempting to write to the drive, it may deny the file access. A marker will be temporarily placed in the Temp directory, but no file actually exists. This can be verified by reviewing the location of the detection and checking for the presence of the detected file.
5. Defwatch Scanning: When Symantec AntiVirus updates the virus definitions a "DefWatch" scan is automatically run to determine if anything that has already been quarantined can be repaired with the new definitions. In Symantec AntiVirus 9.x and below only the quarantined items are scanned. Therefore, any scan of scan type "DefWatch" with the action “Left Alone” can be disregarded.
Additional Information on Defwatch Scans:
Title: 'Virus alert reports that an infected file was "Left Alone"'
Additional Information on Quick Scan (Symantec Antivirus 10.x only)
Title: 'About the Quick Scan feature in Symantec AntiVirus Corporate Edition 10.0'
Article URL http://www.symantec.com/docs/TECH101661