Best Practices for responding to "Left Alone" in the virus or threat history log

Article:TECH101661  |  Created: 2006-01-13  |  Updated: 2013-11-05  |  Article URL http://www.symantec.com/docs/TECH101661
Article Type
Technical Solution

Product(s)

Issue

When Symantec AntiVirus (SAV) or Symantec Endpoint Protection (SEP) locates a risk, the result or "Action" taken is recorded in the risk history and displayed as "Left Alone".


Solution

1.    Limited permissions: If Auto-Protect does not have the appropriate permissions to take action on the file attempting to execute, Symantec AntiVirus will show the status "Left Alone". In most cases you should also notice that the file was denied execution. This means that while Auto-Protect is unable to Quarantine or Delete the file, it is still able to stop the file from executing.

2.    Existing Risk: Once a risk has launched and potentially infected the system, the risk's file is locked by the Windows operating system because its process is running. Therefore, Auto-Protect is unable to take action against the file while it is in use.

If you are using Symantec AntiVirus 10 or SEP 11.x, you may see a "Left Alone" action followed by a second message showing that the file or files were Quarantined or Deleted. This is due to the Side Effects Engine, which is new to Symantec AntiVirus 10. The Side Effects Engine can suspend the running process, which allows Symantec AntiVirus to take action on the infected file. (NOTE: In some cases this requires a reboot, and Symantec AntiVirus will display "Restart required" in the action dialog box.)

In versions prior to 10.x, update the virus definitions, restart the system in Safe Mode and perform a manual scan. In many cases this will ensure the risk is no longer active, which will allow Symantec AntiVirus to take the appropriate action.

3.    Action set to Leave Alone (Log Only): Should you choose to set the action to "Leave Alone (Log Only)", Symantec AntiVirus will take different actions depending upon your advanced options settings. Please refer to the following document for further information:

Title: 'How the "Leave Alone" Action works in Symantec AntiVirus'

4.    File does not exist: If Symantec AntiVirus detects a malicious file attempting to write to the drive, it may deny that write. A marker is temporarily placed in the Temp directory, but no file actually exists. You can verify this by reviewing the location of the detection and checking for the presence of the detected file.

5.    DefWatch Scanning: When Symantec AntiVirus updates the virus definitions, a "DefWatch" scan runs automatically to determine whether anything that has already been quarantined can be repaired with the new definitions. In Symantec AntiVirus 9.x and earlier only the quarantined items are scanned. Therefore, any entry with scan type "DefWatch" and action "Left Alone" can be disregarded.

However, in Symantec AntiVirus 10.x and SEP 11.x a new feature called "Quickscan" also runs once the quarantine scan has completed. Therefore, when running Symantec AntiVirus 10 or SEP 11.x it is possible to see a risk outside of Quarantine "Left Alone" by DefWatch. In this case, look for a second action of Deleted or Quarantined once the Side Effects Engine suspends the process and attempts to take action.
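As an added example that is not part of the article and not Symantec code, the helper below applies the five cases above to risk-history entries so that "Left Alone" rows can be sorted into "disregard", "already resolved" and "needs follow-up". The RiskEvent layout is an assumed, simplified view of a log entry (not the product's real log format), and the sample entries and on-disk file set are constructed.

```python
# Added triage helper; RiskEvent is a constructed view of a log entry, not Symantec's format.
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass
class RiskEvent:
    seq: int        # position in the risk history (earlier = smaller)
    path: str       # file the detection refers to
    action: str     # "Left Alone", "Quarantined", "Deleted", "Restart required"
    scan_type: str  # "Auto-Protect", "DefWatch", "Manual"
    version: str    # product version, e.g. "9.0", "10.1", "11.0"

def later_resolution(events: List[RiskEvent], ev: RiskEvent) -> Optional[str]:
    """First later action on the same file that is not 'Left Alone', if any."""
    for other in sorted(events, key=lambda e: e.seq):
        if (other.seq > ev.seq and other.path.lower() == ev.path.lower()
                and other.action != "Left Alone"):
            return other.action
    return None

def triage_left_alone(events: List[RiskEvent],
                      file_exists: Callable[[str], bool] = os.path.exists) -> Dict[int, str]:
    """Map each 'Left Alone' entry to the case in the article it most likely matches."""
    verdicts: Dict[int, str] = {}
    for ev in events:
        if ev.action != "Left Alone":
            continue
        major = int(ev.version.split(".")[0])
        follow_up = later_resolution(events, ev)
        if ev.scan_type == "DefWatch" and major <= 9:
            verdicts[ev.seq] = "disregard: DefWatch on 9.x scans Quarantine only (case 5)"
        elif follow_up is not None:
            verdicts[ev.seq] = f"resolved: later action '{follow_up}' on the same file (case 2/5)"
        elif not file_exists(ev.path):
            verdicts[ev.seq] = "no file on disk: write denied, temp marker only (case 4)"
        else:
            verdicts[ev.seq] = "follow up: file present, check permissions or running process (case 1/2)"
    return verdicts

def sample_triage() -> Dict[int, str]:
    """Run the triage over constructed sample entries (no real system state is read)."""
    events = [
        RiskEvent(1, r"C:\Temp\dropper.exe", "Left Alone", "Auto-Protect", "10.1"),
        RiskEvent(2, r"C:\Temp\dropper.exe", "Quarantined", "Auto-Protect", "10.1"),
        RiskEvent(3, r"C:\Temp\~marker.tmp", "Left Alone", "Auto-Protect", "10.1"),
        RiskEvent(4, r"C:\Windows\sample.dll", "Left Alone", "DefWatch", "9.0"),
        RiskEvent(5, r"C:\Users\u\worm.exe", "Left Alone", "Auto-Protect", "11.0"),
    ]
    on_disk = {r"C:\Temp\dropper.exe", r"C:\Users\u\worm.exe"}  # constructed file set
    return triage_left_alone(events, file_exists=lambda p: p in on_disk)
```

Only entries whose verdict starts with "follow up" still need a hands-on check (permissions, a running process, or a Safe Mode scan on versions before 10.x).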

Legacy ID

2006011308151248