Explanation of Action field values in Symantec Endpoint Protection 12.1 and 11, and Symantec AntiVirus 10.1

Article:TECH102052  |  Created: 2006-01-20  |  Updated: 2012-11-27  |  Article URL http://www.symantec.com/docs/TECH102052
Article Type: Technical Solution


You view information about a virus detection or a risk detection and you need to know what the entry in the "Action" field means.


The following table describes the different values that can appear in the Action field in Symantec Endpoint Protection and Symantec AntiVirus 10.1.

| Action | Description |
| --- | --- |
| Quarantined | Symantec Endpoint Protection quarantined a file. |
| Deleted | Symantec Endpoint Protection deleted an object, such as a file or registry key, to remove a risk. |
| Backed Up | Symantec Endpoint Protection placed an item into quarantine before a repair attempt. |
| Left Alone | Symantec Endpoint Protection detected a risk but did not take action. This can occur if the first configured action is Leave alone, or if the second configured action was Leave alone and the first configured action was not successful. This may mean that a risk is active on the endpoint. |
| Cleaned | Specifies the events where the software cleaned a virus from the computer. |
| Cleaned (or Macro Deleted) | Specifies the events where a macro virus was cleaned from a file, either by deletion or by some other means. This action applies only to the events that have been received from the computers that run Symantec Endpoint Protection 8.x or earlier versions. |
| Undone | The action taken on the specified risk was undone at the user's request. |
| Bad | Symantec Endpoint Protection could not take action on a file because the file is write-protected or because the SYSTEM account lacks write permissions to the file. |
| Pending Repair | Specifies the events where a user still needs to take action to complete the remediation of a risk on a computer. For example, this action may occur if a user hasn't responded to a prompt to terminate a process. |
| Partially Repaired | Specifies the events where Symantec Endpoint Protection cannot completely repair the effects of a virus or security risk. |
| Process Termination pending restart | Specifies the events where a computer needs to be restarted to terminate a process to mitigate a risk. |
| Excluded | Specifies the events where users chose to exclude a security risk from detection. |
| Restart processing | The user must restart the computer so that Symantec Endpoint Protection can complete the configured action. |
| Cleaned by Deletion | Specifies the events where the configured action was Clean, but a file was deleted because that was the only way it could be cleaned. For example, this action is generally needed for Trojan horse programs. |
| Access Denied | Specifies the events where Auto-Protect prevented a file from being created. |
| Process Terminated | Specifies the events where a process had to be terminated on a computer to mitigate a risk. |
| No repair available | Specifies the events where a risk was detected but no repair is available for the side effects of this risk. |
| All actions failed | Specifies the events where both the primary action and the secondary action that were configured for the risk cannot be carried out. These risks are still present on the computer. |
| Suspicious | Specifies the events where a TruScan Proactive Threat Scan detected a potential risk but has not remediated it. Symantec Endpoint Protection did not remediate the risk either because it cannot or because you have configured it to only log detections. |
| Details Pending | The results of a detection have not been received or determined yet. After a detection, SAV/SEP collects data on what needs to be cleaned up. This process takes longer to complete, so while it is happening the “Details Pending” status is displayed. Review other log entries to see the updated status. |
| Detected using commercial application list | A process listed on the commercial application list (CAL) was detected, and an action was taken on it based on your configuration. Symantec dynamically updates the CAL with known keyloggers and remote application programs, and you can configure actions for them. |
| Forced detection using file name | Forced detections are detections made by TruScan using a file name. This was part of TruScan's “discovery mode”, which could gather additional file information based on instructions from the console. |
| Forced Detection using file hash | Forced detection of a file based on a file hash. This is a TruScan feature where an admin can configure the product to always log when a given file is detected running on a client machine, based on that file’s hash. |
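
The following Python example is added here and is not part of the Symantec article or product. It reads a constructed CSV export of risk events, keeps the latest Action per computer and file (as the Details Pending entry advises), and lists detections whose final Action the table describes as not fully remediated. The column names, sample rows and the follow-up grouping are assumptions of this example.

```python
import csv
import io

# Action values whose description in the table says the risk was not (fully)
# handled. This grouping is the example's reading of the table, not Symantec's.
NEEDS_FOLLOW_UP = {
    "left alone", "all actions failed", "suspicious", "bad",
    "partially repaired", "no repair available", "pending repair",
    "process termination pending restart", "restart processing",
}
# "Details Pending" is transient: a later log entry carries the real outcome.
TRANSIENT = {"details pending"}

# Constructed sample export; the column names are assumptions.
SAMPLE_CSV = """time,computer,risk,file,action
2012-11-27 09:00:01,WS-014,Trojan.Example,C:\\Temp\\a.exe,Details Pending
2012-11-27 09:00:09,WS-014,Trojan.Example,C:\\Temp\\a.exe,Cleaned by Deletion
2012-11-27 09:02:30,WS-022,Adware.Example,C:\\Users\\u\\b.dll,Left Alone
2012-11-27 09:05:12,WS-031,Trojan.Example,C:\\Temp\\c.exe,Details Pending
2012-11-27 09:06:40,WS-040,W32.Example,C:\\d.exe,Quarantined
2012-11-27 09:07:02,WS-040,W32.Example,C:\\e.exe,All actions failed
"""


def triage(export_text):
    """Return {(computer, file): (status, last_action)} for unresolved detections."""
    rows = sorted(csv.DictReader(io.StringIO(export_text)), key=lambda r: r["time"])
    latest = {}
    for row in rows:
        # Rows are in time order, so the last Action seen per detection wins.
        latest[(row["computer"], row["file"])] = row["action"].strip()
    findings = {}
    for key, action in latest.items():
        if action.lower() in TRANSIENT:
            # No later entry replaced the placeholder status.
            findings[key] = ("no-final-status", action)
        elif action.lower() in NEEDS_FOLLOW_UP:
            findings[key] = ("follow-up", action)
    return findings


if __name__ == "__main__":
    for (computer, path), (status, action) in sorted(triage(SAMPLE_CSV).items()):
        print(f"{computer}\t{status}\t{action}\t{path}")
```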

