Cleaning an infected system with no or a damaged install of Symantec Endpoint Protection/Symantec AntiVirus

Article:TECH105518  |  Created: 2008-01-31  |  Updated: 2009-01-13  |  Article URL http://www.symantec.com/docs/TECH105518
Article Type
Technical Solution


Environment

Issue



On a computer infected with a threat, there is no installed Symantec Endpoint Protection/Symantec AntiVirus (SEP/SAV) AntiVirus client, or the installed AntiVirus client has been damaged, and the threat needs to be removed so that the computer can be returned safely to the network and normal usage.

Symptoms
If installed, the AntiVirus program fails to start, completes its scan too quickly for the size of the drive, or otherwise finds no issue with the computer.



Cause



A threat specifically targeting AntiVirus applications may be preventing fully functional scans.

Solution



In these circumstances there are two methods of removing malicious code from the drive:
  • Physically moving the hard drive to another system
  • Mapping the drive and scanning across an isolated network connection

Physically moving the hard drive to another system

NOTE: If the drive in question is in a laptop, is in a RAID array or is otherwise unable to be removed from the computer hosting it, please follow the steps below labeled "Mapping the drive and scanning across an isolated network connection."

When performing this task, you will need to have available a known, clean computer with SEP/SAV installed with the latest Certified virus definitions or the latest Rapid Release virus definitions, and a drive bay to hold the drive with all necessary power and controller cables. This system must also be isolated from your network entirely to avoid the potential for spreading the threat.
  1. Remove the hard drive from the system with the threat and install it to the clean system as a slave drive (Please consult your hard drive and/or motherboard/drive controller card documentation for proper steps to accomplish this).
  2. Boot the system and launch SEP/SAV and perform a full scan of the drive to remove any threats that are found.
  3. Once the drive has been verified as clean, you may return it to the original computer and attach that machine to the network.

Information on obtaining the current Certified and Rapid Release virus definitions can be found in the KB article How to update definitions for Symantec Endpoint Protection 11.0 using the Intelligent Updater.

Mapping the drive and scanning across an isolated network connection

NOTE: Use this method if you are unable to physically move the hard drive from the infected computer to a known, clean, isolated computer with SEP/SAV installed with current virus definitions.

When performing this task, you will need to have available a known, clean computer with SEP/SAV installed with the latest Certified virus definitions or the latest Rapid Release virus definitions. This system must also be isolated from your network to avoid the potential for spreading the threat. The two systems should only be attached via a switch, dumb hub, or crossover cable. There should be no unnecessary external devices attached via USB or other means. Also ensure that the two systems are truly isolated from your production network. If available, any wireless NIC should also be disabled on both systems via the Device Manager.
  1. Map to the C:\ partition of the infected computer from the clean system running the current revision of SEP/SAV.
  2. On the clean system, scan the mapped drive by clicking on the mapped volume in Network Neighborhood and selecting "Scan for Viruses..."
  3. When scanning, SEP/SAV will detect, quarantine or delete all threats found.
  4. When the mapped drive is verified as clean, you may restore the default sharing on the computer that was scanned and return it to the network.
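The following PowerShell script is an added example, not Symantec's code or part of this article: it automates the isolation checks the procedure above asks for on the clean scanning host (wireless disabled, a single active adapter, no route off the isolated link), maps the infected computer's C$ share, and records a file and byte inventory of the mapped volume. That inventory gives you a number to compare against the scanner's "files scanned" figure, which is the practical way to catch the symptom described above (a scan that finishes too quickly for the size of the drive). It assumes the NetAdapter and NetTCPIP cmdlets (Windows 8 / Server 2012 or later, newer than the systems this article was written for), that the infected computer's address on the isolated link is the placeholder in $InfectedHost, and that its administrative share is reachable with local administrator credentials.

```powershell
# Added example (not Symantec's code): prepare the known-clean scanning host,
# map the infected computer's system partition, and record a file/byte
# inventory so the scan's reported coverage can be sanity-checked.
# Assumptions: NetAdapter/NetTCPIP modules present (Windows 8 / Server 2012+);
# the infected computer is reachable on the isolated link as $InfectedHost
# (placeholder address) and exposes its C$ administrative share.
param(
    [string]$InfectedHost = '192.168.255.2',   # placeholder: address on the isolated link
    [string]$DriveLetter  = 'X'
)

function Assert-IsolatedNetwork {
    # The article requires wireless disabled and no path to the production
    # network; stop before mapping anything if either condition is not met.
    $wireless = Get-NetAdapter |
        Where-Object { $_.PhysicalMediaType -eq 'Native 802.11' -and $_.Status -ne 'Disabled' }
    foreach ($nic in $wireless) {
        Write-Host "Disabling wireless adapter: $($nic.Name)"
        Disable-NetAdapter -Name $nic.Name -Confirm:$false
    }
    $up = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
    if ($up.Count -ne 1) {
        throw "Expected exactly one active adapter (the isolated link), found $($up.Count)."
    }
    # A default gateway means there is a route off the isolated segment.
    $cfg = Get-NetIPConfiguration -InterfaceIndex $up[0].ifIndex
    if ($cfg.IPv4DefaultGateway) {
        throw "Adapter $($up[0].Name) has a default gateway; this host is not isolated."
    }
}

function Mount-InfectedVolume {
    # Map the infected computer's system partition (step 1 of the procedure).
    $cred = Get-Credential -Message "Local administrator on $InfectedHost"
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem `
        -Root "\\$InfectedHost\C$" -Credential $cred -ErrorAction Stop | Out-Null
    return "${DriveLetter}:\"
}

function Get-VolumeInventory {
    param([string]$Root)
    # Count every file, including hidden and system files, so the total can be
    # compared with the file count the scanner reports afterwards. A scan that
    # reports far fewer files than this did not cover the drive.
    $files = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue
    $sum = $files | Measure-Object -Property Length -Sum
    [pscustomobject]@{
        Root      = $Root
        FileCount = $sum.Count
        Bytes     = $sum.Sum
        Taken     = Get-Date
    }
}

Assert-IsolatedNetwork
$root = Mount-InfectedVolume
$inventory = Get-VolumeInventory -Root $root
$inventory | Format-List
# Now run the SEP/SAV scan on $root (right-click the mapped volume and choose
# "Scan for Viruses...", as in step 2) and compare the scanner's files-scanned
# figure with $inventory.FileCount before treating the drive as clean.
```

Run the script on the clean host after the two systems are cabled together but before the scan. If it throws on the adapter or gateway check, fix the isolation first; if the scanner's reported file count falls well short of the inventory's FileCount, treat the scan as incomplete rather than as a clean result.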

If the infected computer is still operable when cleaned, remove the damaged version of the SAV or SEP client and perform a clean reinstall.

To obtain information on the current Certified and Rapid Release virus definitions, see the KB article How to update definitions for Symantec Endpoint Protection 11.0 using the Intelligent Updater.





Legacy ID



2008073110031748

