Cleaning an infected system which lacks a functioning Symantec Endpoint Protection client
Article: TECH105518 | Created: 2008-01-31 | Updated: 2014-09-03 | Article URL: http://www.symantec.com/docs/TECH105518
On a computer infected with a threat, there is no installed Symantec Endpoint Protection (SEP) client. Alternatively, the installed client has been damaged and the threat needs to be removed to allow the computer to return safely to the network and normal usage. What tips are available to clean the computer?
If installed, the AntiVirus program fails to start, generates errors, completes its scan too quickly for the size of the drive, or otherwise finds no issue with the computer.
A threat specifically targeting AntiVirus applications may be preventing fully functional scans.
Running the SymHelp diagnostic tool with Threat Analysis Scan (TAS) will enable users to identify and remove malicious files. (This capability was referred to as Power Eraser in earlier releases of the tool.) No SEP client needs to be installed for this tool to function. For additional details, please see How to run the Threat Analysis Scan in Symantec Help (SymHelp).
Another option is to use the Symantec Endpoint Recovery Tool (SERT) LiveCD. See How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions.
There are two additional methods of removing malicious code from the drive, if the above are unsuccessful:
- Physically moving the hard drive to another system
- Mapping the drive and scanning across an isolated network connection
Physically moving the hard drive to another system
NOTE: If the drive in question is in a laptop, is in a RAID array or is otherwise unable to be removed from the computer hosting it, please follow the steps below labeled "Mapping the drive and scanning across an isolated network connection."
When performing this task, you will need to have available a known-clean computer with SEP installed and the latest Certified or Rapid Release virus definitions. The computer will also need a drive bay with all necessary power and controller cables to hold the hard drive. This system must also be isolated from your network entirely to avoid the potential for spreading the threat.
- Remove the hard drive from the system with the threat and install it in the clean system as a slave (secondary) drive. (Please consult your hard drive and/or motherboard/drive controller card documentation for the proper steps to accomplish this.)
- Boot the system and launch SEP and perform a full scan of the drive to remove any threats that are found.
- Once the drive has been verified as clean, you may return it to the original computer and attach that machine to the network.
Information on obtaining the current Certified and Rapid Release virus definitions can be found in the KB article How to Update Definitions for Symantec Endpoint Protection using the Intelligent Updater.
Mapping the drive and scanning across an isolated network connection
NOTE: Use this method if you are unable to physically move the hard drive from the infected computer to a known, clean, isolated computer with SEP installed with current virus definitions.
When performing this task, you will need to have available a known-clean computer with SEP installed and the latest Certified virus definitions or the latest Rapid Release virus definitions. This system must also be isolated from your network to avoid the potential for spreading the threat. The two systems should only be attached via a switch, dumb hub, or crossover cable. There should be no unnecessary external devices attached via USB or other means. Also ensure that the two systems are truly isolated from your production network. If present, any wireless NIC should also be disabled on both systems via the Device Manager.
- Map to the C:\ partition of the infected computer from the clean system running the current revision of SEP.
- On the clean system, scan the mapped drive by clicking on the mapped volume in Network Neighborhood and selecting "Scan for Viruses..."
- When scanning, SEP will detect, quarantine or delete all threats found.
- When the mapped drive is verified as clean, you may restore the default sharing on the computer that was scanned and return it to the network.
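The preparation steps above (disable wireless adapters, confirm isolation, map the infected computer's C:\ partition), as an added PowerShell example that is not part of the original Symantec article; it assumes Windows 8 / Server 2012 or later NetAdapter cmdlets on the clean system and a hypothetical infected host name INFECTED-PC, and leaves the scan itself to the SEP client as the article describes.

```powershell
# Added example (not from the Symantec article): prepare the CLEAN system for
# the "map and scan across an isolated network" procedure. Run as administrator.
# Assumes Windows 8 / Server 2012 or later (NetAdapter / NetTCPIP modules).

$InfectedHost = 'INFECTED-PC'   # hypothetical name of the infected computer
$DriveLetter  = 'X'             # local letter for the mapped C:\ partition

# 1. Disable wireless and WWAN adapters so the only path is the cable or hub.
Get-NetAdapter | Where-Object {
    $_.PhysicalMediaType -match '802\.11|Wireless WAN'
} | Disable-NetAdapter -Confirm:$false

# 2. Verify isolation: exactly one adapter is up, and there is no default
#    gateway (a default route means the box can still reach production).
$up = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($up.Count -ne 1) {
    throw "Expected one active adapter, found $($up.Count): $($up.Name -join ', ')"
}
$gw = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($gw) {
    throw "Default gateway present ($($gw.NextHop -join ', ')); system is not isolated"
}

# 3. Map the infected computer's administrative share for C:\ as a local drive.
#    Prompts for the local administrator credentials of the infected system.
$cred = Get-Credential -Message "Local administrator on $InfectedHost"
New-PSDrive -Name $DriveLetter -PSProvider FileSystem `
    -Root "\\$InfectedHost\C$" -Credential $cred -Persist -ErrorAction Stop | Out-Null

# Sanity check that the share really is a Windows system partition.
if (-not (Test-Path "${DriveLetter}:\Windows")) {
    throw "Mapped drive does not look like a Windows system partition"
}
Write-Host "Mapped \\$InfectedHost\C$ as ${DriveLetter}: - now run the SEP scan on it."

# 4. Never execute anything from the mapped drive; only read it for scanning.
#    After the scan completes, detach it with: Remove-PSDrive -Name $DriveLetter
```

Disabling the adapters and checking for a default route covers the "truly isolated" requirement in the text; the scan is then started from the SEP client on the mapped volume exactly as in the steps above.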
If the infected computer is still operable when cleaned, remove the damaged version of the SEP client and perform a clean reinstall.
To obtain information on the current Certified and Rapid Release virus definitions, see the KB article How to Update Definitions for Symantec Endpoint Protection using the Intelligent Updater.