Clean infected computers using the Symantec Endpoint Recovery Tool
Article: TECH131732 | Created: 2010-01-15 | Updated: 2014-11-21 | Article URL: http://www.symantec.com/docs/TECH131732
This article describes how to clean a computer with a persistent threat infection using the Symantec Endpoint Recovery Tool (SERT).
About the Symantec Endpoint Recovery Tool
The Symantec Endpoint Recovery Tool (SERT) is a bootable CD that can scan and remove malware from an infected computer. Because SERT boots its own environment from the disc, the infected Windows installation, and any malware that runs inside it, is not active while the scan runs. SERT is useful when a computer is too heavily infected for the Symantec Endpoint Protection client installed on it to clean effectively. It is also needed against threats that hide completely from Windows, or that manipulate Windows into protecting the malicious process from Symantec Endpoint Protection's scanning and remediation components.
Symantec Technical Support can provide guidance on when it is recommended to use SERT.
To use the Symantec Endpoint Recovery Tool
- On a computer that is not infected and has a CD burner, go to FileConnect and download the SERT ISO file.
- Download the latest virus definition .jdb file from Symantec Security Response.
There are two types of virus definitions you can download: Daily Certified Definitions and Rapid Release Definitions. The links to both definitions are listed below.
- Daily Certified Definitions are standard virus definitions. They are the default set of definitions, which is distributed normally to clients. Certified definitions have been through the full QA process for false positives or other issues. http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep
- Rapid Release definitions contain newer, more up-to-date definitions than Daily Certified Definitions. They are generally recommended in cases of virus infections. Rapid Release definitions are typically used on a case-by-case basis and are not recommended for everyday use across the entire environment. Rapid Release definitions have not been tested as thoroughly as Daily Certified Definitions.
The preferred download location is ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence/ - from there, select the most recent sequence folder; if the .jdb file is not present, check the next most recent sequence folder.
The alternative location is http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr
- Using an unzipping utility, unzip the .jdb file into a new folder.
Note: It is possible to use the built-in Windows unzip utility to unzip the .jdb file. To do so, change the file extension on the .jdb file to .zip, right-click the file, and click "Extract All...".
- After the .jdb is uncompressed, place the folder on a removable storage device or at the root of the infected computer's hard drive so that the Symantec Endpoint Recovery Tool can access the definitions.
You may also modify the SERT ISO to use the new definitions directly: rename the unzipped folder to yyyymmdd.rrr (the date/revision of the definitions, found at the bottom of the text file catalog.dat, under [VerInfo], in the unzipped files). Use an ISO editor to open the SERT ISO, drop the new numbered folder into /sources/symantec_nbrt/virusdef, delete the old numbered folder, change definfo.dat and usage.dat accordingly, and save the ISO changes.
- Burn the SERT ISO onto a CD or DVD (a DVD will likely be required, given the increasing size of virus definition updates).
- Confirm that the infected computer boots from CD or removable media first.
Refer to the computer's manual for information on configuring the computer appropriately.
- Boot the infected computer from the SERT disc you burned.
- Click Continue loading Endpoint Recovery Tool
- Select a language and click OK.
- When presented with the Symantec Software License Agreement, click I Agree.
NOTE: Symantec customers with a valid support contract may contact Technical Support for the necessary PIN.
- If you did not already modify the SERT ISO to use the latest definitions directly: if a network connection is detected, the Symantec Endpoint Recovery Tool attempts to download the latest virus definitions. If the computer is isolated from the network, or if it is unable to download definitions for any reason, click Browse for Virus Definitions, and browse to the folder into which you unzipped the virus definitions.
- Verify that the virus definitions have been loaded by looking in the lower right-hand corner of the screen. The "Virus definitions current as of" date should reflect the current date.
- Make sure that Save scan session information is checked. Saving the scan session allows you to undo any modifications made by the tool. If needed, you can change the location where the scan session information is stored: click Change location and select the preferred location.
- Click Start Scan.
For full details, read "Symantec Endpoint Recovery Tool (SERT) download comes as an ISO (disk image), How do I use this?"
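The definition-staging part of the procedure above (unpack the .jdb, find the yyyymmdd.rrr version under [VerInfo] in catalog.dat, name the folder after it, and point definfo.dat at the new version) is easy to get wrong by hand. The following script, written on the clean preparation computer, is an added example and is not Symantec's tooling. It assumes that the .jdb is an ordinary zip archive (the article's rename-to-.zip note supports this), that catalog.dat contains the version as a yyyymmdd.rrr token somewhere under [VerInfo] (the key name is not assumed), and that definfo.dat uses a [DefDates] section with CurDefs= and LastDefs= lines (assumed layout). The sample .jdb it builds is constructed for demonstration and contains no real definitions.

```python
"""Stage a Symantec .jdb definition package for the SERT virusdef folder.

Added example, not Symantec's own tooling. Assumptions are marked below.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# yyyymmdd.rrr, e.g. 20141121.021
VERSION_RE = re.compile(r"\b(\d{8}\.\d{3})\b")


def version_from_catalog(catalog_text: str) -> str:
    """Return the yyyymmdd.rrr token found under [VerInfo] in catalog.dat.

    Only the section name is relied on; the key carrying the value is not assumed.
    """
    in_verinfo = False
    for raw in catalog_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_verinfo = line.lower() == "[verinfo]"
            continue
        if in_verinfo:
            match = VERSION_RE.search(line)
            if match:
                return match.group(1)
    raise ValueError("no yyyymmdd.rrr version found under [VerInfo] in catalog.dat")


def stage_definitions(jdb_path, dest_dir) -> Path:
    """Unpack jdb_path into dest_dir/<yyyymmdd.rrr> and return that folder.

    Refuses archive members that would escape the target folder (zip-slip) and
    refuses to overwrite a folder that already exists.
    """
    jdb_path, dest_dir = Path(jdb_path), Path(dest_dir)
    with zipfile.ZipFile(jdb_path) as zf:  # assumption: .jdb is a zip archive
        names = zf.namelist()
        for name in names:
            parts = Path(name).parts
            if Path(name).is_absolute() or ".." in parts:
                raise ValueError(f"refusing unsafe archive member: {name}")
        if "catalog.dat" not in names:
            raise ValueError("catalog.dat not found at the root of the .jdb")
        version = version_from_catalog(zf.read("catalog.dat").decode("utf-8", "replace"))
        target = dest_dir / version
        if target.exists():
            raise FileExistsError(f"{target} already exists; remove the old folder first")
        target.mkdir(parents=True)
        zf.extractall(target)
    return target


def bump_definfo(definfo_text: str, new_version: str) -> str:
    """Rewrite definfo.dat so CurDefs= names new_version and LastDefs= the old CurDefs.

    The [DefDates] / CurDefs= / LastDefs= layout is an assumption about definfo.dat.
    """
    lines = definfo_text.splitlines()
    cur_idx = last_idx = None
    for i, line in enumerate(lines):
        key = line.split("=", 1)[0].strip().lower()
        if key == "curdefs":
            cur_idx = i
        elif key == "lastdefs":
            last_idx = i
    if cur_idx is None:
        raise ValueError("no CurDefs= line in definfo.dat")
    old_version = lines[cur_idx].split("=", 1)[1].strip()
    lines[cur_idx] = f"CurDefs={new_version}"
    if last_idx is not None:
        lines[last_idx] = f"LastDefs={old_version}"
    return "\n".join(lines) + "\n"


def build_sample_jdb(path) -> Path:
    """Write a constructed .jdb (placeholder content, not real definitions) for offline use."""
    path = Path(path)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("catalog.dat", "[Catalog]\nplaceholder=1\n\n[VerInfo]\nCurDefs=20141121.021\n")
        zf.writestr("virscan.dat", "constructed placeholder, not a real definition file\n")
    return path


def demo() -> dict:
    """Stage the constructed sample and bump a sample definfo.dat; return both results."""
    work = Path(tempfile.mkdtemp())
    staged = stage_definitions(build_sample_jdb(work / "sample.jdb"), work / "virusdef")
    old_definfo = "[DefDates]\nCurDefs=20141120.021\nLastDefs=20141119.021\n"  # constructed
    return {"folder": staged.name, "definfo": bump_definfo(old_definfo, staged.name)}


if __name__ == "__main__":
    result = demo()
    print("staged folder:", result["folder"])
    print(result["definfo"], end="")
```

Copy the staged folder into /sources/symantec_nbrt/virusdef with the ISO editor, delete the old numbered folder, and apply the rewritten definfo.dat; usage.dat still has to be edited by hand because its layout is not described here.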
To undo a previous scan
Warning: This action will also restore any threats and other security risks removed during the scan.
- If you need to undo the actions of a previous scan, in the main screen, click Undo.
- Select the session you want to restore, and click Undo.