How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

Article:TECH131732  |  Created: 2010-01-15  |  Updated: 2014-04-23  |  Article URL http://www.symantec.com/docs/TECH131732
Article Type
Technical Solution


Issue



You need to know how to use the Symantec Endpoint Recovery Tool (SERT) to help clean a computer with a persistent threat infection.


Solution



About the Symantec Endpoint Recovery Tool

The Symantec Endpoint Recovery Tool (SERT) is a bootable CD that scans an infected computer from outside its installed operating system and removes the malware it finds. SERT is intended for computers that are too heavily infected for the Symantec Endpoint Protection client installed on them to clean effectively. It is also the appropriate tool against threats that hide themselves completely from Windows (for example, rootkits), or that manipulate Windows into protecting the malicious process from the scanning and remediation components of Symantec Endpoint Protection. Because SERT runs before the infected Windows instance loads, those concealment techniques are not active while it scans.

Symantec Technical Support can provide guidance on when it is recommended to use SERT.

To use the Symantec Endpoint Recovery Tool

  1. On a computer that is not infected, and that has a CD burner, go to FileConnect and download the Symantec Endpoint Recovery Tool.iso file.

  2. Burn the image onto a CD or DVD.

  3. For full details, read "Symantec Endpoint Recovery Tool (SERT) download comes as an ISO (disk image), How do I use this?"

  4. Download the latest virus definition .jdb file from Symantec Security Response.

    There are two types of virus definitions you can download: Daily Certified Definitions and Rapid Release Definitions. Rapid Release definitions are published more often but receive less testing than Daily Certified definitions. The links to both definitions are listed below.


  5. Using an unzipping utility, unzip the .jdb file into a new folder.

    Note: It is possible to use the built-in Windows unzip utility to unzip the .jdb file. To do so, change the file extension on the .jdb file to .zip, right-click the file, and click "Extract All...".

  6. After the .jdb is uncompressed, place the folder on a removable storage device or at the root of the infected computer's hard drive so that the Symantec Endpoint Recovery Tool can access the definitions.

  7. Confirm that the infected computer boots from CD or removable media first.

    Refer to the computer's manual for information on configuring the computer appropriately.

  8. Boot the infected computer from the SERT disc created in step 2.

  9. Click Continue loading Endpoint Recovery Tool

  10. Select a language and click OK.

  11. When presented with the Symantec Software License Agreement, click I Agree.

    NOTE: Symantec customers with a valid support contract may contact Technical Support for the necessary PIN.

  12. If a network connection is detected, the Symantec Endpoint Recovery Tool attempts to download the latest virus definitions. If the computer is isolated from the network, or if it is unable to download definitions for any reason, click Browse for Virus Definitions, and browse to the folder to which you unzipped the virus definitions.

  13. Verify that the virus definitions have been loaded by looking in the lower right-hand corner of the screen. The "Virus definitions current as of" field should show the current date.

  14. Make sure that Save scan session information is checked. Saving the scan session allows you to undo any modifications made by the tool. If needed, you can change the location where the scan session information will be stored. To do so, click Change location and select the preferred location.

  15. Click Start Scan.
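Steps 4 through 6 rely on the fact that a .jdb package is an ordinary ZIP container with a different extension, which is why renaming it to .zip works. The script below is an added example, not part of this article or Symantec's tooling; it runs on the clean computer used to prepare the definitions. It checks that the downloaded file really is a ZIP (a truncated or HTML-error-page download would otherwise produce an empty folder), extracts it into a folder at the root of the removable drive, refuses any archive entry that would write outside that folder, and records a SHA-256 of the package so the definitions loaded into SERT in step 12 can be traced back to the exact file downloaded. The destination path, the folder name sert_defs and the file names inside the constructed sample package are assumptions for illustration, not real definition file names.

```python
"""Stage a .jdb definition package for SERT (added example, not Symantec's code)."""
import hashlib
import tempfile
import zipfile
from pathlib import Path

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # magic bytes that open every ZIP local-file header


def sha256_of(path):
    """SHA-256 of the whole file, read in chunks so large packages do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_zip_container(path):
    """True if the file starts with a ZIP header, whatever its extension says."""
    with open(path, "rb") as f:
        return f.read(4) == ZIP_LOCAL_HEADER


def stage_definitions(jdb_path, dest_root, folder_name="sert_defs"):
    """Extract jdb_path into dest_root/folder_name and return the extracted file names.

    dest_root is the root of the removable drive (assumed, e.g. E:\\) or of the
    infected disk. Raises ValueError if the file is not a ZIP container or if
    any entry would land outside the destination folder.
    """
    jdb_path = Path(jdb_path)
    dest = Path(dest_root) / folder_name
    if not is_zip_container(jdb_path):
        raise ValueError(f"{jdb_path} is not a ZIP container; re-download the .jdb")
    dest.mkdir(parents=True, exist_ok=True)
    dest_resolved = dest.resolve()
    with zipfile.ZipFile(jdb_path) as zf:
        # Validate every entry before writing anything. zipfile.extract() would
        # strip '..' components silently; rejecting loudly is preferable here.
        for info in zf.infolist():
            target = (dest / info.filename).resolve()
            if target != dest_resolved and dest_resolved not in target.parents:
                raise ValueError(f"refusing entry that escapes destination: {info.filename}")
        extracted = []
        for info in zf.infolist():
            zf.extract(info, dest)
            if not info.is_dir():
                extracted.append(info.filename)
    return sorted(extracted)


def demo():
    """Run the staging flow against a constructed sample package in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        usb_root = tmp / "usb_root"  # stands in for the removable drive root
        # Constructed sample: placeholder members, not a real definition set.
        sample = tmp / "sample.jdb"
        with zipfile.ZipFile(sample, "w") as zf:
            zf.writestr("defs/part1.dat", b"placeholder definition data 1")
            zf.writestr("defs/part2.dat", b"placeholder definition data 2")
        extracted = stage_definitions(sample, usb_root)
        digest = sha256_of(sample)
        on_disk = sorted(p.name for p in (usb_root / "sert_defs" / "defs").iterdir())

        # A file that merely carries the .jdb extension is rejected, not "unzipped".
        bogus = tmp / "bogus.jdb"
        bogus.write_bytes(b"<html>download error page, not a zip</html>")
        try:
            stage_definitions(bogus, usb_root)
            bogus_rejected = False
        except ValueError:
            bogus_rejected = True

        # An entry that tries to climb out of the folder is refused before extraction.
        evil = tmp / "evil.jdb"
        with zipfile.ZipFile(evil, "w") as zf:
            zf.writestr("../escape.dat", b"x")
        try:
            stage_definitions(evil, usb_root)
            slip_rejected = False
        except ValueError:
            slip_rejected = True

        return {
            "extracted": extracted,
            "on_disk": on_disk,
            "sha256": digest,
            "bogus_rejected": bogus_rejected,
            "slip_rejected": slip_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

To use it for real, call stage_definitions with the downloaded .jdb and the drive root (for example stage_definitions(r"C:\Downloads\vd123456.jdb", r"E:\")) and keep the printed SHA-256 with your incident notes. Renaming the extension, as the article's note describes, is never required for this script, because it inspects the header rather than the name.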


To undo a previous scan


Warning: This action will also restore any threats and other security risks removed during the scan.

  1. If you need to undo the actions of a previous scan, in the main screen, click Undo.
  2. Select the session you want to restore, and click Undo.



Security administrators interested in extending the capabilities of SERT may want to read the Connect Forum article on How to Customize Symantec Endpoint Recovery Tool. That document contains detailed instructions on how to boot SERT from a USB drive, how to add third-party tools, and how to update SERT's definitions. Note that this white paper is unsupported, and Symantec Technical Support cannot offer assistance with those steps.







Terms of use for this information are found in Legal Notices