How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions
Article: TECH131732 | Created: 2010-01-15 | Updated: 2014-04-23 | Article URL: http://www.symantec.com/docs/TECH131732
You need to know how to use the Symantec Endpoint Recovery Tool (SERT) to help clean a computer with a persistent threat infection.
About the Symantec Endpoint Recovery Tool
The Symantec Endpoint Recovery Tool (SERT) is a bootable CD that can scan and remove malware from an infected computer. SERT is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed on them to clean effectively. It is also necessary against specific threats that can completely hide from Windows, or that manipulate Windows into protecting the malicious process against Symantec Endpoint Protection's scanning and remediation components.
Symantec Technical Support can provide guidance on when it is recommended to use SERT.
To use the Symantec Endpoint Recovery Tool
- On a computer that is not infected, and that has a CD burner, go to FileConnect and download the Symantec Endpoint Recovery Tool.iso file.
- Burn the image onto a CD or DVD.
- Download the latest virus definition .jdb file from Symantec Security Response.
There are two types of virus definitions you can download: Daily Certified Definitions and Rapid Release Definitions. The links to both definitions are listed below.
- Daily Certified Definitions are standard virus definitions. They are the default set of definitions, which is distributed normally to clients. Certified definitions have been through the full QA process for false positives or other issues. http://www.symantec.com/security_response/definitions/download/detail.jsp?gid=sep
- Rapid Release definitions contain newer, more up-to-date definitions than Daily Certified Definitions. They are generally recommended in cases of virus infections. Rapid Release definitions are typically used on a case-by-case basis and are not recommended for everyday use across the entire environment. Rapid Release definitions have not been tested as thoroughly as Daily Certified Definitions.
The preferred download location is: ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence/ - from there, select the most recent sequence folder. If the .jdb file is not present in that folder, check the next most recent sequence folder.
The alternative location is located at http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr
- Using an unzipping utility, unzip the .jdb file into a new folder.
Note: It is possible to use the built-in Windows unzip utility to unzip the .jdb file. To do so, change the file extension on the .jdb file to .zip, right-click the file, and click "Extract All...".
- After the .jdb is uncompressed, place the folder on a removable storage device or at the root of the infected computer's hard drive so that the Symantec Endpoint Recovery Tool can access the definitions.
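The unzip-and-stage steps above, as an added Python example (not Symantec's code and not part of the original article). It relies on the fact stated above that a .jdb file is a ZIP archive with a different extension: it confirms the ZIP signature before touching the file, extracts into a new folder, refuses any archive entry whose path would land outside that folder, and records the package's SHA-256 so the change record shows exactly which definition package was staged. The `build_sample_jdb` helper writes a constructed stand-in package with placeholder contents; a real package comes only from the Symantec download locations listed above.

```python
"""Stage a Symantec .jdb definition package for SERT.

Added example, not Symantec's code. A .jdb file is a ZIP archive under another
extension, so no rename is needed when extracting it programmatically.
"""
import hashlib
import pathlib
import tempfile
import zipfile

# Signature of a ZIP local file header ("PK\x03\x04").
ZIP_MAGIC = b"PK\x03\x04"


def sha256_of(path):
    """Hex SHA-256 of a file, recorded so the staged package can be identified later."""
    h = hashlib.sha256()
    with pathlib.Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_zip_archive(path):
    """True if the file starts with the ZIP local-file-header signature."""
    with pathlib.Path(path).open("rb") as f:
        return f.read(4) == ZIP_MAGIC


def stage_definitions(jdb_path, dest_root, folder_name="SERTDefs"):
    """Extract jdb_path into <dest_root>/<folder_name> and return the extracted file names.

    Raises ValueError if the file is not a ZIP archive, or if any entry would be
    written outside the destination folder (a "zip slip" path such as ../x).
    Validation runs over every entry before anything is written, so a bad
    package leaves no partial extraction behind.
    """
    jdb_path = pathlib.Path(jdb_path)
    dest = (pathlib.Path(dest_root) / folder_name).resolve()
    if not is_zip_archive(jdb_path):
        raise ValueError(f"{jdb_path} is not a ZIP archive; re-download the .jdb file")
    with zipfile.ZipFile(jdb_path) as zf:
        entries = zf.infolist()
        for info in entries:
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"refusing entry outside destination folder: {info.filename}")
        dest.mkdir(parents=True, exist_ok=False)  # a new folder, as the manual step requires
        extracted = []
        for info in entries:
            zf.extract(info, dest)
            if not info.is_dir():
                extracted.append(info.filename)
    return sorted(extracted)


def build_sample_jdb(path):
    """Write a constructed stand-in .jdb (a small ZIP with placeholder files) for demonstration."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("sample_definitions.txt", "placeholder definition data\n")
        zf.writestr("sample_catalog.txt", "placeholder catalog\n")
    return pathlib.Path(path)


def main():
    # Demonstration on the constructed package; point stage_definitions at the
    # downloaded .jdb and at the root of the removable drive in real use.
    with tempfile.TemporaryDirectory() as tmp:
        jdb = build_sample_jdb(pathlib.Path(tmp) / "sample.jdb")
        print("package SHA-256:", sha256_of(jdb))
        for name in stage_definitions(jdb, tmp):
            print("extracted:", name)


if __name__ == "__main__":
    main()
```

In use, `dest_root` would be the root of the removable drive (for example `E:\`), so the resulting folder sits where the "Browse for Virus Definitions" step can find it.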
- Confirm that the infected computer boots from CD or removable media first.
Refer to the computer's manual for information on configuring the computer appropriately.
- Boot the infected computer from the SERT disc created in step 2.
- Click Continue loading Endpoint Recovery Tool
- Select a language and click OK.
- When presented with the Symantec Software License Agreement, click I Agree.
NOTE: Symantec customers with a valid support contract may contact Technical Support for the necessary PIN.
- If a network connection is detected, the Symantec Endpoint Recovery Tool attempts to download the latest virus definitions. If the computer is isolated from the network, or if it is unable to download definitions for any reason, click Browse for Virus Definitions, and browse to the folder to which you unzipped the virus definitions.
- Verify that the virus definitions have been loaded by looking in the lower right-hand corner of the screen. The "Virus definitions current as of" field should show the current date.
- Make sure that Save scan session information is checked. Saving the scan session allows you to undo any modifications made by the tool. If needed, you can change the location where the scan session information will be stored. To do so, click Change location and select the preferred location.
- Click Start Scan.
For full details, read "Symantec Endpoint Recovery Tool (SERT) download comes as an ISO (disk image), How do I use this?"
To undo a previous scan
Warning: This action will also restore any threats and other security risks removed during the scan.
- If you need to undo the actions of a previous scan, in the main screen, click Undo.
- Select the session you want to restore, and click Undo.
Security administrators interested in enhancing the capabilities of SERT may be interested in the Connect Forum article on How to Customize Symantec Endpoint Recovery Tool. That document contains detailed instructions about how to boot SERT from a USB drive, how to add additional third-party functionality, and how to update SERT's definitions. Please note that this white paper is unsupported and Symantec Technical Support cannot offer assistance on those steps.