How to run the Threat Analysis Scan in Symantec Help (SymHelp)

Article: TECH215519  |  Created: 2014-03-03  |  Updated: 2014-07-10
Article Type: Technical Solution


There is evidence that malware is present on a system, but anti-malware software is unable to remediate it.  Assistance is required to determine which files on the system may be malware.



Symantec Help (SymHelp) is a diagnostic utility used to help automate support for multiple Symantec products.  SymHelp features a utility, the Threat Analysis Scan, that can help to identify suspicious files on a system.  For more information about SymHelp...

TECH170735: 'About Symantec Help (SymHelp)'

How to run a Threat Analysis Scan

1.  Download SymHelp...

TECH170752: 'Symantec Help (SymHelp) Download'

2.  Accept the EULA...

3.  Click the button 'Run Threat Analysis Scan'


4.  In the Threat Analysis Scan dialog click the 'Scan' button to begin a scan

Note: For users of SymHelp v2.1.21 and earlier, the equivalent options in the previous scans are...

  • Load Point Analysis -- leave the default options in place
  • Symantec Power Eraser -- ensure that the reputation database is available (green checkmark) and, optionally, uncheck 'Expanded assessment for Support'


5.  If a connection to the Symantec Reputation database cannot be established, a link to a proxy configuration dialog will be offered.  You can run a scan without connectivity to the Symantec Reputation database, but some features of the Threat Analysis Scan will be unavailable.  (See TECH215550: 'About Threat Analysis Scan')


6.  If the scan is run with access to the Symantec Reputation database, a list of files requiring further investigation is displayed once the scan is complete.  Options include...

  • Copying files to one or more zip containers in preparation for submission to the Security Response online submission web site
  • Removing files
  • Filtering the files displayed
  • Examining data collected about the files

Note: If you are working with Symantec Support, do not remove any suspicious files until you have copied them into a zip container, unless otherwise instructed.  Symantec Support may request that you submit suspicious files to the proper web site so that they can be analyzed by Security Response.  Do not send any suspicious files to a Symantec Support agent directly, even if they are zipped and password protected.


7.  If you are working with Symantec Support, or if you have run the scan without a connection to the Symantec Reputation database, save the Threat Analysis Scan.  Choose the 'Save' tab to display the Save page in SymHelp.  Select the directory to save to and click 'Save'.  This will produce a file with the extension .sdbz.  This file does not contain any copies of suspicious files, so it is safe to send directly to Symantec Support.


8.  To complete a scan that was run without connectivity to the Symantec Reputation database, run SymHelp on a system with access to the Internet.  From the Home page, in the menu at the top, choose File > Open Report and open the saved .sdbz file.  Select the 'Threat Analysis' tab and then click the 'Complete Report' button.


For more information about SymHelp...

TECH203496: 'Symantec Help (SymHelp) FAQ'

