Virus alert reports that an infected file was "Left Alone"

Article:TECH98719  |  Created: 2000-01-27  |  Updated: 2007-01-09  |  Article URL http://www.symantec.com/docs/TECH98719
Article Type
Technical Solution


Environment

Issue



You see a Virus Alert from Symantec AntiVirus Corporate Edition or Norton AntiVirus Corporate Edition.

The alert reports that the file was "Left Alone." You want to know why Symantec or Norton AntiVirus did not repair or quarantine the file. The Virus Alert message reports "Clean Failed - Quarantine Failed - Action Left Alone Succeeded."

If you clear the "Virus Found" status from the Symantec System Center, then the "Virus Found" status eventually reappears, and you see another Virus Alert from Symantec or Norton AntiVirus. The Virus Alert reports the same virus in the same file. You want to know why this message keeps reappearing and how you can finally get rid of the virus.


Solution




Before you begin:
  • The software is working as designed. The Virus Alert messages are generated when Virus Definitions are updated and the Quarantined files are rescanned. However, the location of the quarantined files was being misreported by Norton AntiVirus 7.x.
  • If you see a "Left Alone" status that was reported by a manual or scheduled scan, this is a result of an actual infection.
    Read the document You see a "Left Alone" status as the result of a manual or scheduled scan for more information.


With Norton AntiVirus 7.x, the "Current Location" of the infected file is displayed as a directory on the hard drive. When you investigate the report at the client computer, you cannot find the file in the "Current Location" that was reported by the Virus Alert. This has been corrected in Symantec AntiVirus, and the "Current Location" will show as Quarantine.

The following is an explanation and describes what can be done to resolve the problem at this time.

This Virus Alert message is notification that Symantec or Norton AntiVirus has received a new set of definitions and scanned Quarantined files to see if it could clean or repair the files with the latest definition set. "Clean Failed" refers to the failed attempt to clean the Quarantined file. "Quarantine Failed" refers to the failed attempt to move the file to Quarantine, since the file is already contained in Quarantine. "Action Left Alone Succeeded" indicates that no action was taken on the Quarantined file. The Quarantined file will be left alone until the next set of definitions arrive.

When Quarantined files cannot be repaired, Symantec or Norton AntiVirus report the file as infected and "Left Alone," but Norton AntiVirus 7.x indicates the original location of the infected file and not the current Quarantine location.


Note: Infected files that are backed up will continue to trigger virus alerts when you have realtime protection configured to backup files before attempting repair. To stop alerts, the infected files that are backed up must be deleted.


To stop these reappearing "Virus Found" messages
  1. Go to the client and delete all files from the Quarantine user interface.
    If you prefer to delete quarantined files using the Symantec System Center, then see the document How to delete quarantined files on clients using the Symantec System Center.
  2. Symantec AntiVirus has a Quarantine Purge function.
    See the document How to configure the Quarantine Purge function of Symantec AntiVirus Corporate Edition for more information.
  3. Go to the client and delete all files from the Quarantine folder. For Windows 95 or 98, the Quarantine folder is located in the directory where Symantec or Norton AntiVirus is installed.
    For Windows NT/2000/XP/2003, the location varies, depending on your version of Symantec or Norton AntiVirus:
    • In Norton AntiVirus 7.0x, the default location is
      \Program Files\NAVNT\Quarantine
    • In Norton AntiVirus 7.5x/7.6/8.x, the location for Windows NT is
      \WinNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine
    • In Norton AntiVirus 7.5x/7.6/8.x, the location for Windows 2000/XP/2003 is
      \Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine
    • In Symantec AntiVirus 9.x, the location for Windows NT is one of the following:
      \WinNT\Profiles\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine
      \WinNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine
    • In Symantec AntiVirus 9.x, the location for Windows 2000/XP/2003 is one of the following:
      \Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine
      \Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

To prevent repeating messages on quarantined files in the future
  1. Start Symantec System Center and unlock the server group.
  2. Right-click the server group, and then click All Tasks > Norton AntiVirus or Symantec AntiVirus > Quarantine Options.
  3. Under When new virus definitions arrive, click Do Nothing.


Note: Quarantined files must be repaired manually from the Symantec System Center or the client's Quarantine user interface. When you access the Quarantine files, a pop-up will appear with the text: "Updated virus definitions have been delivered to the computer Norton AntiVirus may be able to repair infected items in Quarantine." Clicking OK will allow Symantec or Norton AntiVirus to attempt a repair.






Legacy ID



2000032714423348


Article URL http://www.symantec.com/docs/TECH98719


Terms of use for this information are found in Legal Notices