
Symantec Endpoint Recovery Tool (SERT)

Created: 22 Mar 2013 • Updated: 29 Mar 2013 | 19 comments
Mithun Sanghavi

Hello,

The Symantec Endpoint Recovery Tool (SERT) is a bootable CD that can scan and remove malware from an infected computer. SERT is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively. It is also necessary against specific threats which have the ability to completely hide from Windows, or that have techniques that manipulate Windows into protecting the malicious process against Symantec Endpoint Protection's scanning and remediation components.

Symantec Technical Support can provide guidance on when it is recommended to use SERT.

Current Version : Symantec Endpoint Recovery Tool 2.0.24

New functionality:

  • SERT no longer downloads new virus definitions automatically on launch; instead, it waits until you start a scan. If you have already provided updated definitions on a USB stick, it does not initiate the download
  • SERT now includes PCAnywhere ThinClient to enable remote control of the machine to be scanned
  • SERT now includes support for Symantec Endpoint Encryption 8.0 and earlier
  • SERT now has better rootkit remediation capabilities

To use the Symantec Endpoint Recovery Tool

1) On a computer that is not infected, and that has a CD burner, go to FileConnect and download the Symantec Endpoint Recovery Tool.iso file.


2) Burn the image onto a CD or DVD.

For full details, read: Symantec Endpoint Recovery Tool (SERT) download comes as an ISO (disk image), How do I use this?


3) Download the latest virus definition .jdb file from Symantec Security Response.

There are two types of virus definitions you can download: Daily Certified Definitions and Rapid Release Definitions. The links to both definitions are listed below.


  • Rapid Release definitions contain newer, more up-to-date definitions than Daily Certified Definitions. They are generally recommended in cases of virus infections. Rapid Release definitions are typically used on a case-by-case basis and are not recommended for everyday use across the entire environment. Rapid Release definitions have not been tested as thoroughly as Daily Certified Definitions. http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr


4) Using an unzipping utility, unzip the .jdb file into a new folder.

Note: It is possible to use the built-in Windows unzip utility to unzip the .jdb file. To do so, change the file extension on the .jdb file to .zip, right-click the file, and click "Extract All...".

5) After the .jdb is uncompressed, place the folder on a removable storage device or at the root of the infected computer's hard drive so that the Symantec Endpoint Recovery Tool can access the definitions.
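As an added example (not code from this article or from Symantec), the following PowerShell script performs steps 3 to 5 once the .jdb has been downloaded by hand: it checks the file is a ZIP archive, extracts it, and copies the folder to the root of a removable drive. The folder name "SertDefs" and the automatic removable-drive detection are my own assumptions, not something the article specifies.

```powershell
# Added example, not part of the original article or of SERT itself.
# Stages a downloaded .jdb definition file for SERT (steps 3-5 above):
# checks it is a ZIP archive, extracts it, and copies the folder to the
# root of a removable drive. Assumptions: the .jdb really is a ZIP (the
# article says renaming it to .zip lets Windows extract it); the folder
# name 'SertDefs' is my own choice, not one the article specifies.
param(
    [Parameter(Mandatory)] [string] $JdbPath,   # downloaded .jdb file
    [string] $DriveLetter,                      # e.g. 'E:'; auto-detected if omitted
    [string] $FolderName = 'SertDefs'           # assumed name for the unpacked folder
)
if (-not (Test-Path -LiteralPath $JdbPath)) { throw "Definition file not found: $JdbPath" }

# A ZIP archive starts with the two bytes 'P','K'. Read only those bytes
# rather than loading a multi-hundred-megabyte file into memory.
$stream = [System.IO.File]::OpenRead($JdbPath)
try {
    $magic = New-Object byte[] 2
    [void]$stream.Read($magic, 0, 2)
} finally {
    $stream.Dispose()
}
if ($magic[0] -ne 0x50 -or $magic[1] -ne 0x4B) {
    throw "$JdbPath does not start with a ZIP header; the download may be incomplete or corrupt."
}

# Pick the removable drive (DriveType 2 = removable disk) when none was given,
# and refuse to guess if there is more than one plugged in.
if (-not $DriveLetter) {
    $removable = @(Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2')
    if ($removable.Count -ne 1) {
        throw "Expected exactly one removable drive, found $($removable.Count); pass -DriveLetter."
    }
    $DriveLetter = $removable[0].DeviceID   # e.g. 'E:'
}

# Expand-Archive in Windows PowerShell 5.1 only accepts a .zip extension, so
# work on a .zip copy (the manual rename in step 4) and leave the original intact.
$zipCopy = Join-Path $env:TEMP ([System.IO.Path]::GetFileNameWithoutExtension($JdbPath) + '.zip')
Copy-Item -LiteralPath $JdbPath -Destination $zipCopy -Force

$destination = Join-Path "$DriveLetter\" $FolderName
try {
    Expand-Archive -LiteralPath $zipCopy -DestinationPath $destination -Force
} finally {
    Remove-Item -LiteralPath $zipCopy -Force -ErrorAction SilentlyContinue
}
$count = (Get-ChildItem -LiteralPath $destination -Recurse -File).Count
Write-Host "Definitions staged at $destination ($count files); boot SERT and browse to this folder."
```

Run it on the clean computer from step 1 after the .jdb download finishes; the ZIP header check catches a truncated download before you discover it at the infected machine.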

6) Confirm that the infected computer boots from CD or removable media first. Please refer to the computer's manual for information on configuring the computer appropriately.

7) Boot the infected computer from the SERT disc created in step 2.

8) Click Continue loading Endpoint Recovery Tool


9) Select a language and click OK


10) When presented with the Symantec Software License Agreement, enter the PIN and click I Agree.

NOTE: Symantec customers with a valid support contract may contact Technical Support for the necessary PIN.

http://www.symantec.com/docs/TECH159200


11) If a network connection is not available, you can use "Browse for Virus Definitions" in the lower right. Steps 3, 4 and 5 explain how to download the .jdb file and extract it to the USB drive. SERT no longer downloads new virus definitions automatically on launch; instead, it waits until you start a scan.

If you have already provided updated definitions on a USB stick, it does not initiate the download. (Definitions included with 2.0.24 are dated 25 March 2013. Some of these images were taken without a network connection.)


12) Verify that the virus definitions have been loaded by looking in the lower right-hand corner of the screen. The "Virus definitions current as of" field should show the current date.

13) Make sure that Save scan session information is checked.

Saving the scan session allows you to undo any modifications made by the tool.

If needed, you can change the location where the scan session information will be stored. To do so, click Change location and select the preferred location.

14) Click Start Scan.


15) This is the interface you see when the scan is running.

Menu options:

Advanced: includes only "Launch Command Prompt":


About: Shows the following:


To undo a previous scan

Warning: This action will also restore any threats and other security risks removed during the scan.

  1. If you need to undo the actions of a previous scan, in the main screen, click Undo.
  2. Select the session you want to restore, and click Undo.


NOTE: Security administrators interested in enhancing the capabilities of SERT may be interested in the Connect Forum article How to Customize Symantec Endpoint Recovery Tool (3rd Party Utility Integration):

https://www-secure.symantec.com/connect/articles/how-customize-symantec-endpoint-recovery-tool-3rd-party-utility-integration

The above document contains detailed instructions about how to boot SERT from a USB, how to add additional third-party functionality, and how to update SERT's definitions.

Please do note that this white paper is unsupported and Symantec Technical Support cannot offer assistance on those steps.

For convenience, here are links to Symantec's brief articles containing the supported steps:

System Requirements documentation for the Symantec Endpoint Recovery Tool (SERT)

http://www.symantec.com/docs/TECH134882

Symantec Endpoint Recovery Tool (SERT) download comes as an ISO (disk image). How do I use this?

http://www.symantec.com/docs/TECH131685

How to make the Symantec Endpoint Recovery Tool boot from a USB memory stick

http://www.symantec.com/docs/TECH131578

What does the full scan from the Symantec Endpoint Recovery Tool (SERT) CD scan?

http://www.symantec.com/docs/TECH150491

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

http://www.symantec.com/docs/TECH131732

VIDEO:

Symantec Endpoint Recovery Tool (SERT)

https://www-secure.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert

Comments (19)

_Brian

Is the PIN needed each time you use SERT? If so, that means I need to provide to every one of my remote technicians. I'm not sure I understand the logic behind this if that is the case.

Brian

_Brian

Understood but without having a FileConnect serial number, you can't even get the tool.

Mithun Sanghavi

Hello,

The PIN is required so as to understand you are carrying a valid support contract.

Secondly, once SERT is downloaded from FileConnect, you may create a DVD. You can pass on the PIN number to your colleagues who are using the SERT tool.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

_Brian

Doesn't having access to FileConnect make the assumption that you already have a valid support contract? You need to enter a serial number to download anything from FileConnect, which is provided by support.

Mithun Sanghavi

Hello,

I agree. However, this is by design.

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

RicheeDiaz

Thanks Mithun for the Wonderful Article with Proper Screenshots.

Thanks

Richard

Dipesh89

Thanks for the article. It was helpful.

Ambesh_444

Hi Mithun,

Thumbs up for your article.

Very nice and simple article..!!!!! Cheersssssss!!!!!!!!

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

AjinBabu

Nice. Much informative.

Regards

Ajin

Mick2009

One alternative to this SERT tool is Power Eraser. Here's a good article:

Symantec Power Eraser using Symantec Help (SymHelp) Tool.
https://www-secure.symantec.com/connect/articles/symantec-power-eraser-using-symantec-help-symhelp-tool

With thanks and best regards,

Mick

KalpeshParmar

Hi,

Thanks for sharing info.

azasadny

Good write-up, but not a very useful tool...

_Brian

Why not?

azasadny

I've never had this tool help me in any way. Norton Power Eraser (NPE) is running about 50% effective, but SERT has never assisted me in remediating a client.

nwranich

Awesome write up. Thanks!

KalpeshParmar

Hi

50 percent agreed with azasadny

Alex Scar

That's really superb!!

cbc_ictadmin

How long would you expect a scan to take on a Windows 7 build?

Ran a test scan on 2x laptops to familiarise myself (no viruses) and the scan literally finished in seconds (0 items scanned). Is this right?

Thanks, Steve