The Symantec Endpoint Recovery Tool (SERT) is a bootable CD that can scan and remove malware from an infected computer. SERT is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively. It is also necessary against specific threats which have the ability to completely hide from Windows, or that have techniques that manipulate Windows into protecting the malicious process against Symantec Endpoint Protection's scanning and remediation components.
Symantec Technical Support can provide guidance on when it is recommended to use SERT.
Current Version: Symantec Endpoint Recovery Tool 2.0.24
- SERT no longer downloads new virus definitions automatically on launch; instead it waits until you start a scan. If you have already provided updated definitions on a USB stick, it does not initiate the download.
- SERT now includes PCAnywhere ThinClient to enable remote control of the machine to be scanned
- SERT now includes support for Symantec Endpoint Encryption 8.0 and earlier
- SERT now has better rootkit remediation capabilities
To use the Symantec Endpoint Recovery Tool
1) On a computer that is not infected, and that has a CD burner, go to FileConnect and download the Symantec Endpoint Recovery Tool.iso file.
2) Burn the image onto a CD or DVD.
For full details, read: Symantec Endpoint Recovery Tool (SERT) download comes as an ISO (disk image), How do I use this?
3) Download the latest virus definition .jdb file from Symantec Security Response.
There are two types of virus definitions you can download: Daily Certified Definitions and Rapid Release Definitions. The links to both definitions are listed below.
- Daily Certified Definitions are standard virus definitions. They are the default set of definitions, which is distributed normally to clients. Certified definitions have been through the full QA process for false positives or other issues. http://www.symantec.com/business/security_response/definitions.jsp
- Rapid Release definitions contain newer, more up-to-date definitions than Daily Certified Definitions. They are generally recommended in cases of virus infections. Rapid Release definitions are typically used on a case-by-case basis and are not recommended for everyday use across the entire environment. Rapid Release definitions have not been tested as thoroughly as Daily Certified Definitions. http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr
4) Using an unzipping utility, unzip the .jdb file into a new folder.
Note: It is possible to use the built-in Windows unzip utility to unzip the .jdb file. To do so, change the file extension on the .jdb file to .zip, right-click the file, and click "Extract All...".
5) After the .jdb is uncompressed, place the folder on a removable storage device or at the root of the infected computer's hard drive so that the Symantec Endpoint Recovery Tool can access the definitions.
6) Confirm that the infected computer boots from CD or removable media first. Please refer to the computer's manual for information on configuring the computer appropriately.
7) Boot the infected computer from the SERT disc created in step 2.
8) Click Continue loading Endpoint Recovery Tool.
9) Select a language and click OK.
10) When presented with the Symantec Software License Agreement, insert the PIN and click I Agree.
NOTE: Symantec customers with a valid support contract may contact Technical Support for the necessary PIN.
11) If a network connection is not available, you can use "Browse for Virus Definitions" in the lower right. Steps 3, 4 and 5 explain how to download the .jdb file and extract the files onto the USB drive. SERT no longer downloads new virus definitions automatically on launch; instead it waits until you start a scan.
If you have already provided updated definitions on a USB stick, it does not initiate the download. (Definitions included with 2.0.24 are dated 25 March 2013. Some of these images were taken without a network connection.)
12) Verify that the virus definitions have been loaded by looking in the lower right-hand corner of the screen. The "Virus definitions current as of" field should reflect the current date.
13) Make sure that Save scan session information is checked.
Saving the scan session allows you to undo any modifications made by the tool.
If needed, you can change the location where the scan session information will be stored. To do so, click Change location and select the preferred location.
14) Click Start Scan.
15) This is the interface you see when the scan is running.
Advanced: includes only "Launch Command Prompt".
About: Shows the following:
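Steps 3 to 5 above prepare the definitions that SERT reads from removable media: the downloaded .jdb file is a zip container (which is why renaming it to .zip lets the Windows unzip utility open it), and its contents must land in a new folder at the root of the drive. The following script is an added example, not part of this article or of Symantec's tooling, that performs that preparation and checks each archive member stays inside the new folder before writing it. The function names, the sample file name vd20130325.jdb and the archive contents are constructed for the example and do not reflect real definition files.

```python
"""Prepare a SERT definitions folder from a downloaded .jdb file.

Added example for the article's steps 3 to 5; not Symantec code.  A .jdb
file is a zip archive, so it is extracted here with the standard library.
Function names and sample archive contents are assumptions for this demo.
"""
import os
import tempfile
import zipfile
from pathlib import Path


def prepare_definitions(jdb_path, dest_root):
    """Extract jdb_path into a new folder under dest_root (step 4) and
    return the relative paths written, sorted.

    dest_root is the root of the USB stick, or of the infected computer's
    hard drive (step 5).  Each member path is resolved and required to stay
    inside the new folder, so an archive carrying "../" entries cannot write
    elsewhere on the drive.
    """
    jdb_path = Path(jdb_path)
    dest_root = Path(dest_root)
    if jdb_path.suffix.lower() != ".jdb":
        raise ValueError(f"expected a .jdb file, got {jdb_path.name}")
    # A .jdb is a zip container; refuse anything that does not parse as one.
    if not zipfile.is_zipfile(jdb_path):
        raise ValueError(f"{jdb_path.name} is not a valid zip/.jdb archive")

    # Step 4: unzip into a NEW folder, named after the definitions file.
    target_dir = dest_root / jdb_path.stem
    target_dir.mkdir(parents=True, exist_ok=False)
    target_resolved = target_dir.resolve()

    written = []
    with zipfile.ZipFile(jdb_path) as archive:
        for member in archive.infolist():
            # Zip-slip guard: the resolved destination must still be inside
            # target_dir; otherwise the archive is rejected.
            destination = (target_dir / member.filename).resolve()
            if os.path.commonpath([str(target_resolved), str(destination)]) != str(target_resolved):
                raise ValueError(f"unsafe path in archive: {member.filename}")
            if member.is_dir():
                destination.mkdir(parents=True, exist_ok=True)
                continue
            destination.parent.mkdir(parents=True, exist_ok=True)
            with archive.open(member) as src, open(destination, "wb") as dst:
                dst.write(src.read())
            written.append(destination.relative_to(target_resolved).as_posix())
    return sorted(written)


def make_sample_jdb(path):
    """Write a small constructed .jdb (zip) archive; member names are made up."""
    path = Path(path)
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("definitions/catalog.txt", "constructed sample catalog\n")
        archive.writestr("definitions/data/sample.dat", b"\x00\x01\x02\x03")
    return path


def make_hostile_jdb(path):
    """Write a constructed archive whose single member tries to escape the
    extraction folder, to show the guard in prepare_definitions rejecting it."""
    path = Path(path)
    with zipfile.ZipFile(path, "w") as archive:
        archive.writestr("../escape.txt", "should never be written\n")
    return path


def demo():
    """Run both constructed archives against a scratch directory that stands
    in for the USB stick root and report the outcome."""
    scratch = Path(tempfile.mkdtemp(prefix="sert-demo-"))
    usb_root = scratch / "usb"
    usb_root.mkdir()
    written = prepare_definitions(make_sample_jdb(scratch / "vd20130325.jdb"), usb_root)
    try:
        prepare_definitions(make_hostile_jdb(scratch / "hostile.jdb"), usb_root)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "written": written,
        "hostile_rejected": rejected,
        "escaped_file_exists": (usb_root / "escape.txt").exists(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would call prepare_definitions with the real downloaded file and the drive letter or mount point of the USB stick (for example `prepare_definitions("vd20130325.jdb", "E:\\")`); SERT then finds the folder when you use "Browse for Virus Definitions" in step 11.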
To undo a previous scan
Warning: This action will also restore any threats and other security risks removed during the scan.
- If you need to undo the actions of a previous scan, in the main screen, click Undo.
- Select the session you want to restore, and click Undo.
NOTE: Security administrators who want to enhance the capabilities of SERT may be interested in the Connect Forum article
How to Customize Symantec Endpoint Recovery Tool (3rd Party Utility Integration)
The above document contains detailed instructions about how to boot SERT from a USB, how to add additional third-party functionality, and how to update SERT's definitions.
Please do note that this white paper is unsupported and Symantec Technical Support cannot offer assistance on those steps.
For convenience, here are links to Symantec's brief articles containing the supported steps:
System Requirements documentation for the Symantec Endpoint Recovery Tool (SERT)
Symantec Endpoint Recovery Tool (SERT) download comes as an ISO (disk image). How do I use this?
How to make the Symantec Endpoint Recovery Tool boot from a USB memory stick
What does the full scan from the Symantec Endpoint Recovery Tool (SERT) CD scan?
How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions
Symantec Endpoint Recovery Tool (SERT)