
Action to Still Infected & Suspicious

Created: 24 Jan 2013 • Updated: 05 Feb 2013 | 5 comments
This issue has been solved. See solution.

Hi All

Good Day...

We have SEP 12.1 RU1 MP 1 on our domain, and in the SEPM daily status report we are getting some incidents that still require action (Still Infected, Suspicious and Quarantined). What action do we have to take on these incidents, and why is SEP not able to take an appropriate action on them?

Which port does SEPM use to initiate a restart / run a full scan?

Regards

Ajin


.Brian's picture

Did you confirm the client is clean? The SEPM should automatically remove it from the list once it determines it is clean. Client and server talk over 8014.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

We have SEP 12.1 RU1 MP 1 on our domain, and in the SEPM daily status report we are getting some incidents that still require action (Still Infected, Suspicious and Quarantined). What action do we have to take on these incidents, and why is SEP not able to take an appropriate action on them?

Still Infected - 

The "Still Infected" number will go down automatically as the threat is completely removed from the network.

This is a part of the enhanced management console.  The management server resets the Still Infected Status for a client computer once the computer is no longer infected. It gives a more accurate status for how many client computers really are infected.

Check this article

http://www.symantec.com/business/support/index?page=content&id=TECH165846

Suspicious - For such files, we recommend that you submit the suspicious files to the Symantec Security Response Team to check whether they are threats or good files.

Quarantined - Symantec Endpoint Protection quarantined a file.

Quarantine is a special storage area that holds objects potentially infected with viruses. Potentially infected objects are objects that are suspected of being infected by viruses or modifications of them. Objects stored in Quarantine do not represent a threat to your computer. 

Check this Article:

Explanation of Action field values in Symantec Endpoint Protection 12.1 and 11, and Symantec AntiVirus 10.1

http://www.symantec.com/docs/TECH102052


Which port does SEPM use to initiate a restart / run a full scan?

Port 8014 is used to send out commands. Check this Article:

http://www.symantec.com/docs/TECH160281

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
AjinBabu's picture

Hi Mithun Sanghavi,

Thumbs up for your answer.

Regards

Ajin

pete_4u2002's picture

The client communicates with SEPM on the port that is open (default 8014).

Check if the actions are actually cleaned after the scan. Try to scan in safe mode.