
Action Taken - What do they mean?

Created: 08 Jun 2009 • Updated: 21 May 2010 | 9 comments
This issue has been solved. See solution.

Hi Team,

While we were making our weekly report... it puzzled me why Symantec had so many options for action taken that look very redundant...
Please help in explaining the real meaning to it...

Thanks...

Action Taken:

Terminate Process Required
Quarantined
Reboot Required - Reboot Processing
Reboot Processing
Cleaned
Cleaned by deletion
Deleted
Left alone
Partial
Details pending
Process termination pending restart
Partially repaired
Pending Analysis


Paul Murgatroyd's picture

start here: http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/16179a5b53c4d21b8825722c00680866?OpenDocument

come back for those you don't understand

Also bear in mind that "Left Alone" actually means "blocked, but unable to remove". We never actually do nothing - even if we cannot get rid of the file, we still block whatever it's trying to do and log "Left Alone".

Paul Murgatroyd
Principal Product Manager, Symantec Endpoint Protection
Endpoint twitter feed: http://twitter.com/symc_endpoint

SOLUTION
Adminnnnnn's picture

In that document, it states that "Details Pending" means details are not yet available.  I have risk events that have occurred on a machine almost a week ago for which the status is still "Details Pending" and the affected machine has been continuously on the wire since the detection.  How long will it be until details are available...if ever?

Nel Ramos's picture

OK, I will check for its meaning and come back for those not included...
So the "left alone" really is blocked by Symantec? Is that right?
Thanks...

Nel Ramos

Nel Ramos's picture

Action
Description

Access denied
Auto-Protect prevented a file from being created.

Action failed
Symantec AntiVirus was unable to perform the action.

Attachment stripped
Symantec AntiVirus removed an attachment that contained a risk from an email message.

Bad
Symantec AntiVirus could not take action on a file because the file is write-protected or because the SYSTEM account lacks write permissions to the file.

Cleaned
Symantec AntiVirus cleaned a virus from the computer.

Cleaned by deletion
Symantec AntiVirus cleaned a virus from the computer. The action configured was "clean," but a file was deleted because that was the only way it could be cleaned.

For example, this is generally true of Trojan horse programs.

Cleaned or macros deleted
Symantec AntiVirus cleaned a macro virus from a file either by deletion or some other means. This applies only to events received from computers that run Symantec AntiVirus 8.x or earlier.

Deleted
Symantec AntiVirus deleted an object, such as a file or registry key, to remove a risk.

Details pending
Details are not yet available about this action.

Excluded
A user chose to exclude a security risk from detection. This can occur, for example, when a user is prompted for permission to terminate a process.

Firewall violation
Symantec Client Firewall blocked traffic that constituted a firewall violation.

IPS block
Symantec Client Firewall's Intrusion Prevention protection technology blocked a suspicious behavior.

Left alone
Symantec AntiVirus detected a risk but did not take action.

This can occur if the first configured action is Leave alone or if the second configured action was Leave alone and the first configured action was not successful. This may mean that a risk is active on the endpoint.

Partial
Partially repaired
Symantec AntiVirus could not completely repair the effects of a virus or security risk. This status appears when the second action is set to "Leave Alone," and Symantec AntiVirus could not complete all remediation actions.

Pending repair
A user still needs to take action to complete the remediation of a risk on a computer.

This may occur, for example, if a user hasn’t responded to a prompt to terminate a process.

Quarantined
Symantec AntiVirus quarantined a file.

Reboot pending
The user must restart the computer so that Symantec AntiVirus can complete the configured action.

Reboot processing
Symantec AntiVirus detected a threat that requires a restart for full remediation. Symantec AntiVirus is taking the needed steps to prepare for a restart. When complete, the status changes to "Reboot pending."

Suspicious
Symantec AntiVirus detected and remediated a suspicious event, but details about the actions that were taken are not available.

This action typically applies to computers that run legacy software. One example is the case where an Internet browser creates a temporary file that contains malicious data. Auto-Protect scans this data and prevents it from being written to the computer. The event retains the name of the temporary file, but the file is never actually created, so it cannot be located on the computer.

Nel Ramos
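
A sketch of how the statuses described above could be grouped when preparing a weekly report (an added example, not Symantec code and not part of any post in this thread). The bucket names, the CSV column names, the three-day threshold for "Details pending" and the sample rows are all assumptions constructed for illustration; statuses the table does not describe fall into "review".

```python
import csv
import io
from datetime import datetime, timedelta

# Grouping is this example's own reading of the descriptions quoted above.
BUCKETS = {
    "remediated": ["Access denied", "Attachment stripped", "Cleaned",
                   "Cleaned by deletion", "Cleaned or macros deleted",
                   "Deleted", "Quarantined", "Firewall violation",
                   "IPS block", "Suspicious"],
    "needs_user_or_reboot": ["Pending repair", "Reboot pending",
                             "Reboot processing"],
    "unresolved": ["Action failed", "Bad", "Left alone", "Partial",
                   "Partially repaired", "Excluded"],
    "waiting": ["Details pending"],
}
LOOKUP = {n.lower(): b for b, names in BUCKETS.items() for n in names}

def classify(action, event_time, now, max_wait=timedelta(days=3)):
    """Return the bucket for one event; unknown statuses become 'review'."""
    key = " ".join(action.split()).lower()   # tolerate case/spacing variants
    bucket = LOOKUP.get(key, "review")
    # "Details pending" that never resolves is escalated instead of ignored.
    if bucket == "waiting" and now - event_time > max_wait:
        return "stale"
    return bucket

def triage(report_csv, now):
    """Map host -> [(risk, bucket)] for every event that is not remediated."""
    followup = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M")
        bucket = classify(row["action_taken"], when, now)
        if bucket != "remediated":
            followup.setdefault(row["host"], []).append((row["risk"], bucket))
    return followup

# Constructed sample rows (hypothetical hosts, risk names and columns).
SAMPLE = """host,risk,action_taken,time
PC-01,Sample.Risk.A,Quarantined,2009-06-05 09:10
PC-02,Sample.Risk.B,Left alone,2009-06-05 11:42
PC-03,Sample.Risk.C,Details Pending,2009-06-01 08:00
PC-03,Sample.Risk.D,details pending,2009-06-07 16:30
PC-04,Sample.Risk.E,Reboot Processing,2009-06-06 13:05
PC-05,Sample.Risk.F,Pending Analysis,2009-06-07 10:00
"""
SAMPLE_NOW = datetime(2009, 6, 8, 9, 0)

if __name__ == "__main__":
    for host, items in triage(SAMPLE, SAMPLE_NOW).items():
        print(host, items)
```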

Nel Ramos's picture

Thanks Ajitjha... it's the same as Paul Murgatroyd's reply.

Nel Ramos

Ajit Jha's picture

I never notice what others post. I have a KB database in my PC which I got from Symantec. It helps me send you the exact link. That's what I did. Now I will visit what Paul's link says.

Regards

Ajit Jha

Technical Consultant

ASC & STS

Nel Ramos's picture

Don't worry friend...
I know you wanted to help...
thanks..

Nel Ramos

Pink Panther's picture

Guys,

Can a reboot be avoided in case of Reboot processing and required? I mean to remove it, maybe some registry trick. The Delete action button is greyed out even if risk is highlighted.

Thanks

PP