When checking the Symantec Web Gateway I noticed it shows one client infected and the status active. When I click on the client that is infected it shows action taken: blocked. Even though it shows blocked, it classifies the client as infected? This worried me, so I am running a full Symantec Endpoint Protection scan. I attached a document of what I'm seeing. Why would the client show as infected if the threat was blocked? Any info I'd appreciate.
We see phone home traffic coming from the client. We are blocking it since you most likely do not want that to go out, and we mark the client as infected so you know to go and clean it up.
Thanks. So, I did a full scan from Symantec Endpoint Protection and it doesn't show any risks or infections. When you say clean it up, what do I do to clean it up exactly?
The screenshot you posted shows that we see traffic from what looks like a screen saver. Some screen savers will gather data from your client, possibly even keystrokes, and send them to a server.
Okay. Thanks for the insight. So, I need to see if there has been a screen saver installed and remove it from the client or better yet just wipe the PC? I wonder why SEP 12.1 hasn't detected anything?