
Cannot Clear "Still Infected" on Home Screen

Created: 16 Jan 2008 • Updated: 26 Sep 2010 | 14 comments

When I log into SEP Monitor, it says that I have 4 "Still Infected".  I click on the link and it shows me the names of the computers.  There are 3 machines (one with 2 risks).  The "Status Last Updated" shows dates in November and December of 2007.  At the top of this pseudo report, it tells me:

"Infected events flag computers as infected. Once you have verified that a computer is not infected, you can clear the infected status of the computer on the Computer Status Logs page."

First of all, a search of the "documentation" for "Computer Status Logs" reveals NOTHING.  So I had to go through the monitor interface to find this.  I think I have found this under MONITORS / LOGS.  I had to run a log type of "Computer Status".  I set the date range to the past year.  After the report runs, I find the three machines in that report and they aren't showing they have an infection.  So how do I clear the HOME screen of the Monitor??

If a Symantec Tech reads this and wants me to open a phone support ticket, I will.  I have another question/problem and I'll create another ticket for it.  Thanks for your help!

EDIT:

I forgot to include my version etc.  I'm running SEP 11.0.1000 on an XP 32bit system.



Message Edited by Joltman on 01-16-2008 07:36 AM


24hourtek's picture
I'm having the same problem.  I'll call Symantec today if I can't figure this out.
Joltman's picture

@24hourtek

Did you end up calling Symantec about this issue?  Did they have an answer?

Uffehbg's picture
What is the status in this thread?
I have the same problem: it says infected, but the files are removed and the warning won't go away in the manager console.
 
Uffe
Fabian-H's picture
Hi ! I also have the same problem .. you are not alone :)
 
Has anyone talked to Symantec about it?
24hourtek's picture
I called Symantec and it's really easy to fix.  I feel like a moron.
 
1.  Log into Symantec Endpoint Protection manager
2.  Select Monitors
3.  Select Logs
     Log Type:  Computer Status
     Use a saved filter: Default
     Time Range:  Past 3 Months
4.  Click View Log
5.  Highlight the infected computer and click "Clear Infected Status"
6.  Log out and log back into SEPM to see
 
Also, if you want to adjust tolerances for warnings on the home page, click "Preferences" in the Security Status section.
 
Cheers.
 
 
 



Message Edited by 24hourtek on 01-25-2008 10:23 AM

Joltman's picture

I'd love to say that this worked for me.  It did not.  I knew about this method to remove the warning from clicking on the Infected link on the home page.  The instructions there are VERY poor.  This is the message you get:

Infected events flag computers as infected. Once you have verified that a computer is not infected, you can clear the infected status of the computer on the Computer Status Logs page.

So the first question I asked myself was, "Where's the Computer Status Logs page?"  I first thought I'd search the documentation to find it.  I searched the exact phrase and just "Computer Status Logs" and could find nothing.  How helpful!  I finally stumbled upon the logs.  I searched the two machines showing the issue, and lo and behold, SEP thinks they're clean.  In that report, if you see a red mark next to the computer, SEP thinks it's infected.  If you see a green mark, then SEP thinks it's fine.  I find the machine, highlight it, and hit the Clear Infected Status and I get:

0 of 1 selected computers were infected and are now cleared.

That doesn't help me much considering SEP doesn't clear out the home page.  Very annoying.  I really don't want to open a ticket for this.  Any Symantec employees reading this?

Jim

Dwayne Gibson's picture

This worked for me as well. Not like it's in an obvious place or anything. I guess that is always the case when you move to new software.

jsnyder's picture

Joltman,

I have the exact same issue you do.  My Still Infected report lists machines as infected but when I check the computer status logs the machine itself has the Green checkmark indicating it isn't infected.  If I select the machine and try to clear the infected status I get the "0 of 1 selected computers is listed as infected."

I can find no way to clear the "still infected" risks if the SEPM is not showing the computer as infected in the status logs.

Now, this issue actually existed in the old SAV Reporting server and was related to two tables not staying in sync, inventorycurrentrisk and inventorycurrentvirus.  Apparently how it worked in the old SAV reporting mechanism was that any threat not cleaned would be recorded into these tables.  Once a machine was marked as clean the corresponding records would be removed from these two tables.  This never worked properly for me, so I found that when I deleted records from these two tables manually it fixed my issue.

However, being that the SEPM database is so finicky I don't want to go about doing this manually. 

Symantec - is there a way to remove "still infected" risks from the report when a machine is not listed as infected in the SEPM?  Can the data in these two tables be cleared out manually without consequence?

Jeff

mjpavon@dakamericas.com.ar's picture

Hi, I had the same issue. In my case the computer was originally infected some time in March. For some issues the PC had, we decided to re-image that PC but we forgot to clear the infected status in the COMPUTER STATUS LOG in the MONITOR SECTION. So when the PC was ready and clean after being re-imaged the SEP11 home report would still show 2 records of this PC as STILL INFECTED, BUT when one would go to the COMPUTERS STATUS REPORT, that PC was showing as not infected, so there was no way to perform successfully the CLEAR INFECTED STATUS command.
The SOLUTION: I went back to the report definition and CHANGED THE TIME RANGE to PAST MONTH (It is set to 24 hours by default) and re-ran the report. This time, the computer in question showed twice, with different IP addresses, and one of those records (the oldest) DID SHOW THE COMPUTER AS INFECTED. So I just selected it and CLEARED the infected status. Then after one minute the HOME REPORT reflected this action. I hope this can be of any help.

MARCELO from Argentina.

wjlight's picture

Clearing an infected status setting from the log is counter-intuitive for me.  I am used to logs recording application history and events.  I would much prefer to see the ability to clear the infected status available by right clicking on the client.

Perhaps in a future release?

tcole-hatch's picture

Agree.   Although using the Monitors - Logs page allows you to eventually clear the status of "still infected" computers, I agree that Symantec should provide a more direct method from the "still infected" hyperlink to accomplish this.   When you click on the "still infected" list, you should be able to clear selected notices at that point.   Similar to the way you clear unacknowledged alerts on the console home page.

  
  

 

dotnetcrash's picture

So I struggled with this as well. That was until I noticed that it was only giving me 20 computers per page (!!!). So then I clicked to the next page, highlighted all the machines and clicked clear events, then the next page, and the next, and so on for 5 or 6 pages. VERY ANNOYING, but it seems to be par for the course with this product. Why can't we go back to Symantec Corporate 9? It actually worked and was WAYYYY more intuitive. I hate this product.