Clear Still infected status from Database

Created: 19 Dec 2011 • Updated: 28 Feb 2012 | 8 comments
This issue has been solved. See solution.

I am trying to figure out where in the database the still infected status flag is set. Currently I have a script that can check for devices still infected and automatically create the Help Desk ticket to clean the virus. Now I need to find out how to clear this status, so when the ticket is closed the still infected status is cleared.

I was able to find the still infected devices, using the inventorycurrentrisk & inventorycurrentvirus tables to create the tickets, but when I change the deleted from 0 to 1 it does not clear the still infected status in the console. Any help on finding out how to clear this flag via the database would be greatly appreciated.

pete_4u2002's picture

I searched using the remediation with the DB schema; you will have a lot of tables which say infected, hence it would be difficult to know the exact field.

I would suggest having this done from the SEPM 11.x console. SEPM 12 does not have a clear "still infected" status.

Chetan Savade's picture


The following steps are applicable in SEP 11.x:

Log in to the console.

Monitors --> Logs --> Select log type, Computer status --> Click on view logs --> It will give you a list of infected computer status --> Select all & click on clear infected status

A screenshot is attached for your reference.

I hope it will help you !!

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Mithun Sanghavi's picture


In your case, you may need the SEP 11 Schema.

Symantec Endpoint Protection 11.0 Database Schema

Latest Symantec™ Endpoint Protection Manager RU7 MP1 Database Schema Reference

And then also check these articles:

1) Sweeping SEPM log data from the database manually.

2) How to clear an erroneous "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

3) How to delete Quarantined items from the Symantec Endpoint Protection Manager.

Hope this helps!!!

Mithun Sanghavi
Associate Security Architect


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

pbyers's picture

I already knew how to clear the status from the console, and have gone through the database schema with a fine-tooth comb and could not find the location the console pulls this info from. I guess the answer is no one knows.

This brings up another question: does anyone know how to force the computer to initiate a cleaned status to the server?

pbyers's picture

Finally found it. Dug down into the PHP files, wasn't easy. You can clear this status by changing the value of infected in the SEM_Agent table. Hope this helps you all; it will me.

SameerU's picture

To clear the "Still Infected" status:

  1. Choose Monitors from the left hand panel, and click on the Logs tab.
  2. For Log Type, choose Computer Status.
  3. Choose the appropriate time range, then choose View Log.
  4. On the report that is generated, select any item that has a red diamond in the first column that has been verified as cleaned.
  5. Click Clear Infected Status.

Simpson Homer's picture

Thumbs up to Chetan's explanation. Follow the same.

pbyers's picture

I guess I didn't explain myself very well or the explanation was not being read. I was trying to clear the infected status via the database and not the console. I did find where this is located.

So for all those that do work outside the console here is where it is located.  You can clear the infected status by changing the value of infected in the SEM_Agent table.
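
An added example, not part of the original thread or any Symantec documentation: a guarded T-SQL update for the SEM_Agent change described above, scoped to a single host whose cleanup has been verified, so the flag cannot be cleared fleet-wide by accident. It assumes the SEPM 11.x database runs on Microsoft SQL Server, that hosts are keyed by a `COMPUTER_ID` column, and that `INFECTED = 0` means "not infected"; check all three against the schema reference for your release.

```sql
-- Added example. Assumptions: T-SQL; SEM_AGENT has COMPUTER_ID and INFECTED
-- columns; 0 in INFECTED means "not infected".
DECLARE @computer_id CHAR(32);
SET @computer_id = '<COMPUTER_ID_OF_CLEANED_HOST>';  -- placeholder, one host only

BEGIN TRANSACTION;

-- Capture the state before the change so it can be attached to the ticket.
SELECT COMPUTER_ID, INFECTED
FROM SEM_AGENT
WHERE COMPUTER_ID = @computer_id;

-- Touch only the named host, and only if it is currently flagged.
UPDATE SEM_AGENT
SET INFECTED = 0
WHERE COMPUTER_ID = @computer_id
  AND INFECTED <> 0;

-- Commit only when exactly one row changed; anything else means the
-- placeholder was not replaced, the host was not flagged, or the key
-- matched more rows than expected.
IF @@ROWCOUNT = 1
    COMMIT TRANSACTION;
ELSE
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Expected exactly one flagged SEM_AGENT row; no change made.', 16, 1);
END
```

Run it from the ticket-close step only after the cleanup has been confirmed on the endpoint, and keep the pre-change SELECT output with the ticket as the audit record.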