Hi,
Thank you for posting in Symantec community.
If file present under temp folder does not exist then you can simply ignore that event because if SEP detects a malicious file attempting to write to the drive, it may deny the file access. A marker will be temporarily placed in the Temp directory, but no file actually exists. This can be verified by reviewing the location of the detection and checking for the presence of the detected file.
For other locations can manually check the file to take necessary action or can configure the settings suggested below.
Left alone means Symantec Endpoint Protection detected a risk but did not take action. This can occur if the first configured action is Leave alone or if the second configured action was Leave alone and the first configured action was not successful. This may mean that a risk is active on the endpoint.
To ger around of this change the client settings.
- Click on Change Settings in the SEP client console,
- Click on Antivirus and Antispyware Protection, Configure Settings and then switch to File System Auto-Protect tab and click on the Advanced button,
- Checkbox next to "Delete newly created infected files if the action is “Leave alone (log only)”
- You can enable this option to delete a new file that is infected with a type of risk that you configured Auto-Protect to leave alone.
- This does not apply to infected files already detected as infected by Auto-Protect with the status of "Leave alone (log only)", "Quarantined" or any other status since Auto-Protect runs in real-time it will only apply to those new detections.
- Although this is an added feature of protection you should be aware of a possible issue if you encounter false positive detections. Those files which are detected as infected may need to be restored from a backup.