How do I clear the infected status in 12.1?

Created: 19 Jan 2012 | 11 comments

In SEP 11.0.6, if you go to the Logs tab from the Monitors icon, you can select the infected computer and select the "Clear infected status" from the list of available options.  It used to be accessed using the "Computer Status" report, viewable by clicking the "View Log" button.

Where is this in 12.1?  Or do we need to worry about it?  The option in the same area doesn't exist.

Thanks.

_Brian's picture

In there, click on Compliance options and tick the box for infected only

A few more options have also been added.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

dan43's picture

Brian81, I have been all through the options on the Monitors tab and cannot find anything for clearing the infected status in the Compliance options.  Can you take me on a step-by-step tour in getting there?  Whose bright idea was it to put the clearing of the infected status in the Compliance options?  It just doesn't make sense to put it there.

_Brian's picture

In the SEPM

Go to Monitors >> Logs >> Select the Computer Status log

Click Advanced Settings

Click Compliance Settings

Check Infected Only

Click View Log

Does this not show for you?

pete_4u2002's picture

The "Still Infected" number will go down automatically as the threat is completely removed from the network.

This is a part of the enhanced management console.  The management server resets the Still Infected Status for a client computer once the computer is no longer infected. It gives a more accurate status for how many client computers really are infected.

Check this article:

http://www.symantec.com/business/support/index?page=content&id=TECH165846

phimanshuj@gmail.com's picture

How to clear an erroneous "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

http://service1.symantec.com/SUPPORT/ent-security....

la_ripper's picture

Hi Guys,

The information pete provided is right.

In 11.0.x, even though the threat didn't exist in the network, the still infected count would still show up.

However, 12.1 has an enhancement. The security status would automatically clear the still infected status once the threat is no more in the network. This is an added advantage. Since it is automatically clearing it, we do not require an option to delete.

Don't forget to mark your thread as 'solved' or vote with the answer that best helped you!

SameerU's picture

Please do the following:

  1. Stop the Symantec Endpoint Protection Manager service
    1. Click Start, then Run
    2. Type services.msc
    3. Click OK
    4. Locate and right-click Symantec Endpoint Protection Manager in the list, then click Stop

  2. Open Windows Explorer and navigate to the following folder; back up all files residing in this folder before proceeding:

    \Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo

  3. After backing up the files, delete the contents of the folder so that the agentinfo folder is empty
  4. Start the Symantec Endpoint Protection Manager service
    1. Click Start, then Run
    2. Type services.msc
    3. Click OK
    4. Locate and right-click Symantec Endpoint Protection Manager in the list, then click Start

  5. Log into the Symantec Endpoint Protection Manager
    • Go into Monitors & Logs and clear any remaining clients of their infected status
    • The homepage should now update the "still infected" field

Regards
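
The stop, back up, empty and restart sequence from the post above, scripted in PowerShell as an added example (not part of the original post and not Symantec's code). The drive letter, the backup location and the parameter names are assumptions; the final step, clearing clients in Monitors & Logs, stays manual in the console.

```powershell
#Requires -RunAsAdministrator
# Added example. Parameter names and default values are assumptions.
param(
    # The post gives the path without a drive letter; adjust to the real SEPM install.
    [string]$AgentInfo = 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\inbox\agentinfo',
    # Hypothetical backup location; keep it outside the SEPM data folder.
    [string]$BackupRoot = 'C:\SEPM-agentinfo-backup',
    [string]$ServiceDisplayName = 'Symantec Endpoint Protection Manager'
)
$ErrorActionPreference = 'Stop'

# Fail early if the service or the folder is not where we expect it.
$svc = Get-Service -DisplayName $ServiceDisplayName
if (-not (Test-Path -LiteralPath $AgentInfo -PathType Container)) {
    throw "agentinfo folder not found: $AgentInfo"
}

# Stop the manager and confirm it is stopped before touching its inbox.
Stop-Service -InputObject $svc
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

try {
    # Back up everything into a timestamped folder.
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest | Out-Null
    Copy-Item -Path (Join-Path $AgentInfo '*') -Destination $dest -Recurse -Force

    # Verify the backup holds as many files as the source before deleting anything.
    $srcFiles = @(Get-ChildItem -LiteralPath $AgentInfo -Recurse -File -Force)
    $bakFiles = @(Get-ChildItem -LiteralPath $dest -Recurse -File -Force)
    if ($srcFiles.Count -ne $bakFiles.Count) {
        throw "Backup incomplete: $($bakFiles.Count) of $($srcFiles.Count) files copied"
    }

    # Empty the folder but keep the agentinfo folder itself.
    Get-ChildItem -LiteralPath $AgentInfo -Force | Remove-Item -Recurse -Force
    Write-Output "Removed $($srcFiles.Count) file(s); backup is in $dest"
}
finally {
    # Restart the manager even if the backup or delete step failed.
    Start-Service -InputObject $svc
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
}
```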

pete_4u2002's picture

SEP 12.1 does not have a "clear still infected" button as in SEP 11.

kavin's picture

The infected status will get cleared automatically once the infection has been taken care of.

You cannot manually clear it in SEP 12.1.

NyQuil64's picture

While I understand that the manager will automatically clear the infected status, that does not work well for those systems that get decommissioned soon after they report an infected status.

Our environment is large enough that we cannot keep track of workstation attrition and we are required to keep systems in our database for 30 days, unless we know they have gone away.

So please bring back the "Clear Infected Status" button!

I think the manual option must stay. If you don't trust the AV admins (which taking away this option seems to imply), then they shouldn't have SEPM access.

Remember...
Wherever you go...
There you are.

megamanVI's picture

I agree.  This feature should be put back on.  So many forum parts, KB articles, etc. refer to the 'clear infected status button'.  I finally found out eventually that the feature was removed from 12.1 altogether.