
How Do I Clear "Infected" Status in SEPM 12.1 RU2?

Created: 17 Sep 2013 • Updated: 08 Oct 2013 | 4 comments
This issue has been solved. See solution.

So I'm trying to better understand how the "Infected" status works in SEPM 12.1 RU2. As an example, if I go under Monitors -> Computer Status, I find one machine that reports "Infected". Looking at the details, it appears that the file was on a removable drive and it's no longer plugged into that machine (hasn't been for about 4 months). How do I go about clearing that status so it doesn't come up on my reports anymore and I don't keep sending tickets to the Local MIS to clean a machine that is no longer infected?

Also, would you consider this to be the best approach for addressing "Infected" machines in the environment: pull a report from Monitors -> Computer Status for all "Infected" machines and create tickets to have additional scanning done on these machines with other AV suites?

Thanks,

Mike


.Brian

It clears automatically. Put in a clean USB drive and run a full scan. Once determined clean, it will clear automatically.

See this article for further detail:

Cannot Delete the "Still Infected" Value From the Symantec Endpoint Protection Manager 12.1 Console

http://www.symantec.com/docs/TECH165846

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SOLUTION
Rafeeq

You cannot clear it manually; it was available in SEP 11.x.

All you need to do is run a full scan on these machines; when new logs are updated to SEPM, the status will be cleared.

If it's showing a removable drive, then just plug in any other removable drive and run a scan.

https://www-secure.symantec.com/connect/forums/how-do-i-clear-infected-status-121

SameerU

Hi

You cannot clear it manually. It will get cleared automatically.

Regards

Mithun Sanghavi

Hello,

In the case of SEPM 12.1, the "Still Infected" number will go down automatically as the threat is completely removed from the network.

This is a part of the enhanced management console. The management server resets the Still Infected status for a client computer once the computer is no longer infected. It gives a more accurate status for how many client computers really are infected.

In your case, initiate a full scan on the system. The entry would be removed from Still Infected status.

You can check the scan action and rescan the identified computers by following the steps provided in the article below:

http://www.symantec.com/docs/HOWTO80991

Still Infected is a subset of Newly Infected, and the Still Infected count goes down as you eliminate the risks from your network. Computers are still infected if a subsequent scan would report them as infected. 

For example, Symantec Endpoint Protection might have been able to clean a risk only partially from a computer, so Auto-Protect still detects the risk.

The management server resets the Still Infected Status for a client computer once the computer is no longer infected. This should produce a more accurate status for how many client computers really are infected, rather than requiring user interaction to define a computer as clean.

Check these articles:

Cannot Delete the "Still Infected" Value From the Symantec Endpoint Protection Manager 12.1 Console

http://www.symantec.com/docs/TECH165846

Secondly, I would suggest that you work on these articles:

Identifying the infected and at-risk computers

http://www.symantec.com/docs/HOWTO80990

Remediating risks on the computers in your network

http://www.symantec.com/docs/HOWTO80936

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.