Endpoint Protection

  • 1.  How Do I Clear "Infected" Status in SEPM 12.1 RU2?

    Posted Sep 17, 2013 05:53 PM

    So I'm trying to better understand how the "Infected" status works in SEPM 12.1 RU2.  As an example, if I go under Monitors -> Computer Status I find one machine that reports "Infected".  Looking at the details, it appears that the file was on a removable drive and it's no longer plugged into that machine (hasn't been for about 4 months).  How do I go about clearing that status so it doesn't come up on my reports anymore and I don't keep sending tickets to the Local MIS to clean a machine that is no longer infected?

    Also, would you consider this to be the best approach for addressing "Infected" machines in the environment: pull a report from Monitors -> Computer Status for all "Infected" machines and create tickets to have additional scanning done on these machines with other AV suites?

    Thanks,

    Mike



  • 2.  RE: How Do I Clear "Infected" Status in SEPM 12.1 RU2?
    Best Answer

    Posted Sep 17, 2013 06:01 PM

    It clears automatically. Put in a clean USB drive and run a full scan. Once determined clean, it will clear automatically.

    See this article for further detail:

    Cannot Delete the "Still Infected" Value From the Symantec Endpoint Protection Manager 12.1 Console

    http://www.symantec.com/docs/TECH165846



  • 3.  RE: How Do I Clear "Infected" Status in SEPM 12.1 RU2?

    Posted Sep 17, 2013 06:03 PM

    You cannot clear it manually; it was available in SEP 11.x.

    All you need to do is run a full scan on these machines; when new logs are updated to SEPM, the status will be cleared.

    If it's showing a removable drive, then just plug in any other removable drive and run a scan.

    https://www-secure.symantec.com/connect/forums/how-do-i-clear-infected-status-121



  • 4.  RE: How Do I Clear "Infected" Status in SEPM 12.1 RU2?

    Posted Sep 17, 2013 11:59 PM

    Hi

    You cannot clear it manually.  It will get cleared automatically.

    Regards

     



  • 5.  RE: How Do I Clear "Infected" Status in SEPM 12.1 RU2?

    Trusted Advisor
    Posted Sep 18, 2013 05:10 AM

    Hello,

    In the case of SEPM 12.1, the "Still Infected" number will go down automatically as the threat is completely removed from the network.

    This is a part of the enhanced management console.  The management server resets the Still Infected Status for a client computer once the computer is no longer infected. It gives a more accurate status for how many client computers really are infected.

    In your case, initiate a full scan on the system. The entry would be removed from Still Infected status.

    You can check the scan action and rescan the identified computers by following the steps provided in the article below:

    http://www.symantec.com/docs/HOWTO80991

    Still Infected is a subset of Newly Infected, and the Still Infected count goes down as you eliminate the risks from your network. Computers are still infected if a subsequent scan would report them as infected. 

    For example, Symantec Endpoint Protection might have been able to clean a risk only partially from a computer, so Auto-Protect still detects the risk.

    The management server resets the Still Infected Status for a client computer once the computer is no longer infected. This should produce a more accurate status for how many client computers really are infected, rather than requiring user interaction to define a computer as clean.

    Check these articles:

    Cannot Delete the "Still Infected" Value From the Symantec Endpoint Protection Manager 12.1 Console

    http://www.symantec.com/docs/TECH165846

    Secondly, I would suggest that you work on these articles:

    Identifying the infected and at-risk computers

    http://www.symantec.com/docs/HOWTO80990

    Remediating risks on the computers in your network

    http://www.symantec.com/docs/HOWTO80936

    Hope that helps!!