
How to handle infections that aren't detected by SEP

Created: 21 Jun 2013 | 9 comments

We have a third party service that detects when our machines are attempting to connect to known bot networks.  When we receive these alerts, we send a desktop technician to take a look at the machine.  Sometimes they run a SEP 12 scan, which doesn't detect anything.  (If SEP 12 were able to detect it, it would have stopped it in the first place, since it is configured to run in memory.)

For machines in this state, where you know something is wrong, but you can't find any evidence of that with SEP, what should you do?  Is there another Symantec tool that is recommended, or are we supposed to just find another third party tool to get a "second opinion" on the machine?


Brɨan's picture

Check this KBA:

Scanning a file with a competitor's antivirus program detects a virus, but scanning with Symantec AntiVirus or Symantec Endpoint Protection does not

Article:TECH98929  |  Created: 2000-01-06  |  Updated: 2012-09-13  |  Article URL

You can try the Symantec Power Eraser.

About Symantec Power Eraser

Article:TECH134803  |  Created: 2010-01-09  |  Updated: 2013-05-07  |  Article URL

How to run Symantec Power Eraser with the SymHelp utility

Article:TECH203683  |  Created: 2013-03-08  |  Updated: 2013-05-23  |  Article URL

You can use the SymHelp tool to submit suspicious processes

How to collect and submit to Symantec Security Response suspicious files found by the SymHelp utility

Article:TECH203027  |  Created: 2013-02-21  |  Updated: 2013-05-23  |  Article URL

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

ed16's picture

Thanks.  Power Eraser sounds helpful, but I can't figure out how to download it.  All links lead me to Symantec Help...

Brɨan's picture

Yes, it is run from the SymHelp tool, no standalone download. Check the link I posted above on how to run SPE from SymHelp.


ed16's picture

Unfortunately, I tried it from SymHelp and it doesn't work.  I select Power Eraser, check the rootkit box, and it reboots my system, but nothing happens.  I tried 3 times.

W007's picture


You can raise a support ticket

Eliminating viruses and security risks

Article:HOWTO27280  |  Created: 2010-01-08  |  Updated: 2010-01-15  |  Article URL

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Mick2009's picture

Hi Ed16,

The logs that the SEP clients are sending to the SEPM are often a great way to identify which files are suspicious on which clients.  Here's an illustrated article that may be of interest:

Using SEPM Alerts and Reports to Combat a Malware Outbreak

With thanks and best regards,


SameerU's picture


If you find any suspicious files, please submit them to the following link


sealchan's picture

Unless a rootkit is suspected you can still get the bulk of the value from Symantec Power Eraser without running the rootkit scan.  There is also Load Point Analysis in SymHelp, another threat analysis tool.  Symantec Power Eraser gives you the ability to remove suspicious files.  Load Point Analysis gives you more information about the file and can be run on a system that is not connected to the Internet.

Reference the following document for links to more information:

Google: SymHelp FAQ

SebastianZ's picture

If Power Eraser is not working, you can check with the SERT tool as well:

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

Article:TECH131732  |  Created: 2010-01-15  |  Updated: 2012-06-25  |  Article URL

Besides the scan, a few more articles regarding prevention:

Security Best Practices for stopping malware and other threats

Common loading points for viruses, worms, and Trojan horse programs on Windows 2000/XP/2003

Adjusting scans to increase protection on your client computers

Monitoring endpoint protection