Endpoint Protection

  • 1.  Infected flag not set in SEPM 12.1.1 MP1 console

    Posted Jun 08, 2012 05:29 AM

    Hello everyone,


    I am rather new in SEPM 12.1.1 MP1 and I do not really understand how the Infected flag is used in SEPM 12.1.1 MP1. I have been using SEPM 11 RU5, but it seems that the Infected flag is different in SEPM 12.1.1 MP1.

    I have a machine that has generated the following event:

    Risk Name            Occurrences  Description  Actual Action  Requested Action  Secondary Action
    Trojan.Zeroaccess.B  1                         Left alone     Clean             Quarantine

    As far as I understand from this, the trojan should be still there.

    If I search the machine in the SEPM console, the Infected flag is set to "Not infected".

    Please note that the machine is using a SEP 11 RU5 client that is being managed by a SEPM 12.1.1 MP1 server.

    Could anyone explain why the Infected flag is not activated even though the actual action was "Left alone"?

    Am I misinterpreting the logs?


    Thank you.



  • 2.  RE: Infected flag not set in SEPM 12.1.1 MP1 console

    Trusted Advisor
    Posted Jun 08, 2012 06:21 AM

    Hello,

    It is recommended that when migrating the SEPM to the latest version, the clients are supposed to be migrated as well.

    SEP 11.x clients would surely be able to communicate with SEPM 12.1; however, there are a lot of changes in SEP 12.1 policies and features when compared to SEP 11.x.

    However, in your case, I would advise you to run a Full Scan in Safe Mode and check again.

    and 

    Check this Thread: https://www-secure.symantec.com/connect/forums/virus-found-left-alone

    Check these Articles:

    Explanation of Action field values in Symantec Endpoint Protection 11 and Symantec AntiVirus 10.1

    http://www.symantec.com/docs/TECH102052

    Best Practices for responding to "Left Alone" in the virus or threat history log

    http://www.symantec.com/docs/TECH101661

    Hope that helps!!



  • 3.  RE: Infected flag not set in SEPM 12.1.1 MP1 console

    Posted Jun 08, 2012 06:42 AM

    Thank you for your reply.

    I have just installed SEPM 12.1.1 MP1 and we are still in testing phase for the new SEP client settings, so I will also upgrade the clients, but not immediately.


    My problem is that I do not really know how to find out what machines are infected.

    If I go to Monitors->Logs and I select computer status with the Infected only compliance criteria set, I do not see any infected machine. I have set up notification to receive an email every time a malware is detected in the environment and I have at least 2 machines that are in the same situation as the one described above: auto-protect has found a malware, the actions should have been clean/quarantine and the actual action is leave alone.

    Should I ignore the report generated as described above and rely only on the report generated from Monitors->Logs->Risk and filter the report to just see the "Left alone" actual action?

    I am a little confused, as the people who actually clean the malware in the environment are not directly informed about the malware and I have to generate a report for them.

    I used to generate this report by using the sections in the Home page (Still infected). As this option does not meet my requirements at the moment (it only reports the 12.1 and above clients), I have to use some other way of generating the report.


    Could you please suggest the best approach for generating this report in order to make sure that it contains information about all the infected machines in the environment (no matter what client version is installed on the machine)?

    Thank you.



  • 4.  RE: Infected flag not set in SEPM 12.1.1 MP1 console

    Posted Jun 08, 2012 06:59 AM

    Try this report once.

    Monitor-->logs-->risk



  • 5.  RE: Infected flag not set in SEPM 12.1.1 MP1 console

    Posted Jun 08, 2012 07:08 AM

    I was hoping there would be some other way because, in this case, I cannot rely on the "AV engine turned off" flag or any other of the compliance criteria either.

    And regarding your solution: I should either generate a report with all the malware detected in the environment (removed or not) or generate multiple reports for "Left alone", "No repair available", etc.

    I still do not understand one thing: am I right saying that the infected flag should have been set to Infected in this case?


    Thank you.
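    An added example (not from this thread, and not Symantec's code) of the approach discussed in posts 3 and 5: instead of depending on the console's Infected flag, derive a "still infected" list from the Risk log itself. It assumes the Risk log has been exported to CSV with the columns shown in the first post plus "Computer Name" and "Event Time" (assumed column names), and that "Cleaned", "Quarantined" and "Deleted" are the Actual Action values that mean the threat was handled (assumed; check TECH102052 for the full list). The sample rows are constructed. A threat counts as unresolved only if the most recent event for that computer and risk name is "Left alone" or "No repair available", so a later successful clean on the same machine clears it; any Actual Action value the script does not recognise is reported separately rather than silently treated as clean.

```python
"""Derive a 'still infected' machine list from a SEPM Risk log CSV export."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Actual Action values that mean the threat is still on the machine.
# "Left alone" and "No repair available" are the values discussed in the thread;
# extend this set from the action list in TECH102052 if your export shows others.
UNRESOLVED_ACTIONS = {"Left alone", "No repair available"}

# Actual Action values that mean the threat was dealt with (assumed values).
RESOLVED_ACTIONS = {"Cleaned", "Quarantined", "Deleted"}

# Constructed sample of a Risk log CSV export. Column names follow the event
# shown in the first post; "Event Time" and "Computer Name" are assumed columns.
SAMPLE_RISK_LOG = """\
Event Time,Computer Name,Risk Name,Occurrences,Actual Action,Requested Action,Secondary Action
2012-06-07 09:12:00,WS-0101,Trojan.Zeroaccess.B,1,Left alone,Clean,Quarantine
2012-06-07 09:30:00,WS-0102,Trojan.Gen,1,Quarantined,Clean,Quarantine
2012-06-07 10:05:00,WS-0103,Trojan.Zeroaccess.B,1,Left alone,Clean,Quarantine
2012-06-07 11:40:00,WS-0103,Trojan.Zeroaccess.B,1,Cleaned,Clean,Quarantine
2012-06-08 08:15:00,WS-0104,Backdoor.Trojan,2,No repair available,Clean,Quarantine
2012-06-08 08:20:00,WS-0101,Trojan.Gen,1,Deleted,Clean,Quarantine
"""


def parse_risk_log(text):
    """Parse the CSV export and convert the event time to a datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Event Time"] = datetime.strptime(row["Event Time"], "%Y-%m-%d %H:%M:%S")
    return rows


def still_infected(rows):
    """Return {computer: [risk names]} for threats whose most recent event on that
    machine is unresolved. A later resolved event for the same computer and risk
    name clears the earlier 'Left alone'."""
    latest = {}
    for row in sorted(rows, key=lambda r: r["Event Time"]):
        key = (row["Computer Name"], row["Risk Name"])
        latest[key] = row["Actual Action"]
    result = defaultdict(list)
    for (computer, risk), action in sorted(latest.items()):
        if action in UNRESOLVED_ACTIONS:
            result[computer].append(risk)
    return dict(result)


def unknown_actions(rows):
    """Actual Action values the classifier does not recognise. These should be
    reviewed by hand, not assumed to mean the machine is clean."""
    seen = {r["Actual Action"] for r in rows}
    return sorted(seen - UNRESOLVED_ACTIONS - RESOLVED_ACTIONS)


def format_report(infected):
    """Plain-text report for the people who do the clean-up."""
    lines = ["Computer            Unresolved risks"]
    for computer, risks in infected.items():
        lines.append(f"{computer:<19} {', '.join(risks)}")
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_risk_log(SAMPLE_RISK_LOG)
    print(format_report(still_infected(rows)))
    unknown = unknown_actions(rows)
    if unknown:
        print("Unclassified Actual Action values:", ", ".join(unknown))
```

    With the sample rows, WS-0101 and WS-0104 are listed (their latest events are "Left alone" and "No repair available"), WS-0103 is not (its "Left alone" was followed by "Cleaned"), and WS-0102 is not. The same filter works for any client version, because it reads only what the Risk log recorded rather than the per-client Infected flag.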



  • 6.  RE: Infected flag not set in SEPM 12.1.1 MP1 console

    Posted Jun 08, 2012 07:25 AM

    Can you upgrade the client in question to SEP 12.1 and check once?



  • 7.  RE: Infected flag not set in SEPM 12.1.1 MP1 console

    Posted Jun 08, 2012 07:27 AM

    Unfortunately this is not a solution at the moment.



  • 8.  RE: Infected flag not set in SEPM 12.1.1 MP1 console

    Posted Jun 08, 2012 07:30 AM


  • 9.  RE: Infected flag not set in SEPM 12.1.1 MP1 console

    Posted Jun 08, 2012 07:43 AM

    I had already seen that article.


    I am not referring to the reports section. I saw that most of them are not valid with the SEP clients older than version 12.1.

    I was just wondering if the Infected flag is only valid for the 12.1 and later clients, as the checkbox to select the "Infected only" clients is a new feature in the Monitors->Logs->Computer status section.

    I am also not sure if the Infected flag is accurate anymore for the 11.x clients. If so, this is a very big problem in my opinion, as it was a very useful flag.

    If my fears are correct, this means that I have to filter the information from the Risk monitor in order to get the information I need.


    Can anyone confirm that the "Infected" flag from the SEPM 12.1 and later console is accurate only for the 12.1 and above clients?