
Integrity of the files after cleaning a Virus

Created: 11 Feb 2013 • Updated: 11 Feb 2013 | 6 comments
This issue has been solved. See solution.

Hi All,

Good Day..

We are using SEP 12.1 RU1 MP1. What will happen to the integrity of a file after cleaning a virus?

For example: having a doc / zip file with a virus infection, and SEP has removed/quarantined the virus from that file. After the removal, will it open in the normal way?

If not, what can be the remedy for it?

Regards

Ajin

6 Comments

Ashish-Sharma

Check this

Restoring a false positive file detection from the Symantec Endpoint Protection quarantine

Article:TECH150607 | Created: 2011-01-28 | Updated: 2011-01-28 | Article URL http://www.symantec.com/docs/TECH150607

Thanks In Advance

Ashish Sharma

AjinBabu

Hi Ashish,

Thanks for your response.

The tech article 150607 says more about false positive file detection.

What will happen if an actual virus is found in a file and SEP removes the virus from it? At that point, does the integrity of the file remain the same, or will it change? If it changes and the file becomes unusable, what can be the remedy in this scenario?

Regards

Ajin

Brɨan

It will sit in quarantine for the time specified in the SEPM. Each time new defs arrive the quarantine will be scanned to see if it can remedy it. If not, it will not be recoverable.

If SEP has removed (deleted) the file, it is not recoverable.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

SebastianZ

A quote from the SEP client guide:

"When Symantec Endpoint Protection repairs a virus-infected file, you do not need to take further action to protect your computer. If the client quarantines a security risk-infected file, and then removes and repairs it, you do not need to take additional action.

You might not need to act on a file, but you might want to perform an additional action on the file. For example, you might decide to delete a cleaned file because you want to replace it with an original file."

"If Symantec Endpoint Protection finds an infection soon after the infection occurs, the infected file might be fully functional after the client cleans it. In some instances, however, Symantec Endpoint Protection may clean an infected file that a virus already damaged. For example, Symantec Endpoint Protection might find a virus that damages a document file. Symantec Endpoint Protection removes the virus but cannot repair the damage inside the infected file."

...personally I believe the integrity of the file may be compromised depending on the level of infection. As mentioned in the quote above, the virus may damage the file, and even after the threat is repaired/cleaned the damage remains. With a low-level risk a successful repair may not impact the affected file's integrity at all. With a severe infection, even if cleaned, the recommendation is to delete the cleaned file as well and restore/recreate the original one if possible.

When it comes to .zip archives, the infection may concern either the archive itself or the files within the archive. If it is the second scenario, the repair, if successful, would probably not impact the integrity of the other files in the archive.
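The .zip case above can be checked rather than guessed at: compare the cleaned archive with a hash manifest of its members taken before the infection (for example from a backup), and test whether the container itself is still readable. The following is an added example, not code from this thread or from Symantec; the archives, member names and contents are constructed placeholders, and the pre-infection manifest is assumed to be available.

```python
"""Added example (not from the thread or from Symantec): verify what a virus
clean-up did to a .zip archive by comparing it with a hash manifest taken
before the infection (e.g. from a backup). Sample archives are constructed
inline; the member names and contents are made up."""
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_manifest(zip_bytes: bytes) -> dict:
    """Map member name -> SHA-256 of its decompressed content.

    Raises zipfile.BadZipFile if the container (central directory / end
    record) is unreadable, and ValueError if any member fails its CRC-32,
    which is how a member rewritten in place without consistent headers
    shows up.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = zf.testzip()  # name of the first member with a CRC mismatch, or None
        if bad is not None:
            raise ValueError(f"member {bad!r} fails its CRC-32 check")
        return {info.filename: sha256_hex(zf.read(info)) for info in zf.infolist()}


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify each member as unchanged, modified, removed or added."""
    report = {"unchanged": [], "modified": [], "removed": [], "added": []}
    for name in sorted(set(baseline) | set(current)):
        if name in baseline and name in current:
            key = "unchanged" if baseline[name] == current[name] else "modified"
        elif name in baseline:
            key = "removed"
        else:
            key = "added"
        report[key].append(name)
    return report


def check_cleaned_archive(baseline: dict, cleaned_zip: bytes) -> dict:
    """Is the container still readable, and which members survived the
    clean-up byte-for-byte compared with the pre-infection manifest?"""
    try:
        current = archive_manifest(cleaned_zip)
    except (zipfile.BadZipFile, ValueError) as exc:
        return {"archive_intact": False, "error": str(exc)}
    return {"archive_intact": True, **compare_manifests(baseline, current)}


# Constructed sample content; these are placeholders, not real documents.
BASELINE_MEMBERS = {
    "report.docx": b"Quarterly report body (placeholder, not real OOXML)",
    "notes.txt": b"meeting notes\nline two\n",
    "macro.bin": b"\x00MACRO-BLOB\x00",
}


def make_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    # ZIP_STORED keeps member bytes verbatim so the demo can corrupt one in place.
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> tuple:
    baseline_zip = make_zip(BASELINE_MEMBERS)
    baseline = archive_manifest(baseline_zip)  # manifest taken before infection

    # Scenario 1: clean-up rewrote one member and deleted another; container fine.
    cleaned = dict(BASELINE_MEMBERS)
    cleaned["notes.txt"] = b"meeting notes\n"
    del cleaned["macro.bin"]
    survivors = check_cleaned_archive(baseline, make_zip(cleaned))

    # Scenario 2: a byte of a stored member was overwritten without updating
    # the CRC in the headers: the archive opens, but that member is damaged.
    raw = bytearray(baseline_zip)
    raw[raw.index(b"Quarterly")] ^= 0xFF
    crc_damage = check_cleaned_archive(baseline, bytes(raw))

    # Scenario 3: the archive was truncated, so the end-of-central-directory
    # record is gone and nothing inside it can be listed.
    truncated = check_cleaned_archive(baseline, baseline_zip[: len(baseline_zip) // 2])
    return survivors, crc_damage, truncated


if __name__ == "__main__":
    for label, result in zip(("cleaned", "crc damage", "truncated"), demo()):
        print(label, result)
```

A .docx is itself a ZIP container (OOXML), so the same container and CRC check applies to it directly: a cleaned .docx that fails `archive_manifest` will not open in Word either, and the remedy is the backup, not the cleaned copy. Members reported as "unchanged" are byte-identical to the pre-infection baseline, which is the only strong statement about integrity one can make after a clean-up.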

Mithun Sanghavi

Hello,

It completely depends on how much the file is infected. Once the file is infected, SEP tries to clean it as per its presently available definitions.

In case it is not getting cleaned, it would be moved to Quarantine.

Quarantine is a special storage area that holds objects potentially infected with viruses. Potentially infected objects are objects that are suspected of being infected by viruses or modifications of them. Objects stored in Quarantine do not represent a threat to your computer.

Once new definitions are downloaded, the latest definitions would scan the files in the Quarantine and later try to clean them again and possibly restore them.

In case there is no remedy, the file is then deleted.

Check these Articles:

Managing the Quarantine

http://www.symantec.com/docs/HOWTO55236

How to manage quarantined files

http://www.symantec.com/docs/TECH106443

Specify when quarantined files are automatically deleted

http://www.symantec.com/docs/HOWTO55238

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
Chetan Savade

Hi,

You should first try to understand the difference between Removed and Quarantined.

If the file is infected, SEP tries to clean it with the available definitions.

In case it is not getting cleaned, it would be moved to Quarantine and will be scanned against newly released definitions.

As per the SEP client guide, you do not need to take additional action.

So the answer to your questions is as below:

For example: having a doc / zip file with a virus infection, and SEP has removed/quarantined the virus from that file. After the removal, will it open in the normal way?

--> It will depend upon what action SEP has taken against it.

If not, what can be the remedy for it?

--> I don't think there is any remedy; however, a backup prior to the infection will be the possible alternative.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.