
Manual Scan is unable to clean a detected virus on a mapped network share

Created: 05 Jan 2012 • Updated: 23 Jan 2013 | 7 comments
This issue has been solved. See solution.

Most of our data is stored on a "Netapp" data filer. The SEP clients connect over a mapped network drive to those CIFS shares. On the "Netapp" filer no antivirus product scans the data in real time. Therefore network scan is activated on all clients.

Our previous scan software was not able to scan the data on those mapped network folders in real time (Auto-Protect). That's why several hundred Excel documents are infected with an old macro virus, "X97M.Laroux.gen".

I created some manual scans on a SEP 12.1 client with network scan activated, as a user with admin rights on the specified network folders. The actions in the scan options are set to "clean risk / quarantine risk". The scan detects all of the infected files but is not able to clean the files directly. The result is "log only", "the file was left unchanged".

When I navigate to that folder in "Windows Explorer" on the same client with the same user, "Auto-Protect" also detects the infected file and is able to clean it.

Why is Auto-Protect able to clean the files but a manual scan isn't?

7 Comments

Mithun Sanghavi:

Hello,

Nice Question.

Auto-Protect: scans whenever a file is accessed or modified in memory, in real time.

Auto-Protect is the first line of defense against threats by providing real-time protection for your computer. Whenever you access, copy, save, move, open or close a file, Auto-Protect scans the file to ensure that a threat has not attached itself. By default, it loads when you start your computer to guard against threats and security risks. It also monitors your computer for any activity that might indicate the presence of a threat or security risk. Auto-Protect can determine a file's type even when a threat changes the file's extension.

Note: Auto-Protect does not function on Linux platforms, you must run a manual scan on those machines to detect threats.

Example: A threat changes a file's extension to one that is different from what you configured Auto-Protect to scan. When a threat, threat-like activity (an event that could be the work of a threat), or a security risk is detected, Auto-Protect alerts and takes the necessary steps to either clean, quarantine, delete or leave alone (log only) the detection of a threat depending upon the Actions configured for each detection type.


Full Scan: it will scan each file, starting with A and going to Z. It is not real time; it is manual or scheduled.

Full system scans are the antivirus and antispyware scans that detect known viruses and security risks. For the most complete protection, you should schedule occasional scans for your client computers. Unlike Auto-Protect, which scans files and email as they are read to and from the computer, a full system scan detects viruses and security risks on demand.

A full system scan detects viruses and security risks by examining all files and processes (or a subset of files and processes). A full system scan can also scan memory and load points.

A full system scan does the following:

  1. Scans the system memory and all the common virus and security risk locations. 

  2. Scans the entire computer for viruses and security risks, including the boot sector and system memory.

Check these articles:

Explanation of Action field values in Symantec Endpoint Protection 11 and Symantec AntiVirus 10.1

What Does "Risk was partially removed" Mean?

Best Practices for responding to "Left Alone" in the virus or threat history log

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
ChrisMatt:

Hi Mithun,

A manual scan with the same options is able to remove the virus if the network drive is not mapped to a DFS (distributed file system) share.

Example:
Created a custom scan that scans the folder g:\share1 while g:\ is mapped to the DFS share "company-intra.net\dfs\group". Result: the scan is not able to remove the virus from the infected files (Left alone).

Created a similar custom scan that scans the folder g:\share while g:\ is mapped to the absolute share on the NetApp storage \\filer1.company-intra.net\group01$. Result: the scan is able to remove the virus.

Is there any known issue with scanning DFS Shares?
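The workaround the two tests above point at is to scan through a drive letter mapped to the share's absolute UNC path rather than through the DFS namespace. The PowerShell below is an added example, not code from the original thread or from Symantec: it resolves a DFS folder to its underlying target shares, picks one that is online and reachable, and remaps the drive letter to it so the manual scan in the SEP client can then be pointed at that drive. It assumes the DFSN module (RSAT "DFS Management Tools") is installed on the client and that the account can read the namespace; the DFS path and drive letter are placeholders taken from the thread.

```powershell
# Added example (not from the thread or from Symantec). Remap a drive letter from a
# DFS namespace folder to the absolute server share behind it, so a manual SEP scan
# runs against the direct path that cleaned successfully in the test above.
# Assumptions: the DFSN PowerShell module is available (RSAT "DFS Management Tools"),
# the DFS path is a DFS folder (not the namespace root), and the SEP scan is started
# afterwards from the client UI against the remapped drive.

param(
    [string]$DfsPath     = '\\company-intra.net\dfs\group',   # DFS folder the drive currently points to (placeholder)
    [string]$DriveLetter = 'G'                                # drive letter used by the custom scan
)

Import-Module DFSN -ErrorAction Stop

# Resolve the DFS folder to its target shares and keep only the targets marked online.
$targets = Get-DfsnFolderTarget -Path $DfsPath |
           Where-Object { "$($_.State)" -eq 'Online' } |
           Select-Object -ExpandProperty TargetPath

if (-not $targets) { throw "No online DFS target found for $DfsPath" }

# Prefer a target this client can actually reach (hidden shares such as group01$ are fine).
$target = $targets | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $target) { throw "No reachable DFS target for $DfsPath (tried: $($targets -join ', '))" }

# Drop the existing mapping (DFS-based) and remap the same letter to the absolute share.
if (Test-Path -LiteralPath "${DriveLetter}:\") {
    & net use "${DriveLetter}:" /delete /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not remove existing mapping for ${DriveLetter}:" }
}
& net use "${DriveLetter}:" $target /persistent:no | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not map ${DriveLetter}: to $target" }

# Sanity check: the remapped drive must no longer resolve through the DFS namespace.
$mapped = (Get-PSDrive -Name $DriveLetter -ErrorAction Stop).DisplayRoot
Write-Output "Drive ${DriveLetter}: now maps to $mapped (was $DfsPath). Point the manual scan at ${DriveLetter}:\"
```

Run it in an elevated PowerShell session on the scanning client before starting the custom scan; if the namespace has several targets, the first reachable one is chosen, so check the printed path is the replica you intend to clean.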

peter ashley:

Please open a support ticket.  Ask for instructions on enabling debug logging and then run the two cases again with client debug logging on and submit that to support for analysis.  Thanks.

Mithun Sanghavi:

Hello,

I don't think there is a known issue with scanning DFS shares.

Questions:

Are you creating the Custom scan and Manual Scan from the SEP client directly?

Again, could you check the Scan Actions to be taken, when setting up the Custom scan?

Again, does accessing the DFS require permissions to delete the files, or only to access these files?

ChrisMatt:

In between I set up a new SEP Client with 12.1 RU1 and made several tests using manual scans.

  • I double-checked the scan actions. They're set to clean/quarantine.
  • I double-checked the permissions for accessing the DFS. As an Administrator I have all necessary rights to delete, create or modify the files. I'm also able to delete or change the files using Windows Explorer.

When mapping a drive to the absolute path instead of using the DFS share, the manual scan with the same settings and under the same user is able to clean the files.

As suggested I opened a support ticket.

Mithun Sanghavi:

Hello,

If you have opened a case, could you please PM me with your case number?

Thank you in advance.