Endpoint Protection

  • 1.  Newbie here with a very basic questions - don't laugh.

    Posted Aug 23, 2012 10:05 AM

    I've recently been thrown to the wolves... I mean thrown into a support role for Endpoint.

    When Symantec runs, finds a virus, acts on it and then reports the workstation cleaned, is it safe to assume that the virus is gone from the machine?
    No further intervention on my part? Correct?

    When it quarantines it, is the machine still "infected"?
    Do I need to get on the workstation and run the recommended tool or follow the manual directions?

    When it logs it, is the machine still infected?
    Do I need to get on the workstation and run the recommended tool or follow the manual directions?

    When Symantec cleans a virus, is it running the recommended cleaning tools or is it dealing with it in another way?

    Thank you..

    New Virus Hunter....



  • 2.  RE: Newbie here with a very basic questions - don't laugh.

    Posted Aug 23, 2012 10:14 AM

    Is your system infected? Try this tool:

    https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection


    If the machine does not have Internet access and you want to scan it, you would anyway need to download the latest definitions if you want the scan to be effective (http://www.symantec.com/docs/TECH131732).

    Another technology exists, called PowerEraser (http://www.symantec.com/theme.jsp?themeid=spe-user-guide), which is to be considered more like a generic removal tool, but it also requires Internet access to communicate with Symantec reputation servers.

    Edit.

    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

     http://www.symantec.com/business/support/index?pag...

     Video - https://www-secure.symantec.com/connect/videos/sym...

     Note: If the issue is resolved, then please mark this thread as solved.



  • 3.  RE: Newbie here with a very basic questions - don't laugh.

    Posted Aug 23, 2012 04:20 PM

    Hello,

    Please find some non-definitive answers below.

    I've recently been thrown to the wolves... I mean thrown into a support role for Endpoint.

    Have you considered getting some security-related training and certifications to hold that role?

    When Symantec runs, finds a virus, acts on it and then reports the workstation cleaned, is it safe to assume that the virus is gone from the machine?

    If the virus has been blocked before running and infecting the machine, you are safe.

    If the virus infected the machine (strange system behaviours?), you need to read the threat's write-up to know if something else is required locally and keep the system under closer monitoring.


    No further intervention on my part? Correct?

    Incorrect. Even if the system has been cleaned, there is still the funniest part... how did that system get the malware? What can you do to prevent it from happening again on the same system or on other systems?

    When it quarantines it, is the machine still "infected"?

    If the virus has been quarantined before running and infecting the machine, you are safe.

    If the virus infected the machine (strange system behaviours?), you need to read the threat's write-up to know if something else is required locally and keep the system under closer monitoring.

    Do I need to get on the workstation and run the recommended tool or follow the manual directions?

    Yes, if indicated in the threat's write-up.

    When it logs it, is the machine still infected?
    Do I need to get on the workstation and run the recommended tool or follow the manual directions?

    If the action taken is "log only", generally you need to get on the workstation and apply what is suggested in the write-up for that threat.

    When Symantec cleans a virus, is it running the recommended cleaning tools or is it dealing with it in another way?

    There's a built-in removal engine which is updated via LiveUpdate more often than the cleaning tools, hence it is generally better than the tools.




  • 4.  RE: Newbie here with a very basic questions - don't laugh.

    Trusted Advisor
    Posted Aug 24, 2012 04:51 AM

    Hello,

    Since there are a lot of questions, I will try my level best to explain by providing answers to your questions... We are here to assist you always.

    When Symantec runs, finds a virus, acts on it and then reports the workstation cleaned, is it safe to assume that the virus is gone from the machine? No further intervention on my part? Correct?

    At this time, you as an SEP Administrator would have to check what action Symantec took on the file detection; check these articles:

    Explanation of Action field values in Symantec Endpoint Protection 11 and Symantec AntiVirus 10.1

    http://www.symantec.com/docs/TECH102052

    What Does "Risk was partially removed" Mean? http://www.symantec.com/docs/TECH94475

    Best Practices for responding to "Left Alone" in the virus or threat history log

    http://www.symantec.com/docs/TECH101661

    Changing the action that Symantec Endpoint Protection takes when it makes a detection

    http://www.symantec.com/docs/HOWTO55248

    ===================================

    When it quarantines it, is the machine still "infected"? Do I need to get on the workstation and run the recommended tool or follow the manual directions?

    Quarantine is a special storage area that holds objects potentially infected with viruses. Potentially infected objects are objects that are suspected of being infected by viruses or modifications of them. Objects stored in Quarantine do not represent a threat to your computer.

    When a file is stored in Quarantine, Symantec rescans those quarantined files with the latest definitions, which in turn may clean these files.

    ========================================


    When it logs it, is the machine still infected? Do I need to get on the workstation and run the recommended tool or follow the manual directions?

    Correct. It is recommended that you check the client machine.

    Secondly, if you see SEPM version 11.x reporting machines with "Still Infected" status, this is due to database entries that are marked for deletion but still included in the query that calculates the "Still Infected" count. The database is not purged automatically, so we have to clear it manually.

    Check this article:

    How to clear the "Still Infected" status from Reports in the Symantec Endpoint Protection Manager version 11.x http://www.symantec.com/docs/TECH102954


    ==================================


    When Symantec cleans a virus, is it running the recommended cleaning tools or is it dealing with it in another way?

    Symantec cleans the virus files when the latest definitions have been loaded on the SEP client machines and your machine is scanned.

    At last, I would recommend that you check the articles below, which will assist you in your new role as SEP Administrator:

    Security Response recommendations for Symantec Endpoint Protection settings

    http://www.symantec.com/docs/TECH122943

    Symantec Endpoint Protection – Best Practices: Stopping Malware and other threats

    http://www.symantec.com/theme.jsp?themeid=stopping_malware

    Security Best Practice Recommendations http://www.symantec.com/docs/TECH91705 

    Best practices for responding to active threats on a network

    http://www.symantec.com/docs/TECH122466


    Hope that helps!!
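    A small triage script written for this thread (an added example, not Symantec's code or its real log format): it parses a constructed detection export, keeps only the most recent action per host, threat and file so that a later quarantine after a rescan with newer definitions supersedes an earlier "Left alone", and lists the hosts whose latest action (left alone, logged only, partially removed) still needs the write-up's manual steps. The column names and action strings are assumptions, not the exact SEP report schema.

```python
"""Triage of SEP-style detection records by the Action field.
Added example; not Symantec code. The record format and action strings are
constructed for illustration and are not the exact SEP log schema."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Actions that resolve a detection versus actions that need a human to follow up
RESOLVED = {"Cleaned", "Quarantined", "Deleted"}
FOLLOW_UP = {"Left alone", "Logged only", "Partially removed"}

# Constructed sample export (not a real SEP log): time, host, threat, file, action
SAMPLE_CSV = """time,host,threat,file,action
2012-08-23 09:00,WS01,Trojan.Example,C:\\tmp\\a.exe,Left alone
2012-08-23 09:30,WS01,Trojan.Example,C:\\tmp\\a.exe,Quarantined
2012-08-23 10:00,WS02,Worm.Example,C:\\tmp\\b.exe,Partially removed
2012-08-23 10:05,WS03,Adware.Example,C:\\tmp\\c.dll,Logged only
2012-08-23 11:00,WS04,Trojan.Example,C:\\tmp\\d.exe,Cleaned
"""

def parse_records(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M")
    return rows

def latest_action_per_file(records):
    """Keep only the most recent action for each (host, threat, file): a
    later rescan with newer definitions can supersede an earlier 'Left alone'."""
    latest = {}
    for r in sorted(records, key=lambda r: r["time"]):
        latest[(r["host"], r["threat"], r["file"])] = r
    return latest

def triage(records):
    """Return {host: [reasons]} for hosts whose latest action needs manual follow-up."""
    needs = defaultdict(list)
    for (host, threat, path), r in latest_action_per_file(records).items():
        if r["action"] in FOLLOW_UP:
            needs[host].append(f"{threat} on {path}: {r['action']}")
        elif r["action"] not in RESOLVED:
            needs[host].append(f"{threat} on {path}: unknown action {r['action']!r}")
    return dict(needs)

if __name__ == "__main__":
    for host, reasons in sorted(triage(parse_records(SAMPLE_CSV)).items()):
        print(host, "->", "; ".join(reasons))
```

    Hosts that do not appear in the result had their latest detection cleaned, quarantined or deleted; the ones listed are where the write-up's manual steps still apply.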



  • 5.  RE: Newbie here with a very basic questions - don't laugh.

    Posted Aug 24, 2012 05:17 AM

    Hi New Virus Hunter,

    "Thumbs up" to the advice above.  And do not be afraid to ask any Newbie questions; there are tons of helpful forum members here who all started out as noobs.  &: )

    Just giving a quick recommendation: with malware, an ounce of prevention is worth thousands of dollars' worth of cure.  Definitely research any reports of viral activity in your network and ensure that all detections have a successful result of cleaned, deleted, quarantined, etc.  Then, do determine where the attempted infection came from and secure that avenue.

    Here are some very good preventative best practices from Security Response: do spend time ensuring that they are being followed in your organization.

    http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0

    Hope this helps!  And welcome to the wolfpack.  &: ) 



  • 6.  RE: Newbie here with a very basic questions - don't laugh.

    Posted Aug 27, 2012 04:37 AM

    Hello & welcome on board,

    Here is some interesting reading about IR:

    http://journeyintoir.blogspot.com/2012/08/man-versus-antivirus-scanner.html

    And I kinda agree with the advice stated above... we should consider getting IT Sec training(s).