Endpoint Protection

  • 1.  Problems Removing SpyWare with Symantec Multi-tier Protection Small Business Edition

    Posted Apr 10, 2009 04:18 AM

    Hello,

    I'm extremely frustrated. I've just spent all day and most of the night attempting to remove the trojan.malscript!html and trojan.fakeavalert infections from one workstation using Symantec's Multi-tier Protection Small Business Edition, with no success yet.

    I'm two weeks into a four week evaluation period and this is the first real snag. Although I'm new at this product, I thought it should be easy to remove these, supposedly simple to remove, infections. (NOTE: I don't understand how I am to effectively evaluate this product with no support from the manufacturer!)

    Based on my years of successful use of Norton's consumer products, both personally and for many clients, two weeks ago I installed Symantec Multi-tier Protection Small Business Edition on a client's small network (Microsoft's Small Business Server 2003 R2 - 1 server, 4 workstations). They had been running Norton's Internet Security on each workstation, with no protection on the server. I convinced them to use a server based product mainly so that the server could be protected for not much more annual cost than protecting just the workstation. Central management of the workstations was just a bonus. I hope I don't regret my recommendation.

    I have had no problems installing the product, both the server side and workstation side. Although slow, the management console and "push" installation worked as expected.

    However, today one of the workstations was infected with the two viruses / spyware indicated above. Well, ok, that happens. So using RAS, I logged onto the workstation and manually started a scan. It found the two infections, reported trojan.malscript!html as quarantined and trojan.fakeavalert as needing to have the process or service stopped. (See attached screen shot.) I found what I believed to be the process and stopped it. After the scan completed, I clicked the "remove risks now" button, OK'd the subsequent message that the Endpoint product would need to end some processes / services and let the removal processes finish. Then, as instructed by the program, I rebooted the workstation. Then after it started again, it asked me to reboot the workstation again. The infections appeared to be gone - for a few minutes. Then they came back.

    I've done this a couple of times, doing some sleuthing in between, with no luck.

    So I need help in two areas.

    1.) The scans appear to be scanning Symantec's quarantined items, finding the infections in the quarantine files and listing them as a new infection, round and round it goes! I assumed that the default installation / policies would have excluded the quarantine directories from being rescanned. Apparently not - and I can't find where to change the policies to do so. So please tell me where / how to do this.

    2.) How do I get the product to remove the infections! I suspect that if I were to purchase and install a consumer tool such as PC SpyWare Doctor that it would remove the infection. So why can't I get this high end product to do so? Please tell me how.

    Thanks,

    Tom Sawyer
     





  • 2.  RE: Problems Removing SpyWare with Symantec Multi-tier Protection Small Business Edition

    Posted Apr 10, 2009 04:47 AM
    Hi Tom,

    What are the locations where Symantec detects the spyware?

    If it is a storage drive, please check the permission.

    If it is a local drive, you can start a full scan in safe mode.

    If Symantec detects it as a virus or spyware, it will definitely also be cleaned or deleted.



  • 3.  RE: Problems Removing SpyWare with Symantec Multi-tier Protection Small Business Edition

    Posted Apr 10, 2009 05:34 AM
    I have also faced a similar problem many times with the Client Security 3.1 product, when it asks to reboot the system again and again for the same threat at the same location. Safe mode scanning does help sometimes, but not always.

    But in Endpoint Protection I have never faced this problem. You can try safe mode scanning and can also manually delete the infected file with some registry editing.

    Look up the infection location for the particular threat on Symantec's website and do a manual removal.


  • 4.  RE: Problems Removing SpyWare with Symantec Multi-tier Protection Small Business Edition

    Posted Apr 10, 2009 06:45 AM
    Please check your Symantec if any Microsoft patches are missing.