Endpoint Protection


Rescanning Quarantined files?

  • 1.  Rescanning Quarantined files?

    Posted Jun 11, 2013 08:48 AM

    I work as a Desktop Administrator in a large healthcare environment.  We use SEP on all clients, and SEE on selected clients.  One of my duties is to monitor the SEP logs under Risk, Network Threat, and SONAR.  If a client shows up, even if the offending file has been quarantined, I'm told we still need to rescan that device and log a ticket for it.  This is obviously a very time-consuming and tedious task that I see as completely pointless.

    If SEP has quarantined a file, or blocked an attack, wouldn't that indicate the client is safe, and that the SEP system is working?

    Does it make sense to rescan a machine, with distrust for the product itself, or should we be OK with SEP doing its job, and not think that SEP reported an attack but still let something through that could be harmful?

    Any opinions? 


    Thanks,

    R77



  • 2.  RE: Rescanning Quarantined files?

    Posted Jun 11, 2013 08:52 AM

    It will be re-scanned only when new defs arrive. This is because the new defs may be able to repair the quarantined file and restore it.



  • 3.  RE: Rescanning Quarantined files?

    Posted Jun 11, 2013 08:55 AM

    Let's say that there was a Word file which was infected. SEP at that time will not be able to clean the file and will then quarantine it to avoid further infection. Symantec would release new defs which would take care of this issue. When new defs arrive and scan it, it will clean it and put it back where it was.

    That's why sometimes scanning the quarantine is important.



  • 4.  RE: Rescanning Quarantined files?

    Posted Jun 11, 2013 09:08 AM

    We're not rescanning the quarantined files, just the client machine.  Once a violation is picked up, the file is moved to our quarantine server, and never restored unless we manually go in and allow the file.  Most of the hits are adware, malware, or phony Flash players, PDF readers, etc.  Unfortunately, there are practically zero controls on users just surfing to wherever and downloading whatever.

    That is for Risk violations, in which there is an actual file to be dealt with.

    We also scan machines for Network Threats, in which SEP reports the attack was blocked, which is another thing I wonder about: why are we scanning a machine that successfully blocked the attack, and also used Active Response to block traffic to and from the offending IP?




  • 5.  RE: Rescanning Quarantined files?

    Posted Jun 11, 2013 09:18 AM

    If SEP picks up an infected file and moves it to quarantine, that file is then blocked from the rest of the system. Nothing will be able to access it. So in this regard, it should be safe.

    Best practice says that you should scan the system again with the latest defs in safe mode. It really depends on what your policy calls for, though.



  • 6.  RE: Rescanning Quarantined files?

    Posted Jun 11, 2013 09:22 AM

    A file might be quarantined by a full scan or by Auto-Protect. Since Auto-Protect will not scan all the files like a full scan does, as a precautionary measure I think they just want to make sure that the system is clean.

    You are right. AFAIK even I have not restored anything from Quarantine so far (apart from false positives).

    SEP might block an attack (outgoing), but there might be a worm residing which will do the same sort of job on another machine in the network. An infected machine might randomly pick any machine in the network from My Network Places and start all sorts of unwanted traffic.

    When you find a system is infected from AP / full scan / NTP, a full scan gives reassurance.



  • 7.  RE: Rescanning Quarantined files?

    Posted Jun 11, 2013 09:42 AM

    We use a custom scan, not a full scan.  I'm not sure what is custom about it, though.  I know that LU is disabled for users, as new defs are pushed from our server.  I think that is once a day.

    So I get a machine with, say, an Adware.DomainQ violation.  It shows in our Risk logs as a new violation.  We are scanning right away.  Not once have I ever seen a scan result come back as still infected.  They always just say scan completed, with no new violations popping up.

    I'm the low guy here, so I'm not really in a position to force any changes, but I was curious to see why we are doing this.  I guess I'll just live with it.


    Thank you both for your responses.  I will mark as a split solution.



  • 8.  RE: Rescanning Quarantined files?

    Posted Jun 11, 2013 09:49 AM

    If you have access to the SEPM, you should be able to have a peek at the custom scan.

    And generally, if SEP deletes, cleans, or quarantines the file, no further action is usually needed. But it is always good to scan again to confirm (best practice). Some companies lack resources, so they may just live with what SEP's initial action was.



  • 9.  RE: Rescanning Quarantined files?

    Posted Jun 11, 2013 09:59 AM

    A custom scan is what you define. If you feel that you should run a scan next Sunday, you can go ahead and create one in SEPM.

    A few things are "process defined" that we need to follow as per the client requirement. :)



  • 10.  RE: Rescanning Quarantined files?

    Trusted Advisor
    Posted Jun 11, 2013 12:58 PM

    Hello,

    As stated above, when SEP quarantines files, by default policy it rescans those files in order to repair them.

    If the new definitions include repairs for quarantined files, Symantec Endpoint Protection repairs the files. The client also restores the files to their previous location without notifying the user.

    Automatically repair and restore files in Quarantine silently is the default policy.

    1. Login SEPM,
    2. Click on Policies
    3. Go into the Virus and Spyware  Protection Policy
    4. Select Quarantine
    5. For the setting When New Virus Definitions Arrive select to Automatically repair and restore files in Quarantine silently.

    However, a lot of administrators disable the policy by changing it to "Do Nothing".

    In such cases, it becomes important to scan the machines with the Latest Rapid Release Definitions which may assist them to repair those files.

    The following articles contain a lot of good advice:

    Best practices for troubleshooting viruses on a network

    http://www.symantec.com/docs/TECH122466

    Symantec Endpoint Protection – Best Practices: Stopping Malware and other Threats.

    http://www.symantec.com/theme.jsp?themeid=stopping_malware

    Hope that helps!!
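    The replies above (posts 5, 6, 8 and 10) converge on a rule of thumb: a risk event whose action was quarantine, clean or delete normally needs no follow-up, while an incomplete action, a host that keeps re-detecting the same family, or a blocked attack that the host itself originated does warrant a rescan ticket. The script below is an added example, not code from the thread or from Symantec, that applies those rules to an exported log. The CSV column names (`log_type`, `event_time`, `computer`, `risk_name`, `action_taken`, `direction`, `file_path`) and every sample row are constructed for the example and are assumptions, not the real SEPM export schema; the signature name in the Network Threat rows is likewise made up.

```python
"""Triage SEP risk / network-threat events: which hosts still need a rescan ticket?

Added example. The export format below is an assumption modelled loosely on a
SEPM log export; adjust the column names to match your own SEPM export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data). Backslashes are doubled for Python.
SAMPLE_EXPORT = """\
log_type,event_time,computer,risk_name,action_taken,direction,file_path
Risk,2013-06-11 08:10:00,HC-WS-0412,Adware.DomainQ,Quarantined,,C:\\Users\\jdoe\\Downloads\\flashplayer_setup.exe
Risk,2013-06-11 08:12:00,HC-WS-0412,Adware.DomainQ,Quarantined,,C:\\Users\\jdoe\\AppData\\Local\\Temp\\dq2.exe
Risk,2013-06-11 08:15:00,HC-WS-0412,Adware.DomainQ,Quarantined,,C:\\Users\\jdoe\\AppData\\Local\\Temp\\dq3.exe
Risk,2013-06-11 08:30:00,HC-WS-0099,Trojan.Gen,Left alone,,C:\\Windows\\Temp\\svc.dll
Risk,2013-06-11 09:00:00,HC-WS-0203,Bloodhound.PDF,Cleaned,,C:\\Users\\asmith\\Downloads\\invoice.pdf
Network Threat,2013-06-11 09:05:00,HC-WS-0310,OS Attack: RPC exploit attempt (constructed),Blocked,Outbound,
Network Threat,2013-06-11 09:06:00,HC-WS-0555,OS Attack: RPC exploit attempt (constructed),Blocked,Inbound,
"""

# Actions that mean the detected object itself is no longer a live threat.
COMPLETE_ACTIONS = {"quarantined", "cleaned", "deleted"}
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_export(text):
    """Parse the CSV export into dicts, converting event_time to datetime."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["event_time"] = datetime.strptime(row["event_time"], TIME_FMT)
    return rows


def repeated_within(events, threshold, window):
    """True if `threshold` events (already time-sorted) fall inside one `window`."""
    times = [r["event_time"] for r in events]
    for i in range(len(times)):
        j = i + threshold - 1
        if j < len(times) and times[j] - times[i] <= window:
            return True
    return False


def triage(rows, repeat_threshold=3, window=timedelta(hours=1)):
    """Return {computer: (needs_rescan, reason)} for every host in the export."""
    by_host = defaultdict(list)
    for row in rows:
        by_host[row["computer"]].append(row)

    verdicts = {}
    for host, events in by_host.items():
        events.sort(key=lambda r: r["event_time"])
        risk_events = [r for r in events if r["log_type"] == "Risk"]
        ntp_events = [r for r in events if r["log_type"] == "Network Threat"]

        # Rule 1: a risk event whose action left the object in place needs a rescan.
        incomplete = [r for r in risk_events
                      if r["action_taken"].lower() not in COMPLETE_ACTIONS]
        if incomplete:
            r = incomplete[0]
            verdicts[host] = (True, f"remediation incomplete: {r['risk_name']} "
                                    f"was '{r['action_taken']}'")
            continue

        # Rule 2: the same host re-detecting repeatedly means something SEP has
        # not caught keeps dropping files; quarantine alone is not closing it.
        if repeated_within(risk_events, repeat_threshold, window):
            verdicts[host] = (True, f"{repeat_threshold}+ detections within {window}: "
                                    f"likely an undetected dropper")
            continue

        # Rule 3: a blocked *outbound* attack means this host is the one attacking.
        outbound = [r for r in ntp_events if r["direction"].lower() == "outbound"]
        if outbound:
            verdicts[host] = (True, f"outbound attack blocked ({outbound[0]['risk_name']}): "
                                    f"host is originating hostile traffic")
            continue

        verdicts[host] = (False, "remediation complete or inbound attack blocked; log only")
    return verdicts


if __name__ == "__main__":
    for host, (rescan, reason) in sorted(triage(parse_export(SAMPLE_EXPORT)).items()):
        print(f"{host}: {'RESCAN ' if rescan else 'log    '} {reason}")
```

    Thresholds are the tunable part: `repeat_threshold` and `window` should be set from what your own Risk log shows for a single user downloading one fake Flash installer, so that a normal drive-by does not trip the repeat rule but a host re-infecting itself every few minutes does.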



  • 11.  RE: Rescanning Quarantined files?

    Posted Dec 01, 2013 10:49 PM

    Before, I had the same issue on 11 RU6.

    Quarantined files are still being scanned even if I have turned off the feature where SEP re-scans them after receiving new definitions.

    They were usually detected at every daily scheduled scan at 12 noon, usually in the SRSTP folder.

    After upgrading to 12.1.4 RU4, I have changed the policies from Clean/Quarantine to Clean/Delete.

    I don't know if I will re-enable Quarantine again to confirm if the previous problem was corrected already in the current version.