Endpoint Protection

Dear Symantec support

May I have your assistance to confirm below questions?

In our SEPM server, we created "Notification Single risk event" and "Risk Outbreak" with criteria "1 computers with virus definitions older than 7 days", and the notification will be send to administrators.

Case 1: In auto protection policy,risk detection action: 1st Cleaned , 2nd Leave Alone (Log only)

                1). --> When a (single or above)threat/risk is cleaned, obsolutionly that notification will be triggered and we can receive the notification email,right?

                2). --> When a (single or above) threat/risk is unable to be cleaned, we will receive the notification email AND the infected file is still there ?

                According to your KB, if it's a Trojan, it would be deleted cuz cleaned by deletion. But how about other suspected risk ?

                ***We want to know all possible cases that suspected risk file will be "cleaned by deletion" if Symantec cannot "Clean" it. Our concern is ,if the affected file, or suspected file is system file, we don’t what it to be “cleaned by deletion”.

 Case 2: If risk detection action is: 1st Leave Alone (Log only)

                 When a (single or above) threat/risk is found, we will receive the notification email and the infected file is still there ?

You will be sent the alert for the risk regardless of what the action is (cleaned, unable to be cleaned, log only, etc.)

I'm not sure you can give an exact number on cases. If the file can simply be cleaned (malicious code removed) than great, but if it can't than it would be deleted.

Yes, you would receive notification even on Log Only.

Basically, any time a risk is detected, regardless of the action, if you have the alert configured, you will receive it.

We want to know how to configure risk detection action which can clean virus, if symantec cannot clean, then leave only or quarantine only, not to do clean by deletion action anytime. but according to our test, if we set to first action clean, second action log only, there will be result "clean by deletion". We don't want any suspected infected files will be deleted.

Cleaned by Deletion - Specifies the events where the action configured was Clean, but a file was deleted because that was the only way it can be cleaned. For example, this action is generally needed for Trojan horse programs. http://www.symantec.com/business/support/index?page=content&id=TECH102052

Hello,

Case 1: In auto protection policy,risk detection action: 1st Cleaned , 2nd Leave Alone (Log only)

                1). --> When a (single or above)threat/risk is cleaned, obsolutionly that notification will be triggered and we can receive the notification email,right?

Yes, you would receive a Notification email in this case.

                2). --> When a (single or above) threat/risk is unable to be cleaned, we will receive the notification email AND the infected file is still there ?

Yes, you would receive a Notification email in this case and the file would be quarantined.

                According to your KB, if it's a Trojan, it would be deleted cuz cleaned by deletion. But how about other suspected risk ?

For other type of suspected risk, it could be log only, quarantined or cleaned by deletion.

                ***We want to know all possible cases that suspected risk file will be "cleaned by deletion" if Symantec cannot "Clean" it. Our concern is ,if the affected file, or suspected file is system file, we don’t what it to be “cleaned by deletion”.

Cleaned by Deletion - Specifies the events where the action configured was Clean, but a file was deleted because that was the only way it can be cleaned. For example, this action is generally needed for Trojan horse programs.

"Cleaning" only works when an otherwise good file is infected with malicious code; the malicious code is removed and the original file is restored (in most circumstances). If a threat is nothing butmalicious code, there is nothing to clean, so instead, it is deleted.

 Case 2: If risk detection action is: 1st Leave Alone (Log only)

                 When a (single or above) threat/risk is found, we will receive the notification email and the infected file is still there ?

By default, Symantec Endpoint Protection tries to clean a file that a virus infected. If Symantec Endpoint Protection cannot clean a file, it performs the following actions:

If you set the action to log only, by default if users create or save infected files, Symantec Endpoint Protection deletes them.

On Windows computers, you can also configure remediation actions for administrator scans, on-demand scans, and Auto-Protect scans of the file system.

You can lock actions so that users cannot change the action on the client computers that use this policy.

NOTE: For security risks, use the Delete action with caution. In some cases, deleting security risks causes applications to lose functionality. If you configure the client to delete the files that security risks affect, it cannot restore the files.

To back up the files that security risks affect, use the Quarantine action instead.

 

Quarantine is a special storage area that holds objects potentially infected with viruses.

Potentially infected objects are objects that are suspected of being infected by viruses or modifications of them.

Objects stored in Quarantine do not represent a threat to your computer. 

Check these Articles:

Changing the action that Symantec Endpoint Protection takes when it makes a detection

http://www.symantec.com/docs/HOWTO55248

Managing the Quarantine:

http://www.symantec.com/docs/HOWTO55236

Restoring a false positive file detection from the Symantec Endpoint Protection quarantine:

http://www.symantec.com/docs/TECH150607

Explanation of Action field values in Symantec Endpoint Protection 12.1 and 11, and Symantec AntiVirus 10.1

http://www.symantec.com/docs/TECH102052

Hope that helps!!