Hello,
Case 1: In the Auto-Protect policy, the risk detection action is: 1st Clean, 2nd Leave Alone (Log only)
1) When a threat/risk (one or more) is cleaned, obviously that notification will be triggered and we can receive the notification email, right?
Yes, you would receive a Notification email in this case.
2) When a threat/risk (one or more) cannot be cleaned, will we receive the notification email AND is the infected file still there?
Yes, you would receive a Notification email in this case and the file would be quarantined.
According to your KB, if it's a Trojan, it would be deleted because it is cleaned by deletion. But what about other suspected risks?
For other types of suspected risk, it could be log only, quarantined, or cleaned by deletion.
*** We want to know all possible cases in which a suspected risk file will be "cleaned by deletion" if Symantec cannot "Clean" it. Our concern is, if the affected file or suspected file is a system file, we don't want it to be "cleaned by deletion".
Cleaned by Deletion - Specifies the events where the action configured was Clean, but a file was deleted because that was the only way it could be cleaned. For example, this action is generally needed for Trojan horse programs.
"Cleaning" only works when an otherwise good file is infected with malicious code; the malicious code is removed and the original file is restored (in most circumstances). If a threat is nothing but malicious code, there is nothing to clean, so instead, it is deleted.
Case 2: If the risk detection action is: 1st Leave Alone (Log only)
When a threat/risk (one or more) is found, will we receive the notification email and is the infected file still there?
By default, Symantec Endpoint Protection tries to clean a file that a virus infected. If Symantec Endpoint Protection cannot clean a file, it performs the following actions:
By default, Symantec Endpoint Protection moves any files that security risks infect into the Quarantine.
If you set the action to Log only, then by default, if users create or save infected files, Symantec Endpoint Protection deletes them.
On Windows computers, you can also configure remediation actions for administrator scans, on-demand scans, and Auto-Protect scans of the file system.
You can lock actions so that users cannot change the action on the client computers that use this policy.
NOTE: For security risks, use the Delete action with caution. In some cases, deleting security risks causes applications to lose functionality. If you configure the client to delete the files that security risks affect, it cannot restore the files.
To back up the files that security risks affect, use the Quarantine action instead.
Quarantine is a special storage area that holds objects potentially infected with viruses.
Potentially infected objects are objects that are suspected of being infected by viruses or modifications of them.
Objects stored in Quarantine do not represent a threat to your computer.
Check these articles:
Changing the action that Symantec Endpoint Protection takes when it makes a detection
http://www.symantec.com/docs/HOWTO55248
Managing the Quarantine:
http://www.symantec.com/docs/HOWTO55236
Restoring a false positive file detection from the Symantec Endpoint Protection quarantine:
http://www.symantec.com/docs/TECH150607
Explanation of Action field values in Symantec Endpoint Protection 12.1 and 11, and Symantec AntiVirus 10.1
http://www.symantec.com/docs/TECH102052
Hope that helps!!