Endpoint Protection

  • 1.  SAV characteristic - clarification

    Posted Feb 26, 2009 04:52 AM

    Hi all,

    I am confused about how SAV really works.

    If I have updated definitions, then I insert my USB and launch an .exe file (with a virus), then SAV detects it as a risk or the file is quarantined.

    Does this mean that the definitions cannot stop the virus? Because when I search the virus name, it says to manually remove the strings and values in the registry/system, and after checking my registry it is confirmed that it was modified by the virus, meaning the virus modified my registry, so I am infected? I don't understand, because it says the virus is quarantined but my registry is modified.

    What I did: I got updated definitions but it is still the same; the virus is not a zero-day type.

    How would I know that my SAV is working? Is it because it is detecting a threat, or detecting and stopping a threat without any modification in my system?

    If a virus is detected and it is quarantined, does it still mean that the definitions need to be updated?

    I hope anybody can help me clarify my understanding.



  • 2.  RE: SAV characteristic - clarification

    Posted May 21, 2009 07:51 AM
    If I have updated definitions, then I insert my USB and launch an .exe file (with a virus), then SAV detects it as a risk or the file is quarantined.

    Does this mean that the definitions cannot stop the virus? Because when I search the virus name, it says to manually remove the strings and values in the registry/system, and after checking my registry it is confirmed that it was modified by the virus, meaning the virus modified my registry, so I am infected? I don't understand, because it says the virus is quarantined but my registry is modified.

    If you look on the Symantec site and see the "how to remove the virus" page, this only applies if your machine has been infected. If you run a file from a USB pen and it says that it has put the file in quarantine, then the file should have been removed from the drive and put into the quarantine folder on the client.

    How would I know that my SAV is working? Is it because it is detecting a threat, or detecting and stopping a threat without any modification in my system?

    Yes, if SAV detects the file, there should not have been any modification done to the system. What SAV does with the file depends on your settings (delete, log, quarantine, repair).

    If a virus is detected and it is quarantined, does it still mean that the definitions need to be updated?

    No, if the virus is put into quarantine, then the definitions are working fine.


  • 3.  RE: SAV characteristic - clarification

    Posted May 22, 2009 01:39 AM
    As a best practice, you should also disable autorun, so that if you insert a USB in the computer the virus will not automatically run.


  • 4.  RE: SAV characteristic - clarification

    Posted May 22, 2009 02:11 AM
    If SAV is doing its job, even with autorun enabled, it should not allow a virus, especially one that's already in the definitions, to even load.


  • 5.  RE: SAV characteristic - clarification

    Posted May 22, 2009 02:41 AM
    Well, that depends on the definitions; I'm sure it will block the program from running. That's why I said it's a best practice to disable autorun.


  • 6.  RE: SAV characteristic - clarification

    Posted May 22, 2009 05:49 AM
    I must agree with Paul, it is important to disable autorun. We have in the past had some trouble with autorun on a network share, so we have disabled everything.



  • 7.  RE: SAV characteristic - clarification

    Posted May 22, 2009 06:28 AM
    The best practice is to disable autorun through GPO.

    The files in Quarantine will stay there depending on the options below:
         the number of days set in the Quarantine options, and
      "Automatically repair and restore silently" configured under "When new virus definitions arrive".

    If required, you can decrease the number of days to be kept in the Quarantine options.
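    The GPO-driven autorun change recommended in this and the earlier replies, as an added example that is not code from the original thread or from Symantec: a PowerShell script that audits and, if needed, writes the registry values the "Turn off Autoplay: All drives" policy sets. It assumes an elevated session, a Windows build that honours NoDriveTypeAutoRun for autorun.inf (KB967715 applied on XP/2003), and that a domain GPO, where one exists, will overwrite the local value on the next refresh. The function names are my own.

```powershell
# Added example: audit and enforce "Turn off Autoplay" for all drive types.
# Writes the same registry values the GPO writes; this is not Symantec's code.
# Assumptions: run elevated; KB967715 (HonorAutorunSetting) is applied on
# XP/2003; a domain GPO, if present, overrides whatever is set here.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrives = 0xFF   # bitmask covering every drive type, incl. removable (0x04) and network (0x10)

function Get-AutorunPolicy {
    # Returns the NoDriveTypeAutoRun bitmask under the machine policy key,
    # or $null when no policy value has been set at all.
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.NoDriveTypeAutoRun) { return $null }
    return [int]$props.NoDriveTypeAutoRun
}

function Test-AutorunDisabled {
    # True when the given drive-type bit is set in the mask
    # (0x04 = removable/USB, 0x10 = network share).
    param([int]$DriveTypeBit = 0x04)
    $mask = Get-AutorunPolicy
    if ($null -eq $mask) { return $false }
    return (($mask -band $DriveTypeBit) -eq $DriveTypeBit)
}

function Disable-Autorun {
    # Writes the values the "Turn off Autoplay: All drives" policy would write.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value $AllDrives -Type DWord
    # KB967715: without this, older Explorer builds still parse autorun.inf on
    # some drive types even when NoDriveTypeAutoRun is set.
    Set-ItemProperty -Path $PolicyKey -Name 'HonorAutorunSetting' -Value 1 -Type DWord
}

# Audit first: USB sticks (post 3) and network shares (post 6) are the two
# cases the thread actually hit.
$checks = @{ 'removable (USB)' = 0x04; 'network share' = 0x10 }
foreach ($check in $checks.GetEnumerator()) {
    $state = if (Test-AutorunDisabled -DriveTypeBit $check.Value) { 'disabled' } else { 'ENABLED' }
    Write-Output ("Autorun on {0,-16}: {1}" -f $check.Key, $state)
}

# Remediate only when either case is still open.
if (-not (Test-AutorunDisabled -DriveTypeBit 0x04) -or -not (Test-AutorunDisabled -DriveTypeBit 0x10)) {
    Disable-Autorun
    Write-Output ("NoDriveTypeAutoRun now 0x{0:X2}; sign out and back in for Explorer to reload it" -f (Get-AutorunPolicy))
}
```

    Explorer reads NoDriveTypeAutoRun at logon, so the audit lines reflect the policy value rather than what the running shell is currently enforcing; after deploying the GPO, run the audit part again on a workstation to confirm the domain value landed. Disabling autorun only removes the automatic launch; a user who double-clicks the .exe on the stick is still relying on the AV definitions, which is the case post 2 describes.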


  • 8.  RE: SAV characteristic - clarification

    Posted May 22, 2009 12:46 PM
    Disabling autorun has already been agreed upon in another thread.
    We can include autorun in the files to watch for or avoid running, but you cannot stop all the users from doing that.