SEPM 11 infected client status

Created: 13 Nov 2012 • Updated: 13 Nov 2012 | 8 comments
This issue has been solved. See solution.

 

Under Monitors>>Logs>>Computer status - last 24 hours I see one infected computer. It seems the only option I have is to scan it again;

after the scan I still see the infected status.

Does that mean that the clean/delete/quarantine options have not been successful?

Do I need to manually connect to the infected machine and try additional methods?

 

 

pete_4u2002's picture

After the scan, has the client reported to SEPM?

Has the scan detected any infected files?

 

jgrab's picture

The scan is updated in the log and there is a "last status change" a day after the scan; definitions are updated.

The infections are from over a month ago.

Chetan Savade's picture

Hi,

You should manually connect to the infected computers and try the recommended steps.

Could you please tell us what kind of infection this is? Check the risk logs.

Best practices for responding to active threats on a network:

http://www.symantec.com/docs/TECH122466

Also download the SEP Support Tool and scan the affected system with Power Eraser, because Symantec Power Eraser is the latest Symantec recovery tool. The tool is aimed at the detection and clean-up of "zero-day" threats as well as other threats which may have infected the user’s system. Zero-day threats are those that take advantage of a newly discovered hole in a program or operating system before the developers have made a fix available, or before they are even aware that a hole exists.

Power Eraser user guide:

http://www.symantec.com/theme.jsp?themeid=spe-user...

Here is the location of the Symantec Endpoint Protection Support Tool:

http://www.symantec.com/business/support/index?pag...

 

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

jgrab's picture

What is the normal behavior of the system?

Does the "infected" status automatically disappear when the risk is cleaned/deleted/quarantined (by scan)?

Or do I always need to go through the above steps manually?

Chetan Savade's picture

Hi,

It's not always needed to go through manual steps.

jgrab's picture

So normally the "infected" status just disappears when the risk is eliminated?

Chetan Savade's picture

Hi,

It should be wiped out automatically during the database purge process if the threat is removed.

The following article is applicable only to SEP 11 & SBE:

How to clear the "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH102954

SOLUTION
TORB's picture

In SEP 12.1 it will automatically disappear when a second scan has confirmed that the threat is removed. In SEP 11 you have to manually remove the "Still infected" status after manually confirming that the risk is gone.

See the following KB: http://www.symantec.com/business/support/index?pag...

Torb