SEPM 11.0.5002.333 showing still infected clients
I've tried several of the fixes that many have posted here (other than reinstalling the client) and nothing works. I'm sorry but having to reinstall a client every time a virus is found is unacceptable. I upgraded the manager and infected clients to 11.0.5002.333 yesterday, the supposed fix according to some hasn't helped.
I tried the Symantec "How to clear an erroneous "Still Infected" status from Reports in the Symantec Endpoint Protection Manager" fix. Clearing the in Monitors, Logs, Log Type - Computer Status, Time Range - Past three months, View Log, turns up nothing.
I checked the infected clients and the virus is no longer there.
If I check the Monitors, Logs with a Log Type - Risk, Time Range - Past three months, View Log, it does bring up a list of infected clients.
The "Still Infected" (there are 3 of them) are the only ones with Virus Found (Left Alone), Virus Found (Quarantined), and Virus Found (Partially repaired). There are several other infected clients in this list but they are Virus Found (Cleaned by deleted), and Virus Found(Quarantined) and they do not show up in the "Still Infected" list.
Like I said before when I checked these infected clients the infected files are no longer there.
If anyone has any insight I would love to hear it.
Comments
Is it "Action Summary by Detection Count" or "Action Summary by Number of Computers"? Maybe to refresh the graph, change it to the opposite of what it is (Preferences link right above "More Details" which is right above the Action Summary pane you are looking at), and see if it clears out the erroneous numbers now that you have verified that the Infected status is cleared from the machines. Instead of viewing the Computer Status report for all machines over a time period, what happens if you select it for the last week and specify the computer that is generating the 'Still Infected' flag? Does it show clean?
_________________________________________________________________
Please remember to mark the thread 'SOLVED' with the answer that most helped you by choosing 'Mark As Solution' on the applicable answer
Also under that same Preferences screen, make sure Auto-refresh rate IS NOT set to NEVER and more like 15 minutes.
The preferences were set to "Action Summary by Detection Count". I changed it to "Action Summary by Number of Computers". Nothing changes though. The Auto refresh-rate has been set to 15 minutes.
Specifying Computer Status shows nothing no matter what I specify.
I also did try specifying the computer name with a risk log type and it does show results. For example this log below is one of the computers showing still infected. As you can see it does show as being cleaned.
11/20/2009 17:04:21 Virus Found (Partialy repaired) and at
11/20/2009 17:04:35 Virus found (Clean by deletion)
By the way I'm also a Mets fan.
Hi
I think the virus is still active on the endpoint, the left alone part is important
Explanation of Action field values in Symantec
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006112010562148
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
Thanks for the responses.
I have gone to the clients and physically checked the locations the infected files were supposed to be located and they are not there. I even removed the folder they were supposed to be inside and rescanned all the machines and nothing reappears. Also the "Left Alone" incident was on my computer. I was testing the notification setup and I inserted an eicar.zip test virus file to make sure the e-mail notification was working. SEP DID remove the unzipped eicar file but left the eicar.zip file alone. After the test was done I deleted the eicar.zip file. And my system is still showing an infection by the eicar.zip file.
Hi,
You can go to the compliance options in the Monitors->logs->advanced properties, and check the box for "Infected Only". Then you can choose the time range as past year.
When you see the logs, you can click on the drop down menu for "Selected" and choose all. After that you can clean the infected status for all the machines in 1 click.
I've tried the compliance options "Infected Only", I'm assuming you mean to have the Log type - Computer Status set? I've tried a lot of different setting changes and I get nothing back when computer status is set. If I change the log type to Risk I do get a list of infected clients. And when I try to take action of delete from quarantine, the infected status still shows on the SEPM Home Page.
Thanks for the response but never mind. I just re-installed the client on the 3 affected clients to clear this problem. This is ridiculous if this has to be done every time.
Found a solution on our system
I had a similar issue.
This is what I did.
Go to Monitor/Log/Computer Status
Click the link "Compliance options" (one of two options after "What filter setting would you like to use?")
Tick "Infected only"
Click view log
Select the computers (ctrl or shift click) and click "clear infected status".
Go back to Home and click refresh in the very top right corner (next to about, help, log off).
It is odd that it is hidden under logs. I would like to see this function under a new tab between summary and logs...
Computer status != logs ;)
/Martin
Thanks mforest that did the trick.
So mark mforest as SOLUTION
Regards,
Ajit Jha
Technical Consultant
STS
New Trick
Very Helpful, Thanks mforest!!!
Matt Barber
Advanced Client Services Engineer
TN User Group Marketing Director