
SEPM Dashboard question

Created: 01 Apr 2013 | 7 comments
D@ry1's picture

Hey guys,

I've been looking around the dashboard, and I can't find the purpose of the information named "Disabled" under Total Endpoints. What is it for?
Also, there is another one under Virus and Risk Activity Summary named "Still Infected". How can we cure the Still Infected on the dashboard?

Thanks,


W007's picture

Disabled means:

It means any one of the protection technologies is disabled or malfunctioning. Could be AV, PTP, NTP, Download Protection, or tamper protection. You need to click on the disabled link above in the screenshot to get further info as to what it may be.

 

Edited

Still Infected means that the computer still has potentially risky file(s) on it. For instance, an infected file or badware is detected on that computer and the file is quarantined. Therefore the computer is still infected but it is not harmed.

The Still Infected count shows the total number of risks that a scan would continue to classify as infected, also within the configured time interval. For example, a computer may still be infected because Symantec Endpoint Protection can only partially remove the risk. After you investigate the risk, you can clear the Still Infected count from the Computer Status log.

 

How to clear the "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

 

Article:TECH102954  |  Created: 2007-01-19  |  Updated: 2013-03-13  |  Article URL http://www.symantec.com/docs/TECH102954

 

 

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

D@ry1's picture

Hi,

 

I get it now, but we have a scheduled scan every night, and based on the "Still Infected" count it was found through the scheduled scan and active scan. Does that mean SEP can only detect it and not remove it?

 

Thanks,

W007's picture

hello,

Just read this comment:

 Mithun Sanghavi

 Hello,

The Newly Infected count shows the number of risks that have infected computers during the selected time interval only. Newly Infected is a subset of Still Infected. The Still Infected count shows the total number of risks that a scan would continue to classify as infected, also within the configured time interval. For example, a computer may still be infected because Symantec Endpoint Protection can only partially remove the risk. After you investigate the risk, you can clear the Still Infected count from the Computer Status log.

Both the Newly Infected count and the Still Infected count show the risks that require you to take some further action to clean. In most cases, you can take this action from the console and do not have to go to the computer.

Note: A computer is counted as part of the Newly Infected count if the detection event occurred during the time range of the Home page. For example, if an unremediated risk affected a computer within the past 24 hours, the Newly Infected count goes up on the Home page. The risk can be unremediated because of a partial remediation or because the security policy for that risk is set to Log Only.

You can configure a database sweep to remove or retain the detection events that resulted in unremediated risks. If the sweep is configured to remove the unremediated risk events, then the Home page count for Still Infected no longer contains those events. Those events age out and are dropped from the database. This disappearance does not mean that the computers have been remediated.

No time limit applies to Still infected entries. After you clean the risks, you can change the infected status for the computer. Change the status in the Computer Status log by clicking the icon for that computer in the Infected column.

Note: The Newly Infected count does not decrement when a computer's infection status is cleared in the Computer Status log; the Still Infected count does decrement.
 
You can determine the total number of events that have occurred in the last time period configured to show on the Home page. To determine total number, add the counts from all rows in the Action Summary except for Still Infected.

 

 


pete_4u2002's picture

Disabled: any one of the SEP components is disabled or malfunctioning.

Still Infected: to clear this status in SEP 12.1, the client needs to be scanned and should report not infected to SEPM.

Rafeeq's picture

Disabled: You might have given users access to disable some of the SEP components or SEP altogether.

That's why it warns you. If you don't want to give access, you can lock those options in the SEPM policy and it won't complain about that.

Still Infected: there are various reasons why it was not able to clean the virus, so whenever you find Still Infected you need to examine those machines manually.

 

Chetan Savade's picture

Hi,

The Still Infected count can be cleared manually in SEP 11.x with the help of the following article:

How to clear the "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

http://www.symantec.com/docs/TECH102954

In SEP 12.1 this option no longer exists; the SEPM console should update this status automatically.

If the status remains the same, then you need to examine those machines manually.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |


Mithun Sanghavi's picture

Hello,

On the Home page of the Symantec Endpoint Protection Manager (SEPM), in the Endpoint Status section (middle left), the Disabled (orange) status shows several Symantec Endpoint Protection (SEP) clients as disabled.


The SEP Clients will show up in this section if any of the following are in a disabled state:

  • Auto-Protect Status
  • Firewall Status
  • Sonar Status
  • Download Insight Status
  • Network Intrusion Prevention Status
  • Browser Intrusion Prevention IE Status
  • Browser Intrusion Prevention Firefox Status
  • Tamper Protection Status

 

Secondly, Still Infected: 


The Still Infected count shows the total number of risks that a scan would continue to classify as infected, also within the configured time interval. For example, a computer may still be infected because Symantec Endpoint Protection can only partially remove the risk. After you investigate the risk, you can clear the Still Infected count from the Computer Status log.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3
