Endpoint Protection

  • 1.  Still Infected

    Posted Jan 13, 2011 12:16 AM

    Hi there:

    On my Symantec Endpoint Protection client, when I open the last scan log, Symantec shows different behaviour against the same virus. In some places it cleans the infection successfully, and in some places it shows still infected.

    Kindly find attached log also, and guide me.

    Best regards

    Ishaq



  • 2.  RE: Still Infected

    Broadcom Employee
    Posted Jan 13, 2011 12:26 AM

    It looks like the threat is detected but cannot be cleaned. Scan this system in safe boot with the latest definitions.

    Also submit the file to the Symantec team for further analysis.



  • 3.  RE: Still Infected

    Posted Jan 13, 2011 12:35 AM

    scan in safe mode/virus def updated...

    Scanning in safe mode is not a solution because a number of PCs have this issue. Secondly, virus definitions are up to date on client machines. I also submitted these files to submit.symantec.com. As per Symantec's response, Symantec can clean these files.

    Regards

    Ishaq



  • 4.  RE: Still Infected

    Broadcom Employee
    Posted Jan 13, 2011 12:58 AM

    Check on one machine by scanning in safe mode.



  • 5.  RE: Still Infected

    Posted Jan 13, 2011 01:31 AM

    Have you performed a FULL scan with the latest definitions? If the virus is changing its code or if it's a different variant with the same name, you may have to submit the files again to the Symantec Security Response team. This time when you submit the files let me know the tracking number.



  • 6.  RE: Still Infected

    Posted Jan 13, 2011 04:49 AM

    Hi Ishaq,

    Check the logs in detail (or examine the Windows Application Event Log entries). What action does SEP report was taken? I suspect that you will see "Partially Removed" or similar for some of those threats.

    This KB has more information: What Does "Risk was partially removed" Mean? (http://www.symantec.com/docs/TECH94475)

    A full system scan in safe mode will, under most circumstances, completely remove threats that were "partially removed" earlier. Be sure to check the risk log after the scan has been run for confirmation.

    Hope this helps! Please keep this thread up-to-date with your progress.

    Thanks and best regards,

    Mick



  • 7.  RE: Still Infected

    Posted Jan 13, 2011 05:55 AM

    Delete all temporary internet files, %temp% and temp files, and scan in safe mode with System Restore off on all drives. And make sure you have the latest pattern updated.



  • 8.  RE: Still Infected

    Posted Jan 13, 2011 09:53 PM

    For starters

    Check the startup options:

    Run > msconfig > startup

    Check for suspicious entries, garbled executables, etc.

    It is possible that the one that runs in there is the root malware and the other detections are its payload.



  • 9.  RE: Still Infected

    Posted Jan 14, 2011 03:15 PM

    For insurance that your system is clean, scan with the SERT CD.

    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

    http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

     

    Good luck,

    Thomas