Using symantec endpoint protecttion manager 12.1.6 Ru6 Mp1a . Sql database .While pulling a risk log daily status reports i found the still infected count is like 507. checked with clients no infections. Still infected not found on any other logs or reports ( computer status , risk log in client side ). I have truncated logs and also changed Risk log settings to 1 day and found no changes. It appeaes only when pulling daily status report. Found some tmp /err files in agent info folder, i have even cleared that and ran the MSCW, still the same result. Any other possible sollutions ?

Kick off a full scan on those problem clients. If it comes back, SEPM should automatically take care of and lower/remove that count.

Thanks for the response. I didn't know that, lemme try , but what is the logic ? The counts depends on the reporting part rite ?

Basically, yes.

they way SEPM handles Still infected has been changed in SEPM 12.1 for enhanced security. for more details please have a look at the below article.

Cannot Delete the "Still Infected" Value From the Symantec Endpoint Protection Manager 12.1 Console

 

So basically you need to run another scan in the same location as that of the detection, but be sure to remove the infected files prior to the scan. in case the infection detected in a external drive please plug a clean external drive and then perform the scan so that the client reports back to sepm that it is free from infection which will in turn bring the still infected count to 0

but it was like 507 computers, do you think its possible to plug a clean usb drive on all ? :( .Well i can perform a scan again and am pretty sure that there are no risks found on any of the computers that are in the still infected count.

we that no is too high, so i suggest you to make a note of some 4 to 5 machines and  perform a full scan on those machine and see if those machines gets removed from the still infected count. If yes, then you have the solution, so wait until your next full scheduled scan to kick in. If No, then please go ahead and raise a ticket with symantec support as we are pretty much out of troubleshooting steps here.

Alright , Sounds like a solution. Will try and post May be on monday.

sure, let us know if any additional help is required.

These could probably be the left anone infection that couldn't be deleted from an infected CD/DVD that was accessed on these computers. In such cases, the "Infected" flag is stored in the clients's database file on the client computer (not SEPM database). This type of "Infected" flag can be cleared only by inserting a clean media in to the same drive (on which the risk was reported as left alone) and performing a full scan on the clean media.

Note: 507 still infected count not necessarily mean 507 machines. It is possible that many of them are from same computer. So, I would suggest finding out the total number of computers first. you can easily get the still infected list by clicking on the "Still Infected" count under "Virus and Risks Activity Summary" on the Home page of SEPM.

If the number of computers is too many to work manually, please let me know, so that I can give you an alternate workaround.

As suggested by Mr Praveen Ayyapan , lets say if am taking one machine and inserting a clean device and performing a manuall scan again. Now, pulling the daily status report shows the same result as 507 still infected ! What could be the sollution ? Btw, total number of clients in the environment are 1000+. Am pretty sure that i ll get exhausted if am gonna do that for all the still infected machines :(

Then the SEPM is not properly decrementing this number. Since you're on the latest version, it could be a bug.

Depending on the results of your research, I would suggest calling support for further guidance if it does meet your expectation.

ismail, just let us know of your findings we will guide you to your next step.

Sure, first lemme try performing a full scan while inserting a clean device and if nothing works, ll raise a ticket.

Cool, Thanks for the support :)