
Still Infected not changing on Home page of SEPM

Created: 21 May 2013 | 16 comments
louiesulit326 wrote:

Hi guys,

I was doing a health check on the Symantec Endpoint Protection Manager of one client. I noticed that when I cycled through the Virus and Risks Activity Summary, the Still Infected item did not change (365 days, 90 days, etc.).

Here is the screenshot of what I encountered. Look closely at the "Still Infected" item; it is stuck on 21 and 2 (Viruses/Spyware and Risks).

[Screenshot: samplev1.png]


The client came from SEPM version 11 last year and then upgraded to version 12. Is this normal? Or did their SEPM version 12 inherit version 11's bug with regard to the display of the Virus and Risks Activity Summary?

Looking forward to your response guys. More power!


Comments (16)

W007 wrote:

Check this:

How to clear the "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

Article:TECH102954  |  Created: 2007-01-19  |  Updated: 2013-03-13  |  Article URL http://www.symantec.com/docs/TECH102954

Check this discussion:

https://www-secure.symantec.com/connect/forums/how...


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

louiesulit326 wrote:

Thank you for that quick response, pete_4u2002. It helped somewhat by informing me that it automatically goes down, although upon checking the workstations, the threat had been removed. Even the administrator of the SEPM is very particular about monitoring their network (he underwent official training for SEP), so he created a ticket for their helpdesk team to check the workstations. He even has the habit of submitting new risks to Symantec upon detecting them in their network. What puzzles him is that the value did not change for a year, which indicates that the Still Infected is still there even during the last hour of that day. I checked the purging configuration, and quarantined items are set for deletion after 30 days. Could this be a bug or something similar to that behavior?

louiesulit326 wrote:

Thank you, ManishS. Will try that one and will send feedback once done.

pete_4u2002 wrote:

The steps were manual in SEPM 11; however, this has changed from SEPM 12.1 onwards.

Chetan Savade wrote:

Hi,

In SEP 11 you may have to perform manual steps.

But in SEP 12.1 the status should update automatically.

The following info is very important when we talk about SEP 12.1:

"The "Still Infected" number will go down automatically as the threat is completely removed from the network.

This is a part of the enhanced management console. The management server resets the Still Infected status for a client computer once the computer is no longer infected. It gives a more accurate status for how many client computers really are infected."

I would suggest manually checking those machines.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

MikL wrote:

I have a similar issue. Even after running a Full Scan several times manually on the client (in addition to the scheduled full scans) and it coming back saying there are zero problems, the console still shows it as infected. It has been like this for over a year now. It keeps showing the problem as "D:\autorun.exe". We've checked the computer and there is not even a disk in the D: drive, so what is the problem here?

Chetan Savade wrote:

Hi,

Could you try the following steps:

Change the risk log settings in the SEPM.

Navigate to the following location: SEPM --> Admin --> Servers --> Select 'Local database' --> Right click & click on Edit database properties --> Go to the 'Log settings' --> Risk log

Screenshot is attached for reference.

Can you change the setting to 1 day?

[Screenshot: Risk log setting in SEPM.png]

OR

Plug any other external drive into the same machine; it should be detected as the D drive.

Perform a full scan on that system. The client will report the D drive as a clean drive and should upload the same to the SEPM.


MartinHache wrote:

If you are a system administrator, you see counts of the number of Newly Infected and Still Infected computers in your site. If you are a domain administrator, you see counts of the number of Newly Infected and Still Infected computers in your domain. Still Infected is a subset of Newly Infected, and the Still Infected count goes down as you eliminate the risks from your network. Computers are still infected if a subsequent scan would report them as infected. For example, Symantec Endpoint Protection might have been able to clean a risk only partially from a computer, so Auto-Protect still detects the risk.

The management server resets the Still Infected Status for a client computer once the computer is no longer infected. This should produce a more accurate status for how many client computers really are infected, rather than requiring user interaction to define a computer as clean.
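As an added illustration of the counter semantics quoted in the post above, the following Python models how Newly Infected and Still Infected would be derived from a stream of risk-log events and why a computer stays in Still Infected until a later scan reports it clean. This is constructed model code written for this thread, not SEPM's implementation or database schema; the event kinds, computer names, risk names and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed model of the "Still Infected" logic described in the thread.
# Event kinds, names and dates are assumptions, not SEPM's data model.


@dataclass(frozen=True)
class RiskEvent:
    computer: str
    when: datetime
    kind: str        # "detected" = risk found; "clean_scan" = full scan found nothing
    risk: str = ""   # risk name for "detected" events, empty for clean scans


# Reference point for the time windows (assumed: the thread's creation date).
NOW = datetime(2013, 5, 21)

# Constructed sample risk log. WS-01 was cleaned by a later full scan; WS-02 and
# WS-03 never reported a clean scan; WS-04's only clean scan predates its detection.
SAMPLE_EVENTS = [
    RiskEvent("WS-01", datetime(2013, 4, 10), "detected", "Risk.Example.A"),
    RiskEvent("WS-01", datetime(2013, 4, 11), "clean_scan"),
    RiskEvent("WS-02", datetime(2013, 3, 1), "detected", "Risk.Example.B"),
    RiskEvent("WS-03", datetime(2012, 9, 15), "detected", "Risk.Example.C"),
    RiskEvent("WS-04", datetime(2013, 4, 20), "clean_scan"),
    RiskEvent("WS-04", datetime(2013, 5, 1), "detected", "Risk.Example.D"),
]


def activity_summary(events, now, window_days):
    """Return (newly_infected, still_infected) as sets of computer names.

    Rules modelled from the thread:
      * Newly Infected: computers with at least one detection inside the window.
      * Still Infected: the subset whose most recent event is still a detection,
        i.e. no *subsequent* scan has reported the computer clean.
    """
    since = now - timedelta(days=window_days)
    by_computer = {}
    # Chronological order matters: a clean scan only counts if it came after the detection.
    for ev in sorted(events, key=lambda e: e.when):
        by_computer.setdefault(ev.computer, []).append(ev)

    newly, still = set(), set()
    for computer, evs in by_computer.items():
        if not any(e.kind == "detected" and e.when >= since for e in evs):
            continue
        newly.add(computer)
        if evs[-1].kind == "detected":
            still.add(computer)
    return newly, still


def after_clean_scan(events, computer, when):
    """Return a new event list with a clean full-scan result appended for `computer`."""
    return list(events) + [RiskEvent(computer, when, "clean_scan")]


if __name__ == "__main__":
    for days in (365, 90):
        newly, still = activity_summary(SAMPLE_EVENTS, NOW, days)
        print(f"last {days:>3} days: newly infected={len(newly)} still infected={len(still)} {sorted(still)}")
    # A clean scan reported *after* the detection is what resets the status.
    _, still = activity_summary(after_clean_scan(SAMPLE_EVENTS, "WS-02", NOW), NOW, 365)
    print(f"after WS-02 reports a clean scan: still infected={sorted(still)}")
```

The WS-04 rows show the edge case MikL is hitting: a clean result recorded before the detection does not clear anything, so a computer that never delivers a post-detection clean scan to the manager (for example because the scan result never reaches the SEPM) stays in the count in every window.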

sai_india wrote:

Hi,

Please check this thread.

How to clear the "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

http://www.symantec.com/business/support/index?page=content&id=TECH102954


Cannot Delete the "Still Infected" Value From the Symantec Endpoint Protection Manager 12.1 Console

http://www.symantec.com/docs/TECH165846

MikL wrote:

@sai_india & MartinHache, thanks for the replies. We are running 12.1, which I neglected to mention. I am also a domain admin and am the one that configured SEPM. I understand that how it clears the counts is different in 12.x vs 11.x; however, the file it's showing as infected, "d:\autorun.exe", does not even exist on the computer in question. The D: drive is the CD/DVD drive and there is no disk in the drive, nor does "autorun.*" exist anywhere on the computer. It appears that even after running full scans and it reporting zero threats, it is either not reporting this status back properly or SEPM is not updating itself properly? If the local SEP client does not show any threats from a full scan, why would it report back that it's still infected, or what would be the reason the SEPM would not update the status properly?

I've read more than a few posts where this full scan and updating in 12.1 simply does not work in all cases. Short of reimaging the user's machine I don't see this fixing itself as everyone here says it should. This was first reported as infected on 8/07/2012 with a Last Status Updated date of 08/09/2012, with a second occurrence on 11/28/2012 and Last Status Updated date of 11/29/2012, with the risk reported as "Suspicious.MH690". The computer continues to check in and update the definitions on a regular basis. The only thing that appears to be broken is this reporting of the "autorun.exe" infected file that does not exist.

[Screenshot: SEPM.JPG]

Chetan Savade wrote:

Hi,

Can you insert any other clean disk in the D drive and perform a full scan?


SameerU wrote:

Hi,

You can decrease the number of client logs to be kept.

Regards

Chetan Savade wrote:

Hello,

Is there any update on this issue?


Ambesh_444 wrote:

Hello,

Please check mithun's post in the thread below.

https://www-secure.symantec.com/connect/forums/clear-still-infected-items

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find above information helpful or it has resolved your issue. Please don't forget to mark the thread as solved."

MikL wrote:

Have not had a chance to scan this D: drive yet but will try this week.

Thanks