"Still Infected" - SEP 12.1

Created: 05 Sep 2013 | 6 comments
DamianGarbus

Hi,

I have a problem with "Still Infected" in SEP 12.1. I know that it can't be cleared manually like in version 11.

A virus was detected when users connected flash memory to a USB port. Now the flash memory is not connected and the client can't scan it to check if it is infected.

Please let me know if it is possible to clean the "Still Infected" count, and if I can block USB ports in SEPM policy.

Best Regards.

Damian.

Rafeeq

Not possible to clear manually; run a full scan of the USB when it's connected. When the reports come back clean it will be gone.

https://www-secure.symantec.com/connect/forums/clearing-still-infected-status-malware-detected-dvd-r-sep-121

Use an Application and Device Control policy to block USB.

http://www.symantec.com/business/support/index?page=content&id=TECH175220

Ambesh_444

Thumbs up for Rafeeq's comment above.

Make sure that your system has the latest antivirus definitions and all the latest MS patches installed.

Then do a full scan of the system and check.

Thanks & Regards,

Ambesh

"Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please don't forget to mark the thread as solved."

pete_4u2002

Connect another USB, scan the system and it should show clean, considering the USB is clean.

Yes, USB can be blocked using an ADC policy using SEPM.

DamianGarbus

Ok, I will try :) Thanks for help :)

Best regards.

Damian.

Mithun Sanghavi

Hello,

In your case of SEPM 12.1, the "Still Infected" number will go down automatically as the threat is completely removed from the network.

This is a part of the enhanced management console. The management server resets the Still Infected Status for a client computer once the computer is no longer infected. It gives a more accurate status for how many client computers really are infected.

In your case, initiate a full scan on the system. The entry would be removed from the Still Infected status.

You can check the scan action and rescan the identified computers by following the steps provided in the article below:

http://www.symantec.com/docs/HOWTO80991

Still Infected is a subset of Newly Infected, and the Still Infected count goes down as you eliminate the risks from your network. Computers are still infected if a subsequent scan would report them as infected. 

For example, Symantec Endpoint Protection might have been able to clean a risk only partially from a computer, so Auto-Protect still detects the risk.

The management server resets the Still Infected Status for a client computer once the computer is no longer infected. This should produce a more accurate status for how many client computers really are infected, rather than requiring user interaction to define a computer as clean.

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Jeshrel

Hi,

Try the articles below; they should help you.

Preventing viruses using "autorun.inf" from spreading with "Application and Device Control" policies in Symantec Endpoint Protection (SEP) 11.x and 12.1.x

http://www.symantec.com/docs/TECH104909

Using Application and Device Control to stop registry entries added by a threat or risk

http://www.symantec.com/docs/TECH95124

How to Block Known Virus Executables that run from %UserProfile% using Application and Device Control

http://www.symantec.com/docs/TECH131741

Hope it helps, keep us updated.