
Still infected status - SEP 12 Home screen - not clearing

Created: 16 Jul 2013 | 13 comments
ThaveshinP's picture

I have noticed that the number on the "Still infected" count on the SEP 12 Home page is displaying quite a number of machines and files. However, my question is how come some infections are almost a month or 2 old and the infection status is still showing. When I check the logs for the machine, there are no infections. How can I reset the "Still infected" count on the home screen, or how long does it take to reset?


Rafeeq's picture

It's immediate once you follow the steps below. Once the client is infected, it will appear under Still Infected. It will not clear automatically; you need to clear it manually. This is for your confirmation that you indeed checked the machine, it's clean, and you cleared it.

How to clear the "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

If they are large in number, follow these steps:

1. Log into the Symantec Endpoint Protection Manager (SEPM).

2. Click the Monitors tab.

3. Click “Advanced Settings”.

4. Click “Compliance options”.

5. Checkmark “infected only”.

6. Increase the Limit to 1000 entries.

7. Click the button “Save Filter…”.

8. Name it “Clear Infected Status”.

9. Under Use a saved filter, select this new “Clear Infected Status”.

10. Make any needed modifications to the search criteria.

11. Increase the Limit to 1000 entries.

12. Click the button “View Log”.

13. Select the first client entry.

14. Press and hold Shift.

15. While holding shift scroll down to the last entry and select the last client entry.

16. Click “Clear Infected Status”.

17. Repeat steps 12-17 for the remaining pages, if any.
ThaveshinP's picture

You do realise that this is SEP 12 RU3 I am using and the article is for SEP 11??

There is no clear infection status on SEP 12....

Rafeeq's picture

Got your point, it's no longer :) You are right.

Cannot Delete the "Still Infected" Value From the Symantec Endpoint Protection Manager 12.1 Console
 

http://www.symantec.com/business/support/index?page=content&id=TECH165846

LeighT's picture

From what I understand, if the machine has been remediated and is no longer infected, it should clear the count. This sounds like a possible defect, and you may need to log a call with Symantec if you are sure you can provide examples of machines that are reporting still infected and are no longer infected.

Brɨan's picture

Run another scan on the machine. Once it is complete and if it is clean, it will report back to the SEPM and the counter will be cleared.

You can't auto-clear in 12.1 like you could in 11.x.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

In SEPM 12.1, the "Still Infected" number will go down automatically as the threat is completely removed from the network.

This is a part of the enhanced management console. The management server resets the Still Infected Status for a client computer once the computer is no longer infected. It gives a more accurate status for how many client computers really are infected.

Check this Article:

Cannot Delete the "Still Infected" Value From the Symantec Endpoint Protection Manager 12.1 Console

http://www.symantec.com/docs/TECH165846

Secondly, I would suggest that you work on these articles:

Identifying the infected and at-risk computers

http://www.symantec.com/docs/HOWTO80990

Remediating risks on the computers in your network

http://www.symantec.com/docs/HOWTO80936

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

knightstorm's picture

I have one machine where the infected status was initially set by a possible trojan horse blocked on the CD drive (drive D:). I cannot clear the infected status manually and the automatic reset is not working, probably because it cannot re-scan drive D: to verify that the threat has been removed.

Brɨan's picture

Put in a clean CD and scan it.


Brɨan's picture

It's not a bug. For whatever reason, this is by design in 12.1.
