
Symantec Endpoint Protection detected Risks while you were logged out

Created: 03 Aug 2011 • Updated: 03 Aug 2011 | 25 comments

We are piloting SEP 12.1 GA.

Sometimes pilot users log on and get a popup: "Symantec Endpoint Protection detected Risks while you were logged out. You may need to open the AntiVirus and Antispyware Protection Risk Log to view and take action on the risks."

Inspection of the virus and spyware logs on the client (as admin) does not show any detection.

Has anyone else seen this? Is it a bug in 12.1 - i.e. the fact that there was apparently no detection, but the user gets a popup saying there was something detected?

The following article refers to how to turn this off for SEP11, which also works for 12.1, but being a security engineer responsible for our SEP 12.1 design, I would like to understand if the notification is being incorrectly triggered. I would like it to appear if there really is something found.

http://www.symantec.com/business/support/index?page=content&id=TECH105373


.Brian:

I have the same issue with 12.1 (and 11.x as well). Have not found a fix other than turning off the notification, which I'm not doing.

Upgraded from SEP RU6 MP3.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

M.C.:

I just wanted to chime in and say that I am having the same problem. We were running SEP 11 MR5, and I upgraded 3 servers and my machine to SEP 12.1. After the upgrade all 4 machines come up when I log in with the "Detected risks" popup. The quarantine is empty, and no risks were really found. My servers only have the AV component, and my machine has all components. This would appear to be some problem with SEP 12.1 as far as I can tell, because with SEP 11 MR5 this did not happen.

I really don't want to shut off the notification option, if possible, because if there *were* to be some sort of problem, I'd like to know about it. It seems that shutting off the notification option is not the ideal thing to do for the best security.

Mithun Sanghavi:

Hello,

You can go into the AV policy and uncheck this setting from here as shown below:


As far as SEP v.11 is concerned, we had an article:

http://www.symantec.com/docs/TECH105373

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian:

The issue is it doesn't work. The notification is displayed even though this setting is unchecked.


Serengeti:

Hi, we do not want to turn off notifications - that would be like throwing the baby out with the bath water.

We have raised the point that the notifications are appearing even when there apparently was no risk detected.

So the question is: Is this feature broken?

M.C.:

We have a call in with support on this. We'll see what they say. I have a feeling they're going to tell us to turn off the notifications, as that was their first and only suggestion by email.

Tarsier:

Seems to be broken any way that you look at it... We recently upgraded to 12.1. During the first scheduled weekly scan, a machine displays this message ("Symantec Endpoint Protection detected risks while you were logged out....") and the user reports the potential problem with the machine.

While investigating, I follow the de facto recommendations that are posted everywhere here, and go to Monitors > Logs, then select Scan (expecting the Scan log to report the risk(s) found). Sure enough, the machine shows up in the list with Risks = 1 and Detections = 1, but "Details" says nothing extra about the detected risk.

So, I go back to the logs tab and select the Risk log, but there is nothing listed for this machine.

How do we follow-up on a message like this and check to see what "Risk" was "Detected" during the scan?

I've continued through the progression and checked for anything else in the logs pertaining to this machine, and there is nothing about any kind of detected risk, several hours after the logged-in user was notified of a detected risk and called to report it.

How do we resolve this and determine whether or not there is a legitimate threat to be concerned about (and respond to it), or whether or not there are rules, policies, etc., that need to be developed or modified to avoid more false positives?

---------------- Things turn out best for the people who make the best of the way things turn out. -John Wooden-

WingFan:

I'm having these same issues here. Several machines give the "risks were found while you were logged off" message, but there is nothing in the scan/risk log... no detections at all. The only thing even remotely related is the "Scan Omission" entries in the System Log stating that the Decompiler Engines could not scan files that are inside of a zip file (i.e. too deep).

Also, turning off the popup as Mithun Sanghavi suggested above does not work. I have turned this off in every policy we have and the popup message still 'pops up'.

I didn't have this issue with v11, although it appears that this has been an issue going back even further.

I also have two other issues since upgrading to v12.1 that I haven't resolved yet (one of which causes a particular client to generate a SYN flood when the 12.1 client initializes).

Seems that v12.1 probably should have waited until 12.2....


#frustrated

bjohn:

Sadly, you'll never find a Symantec version that's perfect. (not even close)

Serengeti:

Going on the posts so far, this seems to be a common problem. Like Tarsier, we should all be concerned about the helpdesk calls and wild goose chases that this can cause. We are running a small pilot of 12.1 and so far I have seen the issue on two Server 2003 x86 machines. SST logs sent to our TAM - hoping for some positive updates soon . . .

thatdude:

This alone gives me reason to wait until at least RU1. By the way I never heard of this issue during Beta testing. Are all of these SEP 11 to 12.1 upgrades?

.Brian:

Not for me. Happened on fresh installs of both 11.x and 12.1. Also, happened on my machine yesterday but the logs reveal nothing malicious.

I'm clueless on it.


josh_symc:

If there are no risks logged, then the notification popup is not due to a risk/malware event, as the technote makes mention. Underlying in the product there are a couple of ways this popup can be generated, and it is possible to see this without an actual malware issue. The issue is fixed in 12.1 RU1, so that one can disable this notification on the SEPM and it will work. The issue was fixed in SEP 11 around MR5, so if you are running a later SEP 11 release in RU6 MPX, and you disable this notification in the SEPM, you should not see it on the client. If that is not the case, and you are running SEP 11 RU6 MPX, you disable the notification, and still see it on a client, please contact Technical Support and open a case.

As a side note, if you have not logged a Support case for this issue, or for any issue you encounter, it is not being examined in engineering. It is therefore highly advisable to open a case.


You can reference defect 2488243 for the 12.1 release (fixed in RU1).

For 11.x, reference defect 1542336 (fixed in MR5).


The underlying reason why you can see a popup without a logged risk/malware event is still possible, and one such path is detailed in the referenced technote. It is a design consideration from which the popup message can be arrived at. So the fix is to properly disable the notification when desired, which is not working in 12.1 today.

M.C.:

My concern is: what if (heaven forbid) a risk was really detected while logged out? If you disable the notification then you would not see it. Isn't there a way to stop these "false positives" and still have the product notify you if there really is a problem? How about different verbiage in the notification popup for the various conditions that cause it, rather than the same message for everything?

WingFan:

Well, the way I see it, it will be logged on the SEPM as well. So even if the end user doesn't get a notification, I am still going to get the notification through the SEPM logs/alerts. I'd rather not depend on an end user telling me about a potential issue. What if they are out for two weeks and no one logs onto the machine? It's nice when they do tell you, but I'm still going to get any real threat info from the SEPM.

That being said, I would rather not disable alerts. I would rather see Symantec fix the false positives... as well as the alert not being able to be disabled.

Popasmurf:

We called in a few weeks back and were told this wasn't a documented problem. We did reference this discussion. Is there an estimated timeframe on RU1? Will OS 10.7 be supported in RU1 as well?

Serengeti:

"The issue is fixed in 12.1 RU1, so that one can disable this notification on the SEPM and it will work"

Does this mean the issue where the popups are incorrectly generated is fixed or that the issue that one could not disable the notification has been fixed?

BlackFog:

Have this problem in our Lab, too. Therefore I'm also interested in an ETA date for the RU1.

josh_symc:

12.1 RU1 is slated for early November. Slated being the operative word, meaning subject to change until actually released :). We should be careful about terminology: a 'false positive' is the quarantining or catching of a good file by SEP or another real-time security agent and treating that good file as malware. This is NOT the case here at all. There is no false positive. Please do read the above referenced technote. Please refer to the defect referenced above (2488243) and open a case with Symantec Support if you wish to see a change in product behavior. To recap: defect 2488243 is for 12.1 RU1 and is about the disabling of the popup not working per the SEPM checkbox UI.

The popup stems from a code path that can be reached from causes other than malware being detected and remediated when logged out, and is somewhat by design in my research, but I will leave that to the engineers who wrote the code for the final say. It may or may not be an easy fix, as with any issue. Let's be clear: IF there is a risk discovered it WILL be LOGGED, and the end user can see the log, and the logs will also be sent to the SEPM, when the user is logged out. Feel free to go ahead and test with the EICAR test string: log out, and schedule a scan for the logged-out time.

So if you are desiring to:

A) Keep the popup warning for end users when they are logged out, whether the cause is malware or not.

B) See the non-malware popup reason logged, or perhaps not popped up in the first place (up for debate).

Then please open a tech support case and reference defect 2488243, this blog, and the above referenced technote.

If all you want is to:

A) Know that a piece of malware is caught and logged when a user is logged out: this is already the case today.

B) Suppress the warning message when the user is logged out: it is in 12.1 RU1 and should be working in any 11.0 RU6 or later release train today.
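The test josh_symc describes (plant the EICAR string, log out, let the scheduled scan run, then compare the popup against what was actually logged) is easy to get wrong if the test file is typo'd or has already been eaten by on-access scanning before the scheduled scan ever ran. The script below is an added example, not Symantec's code and not from the original thread: it writes a byte-exact EICAR file, verifies it against the published SHA-256 of the 68-byte test string, and afterwards reports whether the file was removed, left untouched, or altered. The target directory, the poll timeout and the assumption that the SEP client is set to delete or quarantine on detection are all assumptions of the example; on a host with no AV installed the expected result is "present".

```python
"""Plant an EICAR test file and report what the AV client did with it.

Added example for the logged-out detection test discussed in the thread; not
Symantec code. Assumes SEP (or any AV) is configured to delete/quarantine on
detection. Directory and timeout are assumptions supplied by the caller.
"""
import hashlib
import os
import shutil
import sys
import tempfile
import time

# The standard EICAR test string, assembled from two halves so this source file
# is less likely to be flagged by an on-access scanner while you edit it.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + r"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_LEN = 68
# Published SHA-256 of the 68-byte EICAR test file.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """Return the exact 68-byte EICAR payload."""
    return EICAR.encode("ascii")


def verify_eicar(data: bytes) -> bool:
    """True only if data is the byte-exact EICAR test file."""
    return len(data) == EICAR_LEN and hashlib.sha256(data).hexdigest() == EICAR_SHA256


def plant(directory: str, name: str = "eicar.com") -> str:
    """Write the test file into directory and return its path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(eicar_bytes())
    return path


def check_detection(path: str, timeout_s: float = 0, poll_s: float = 1.0) -> str:
    """Poll until the scanner acts or the timeout expires.

    Returns 'removed' (file gone: quarantined or deleted), 'locked' (present but
    unreadable, typically while a scanner holds it), 'modified' (present but no
    longer byte-exact, e.g. truncated by a cleaner) or 'present' (untouched).
    """
    deadline = time.monotonic() + timeout_s
    while True:
        if not os.path.exists(path):
            return "removed"
        try:
            with open(path, "rb") as fh:
                if not verify_eicar(fh.read()):
                    return "modified"
        except PermissionError:
            return "locked"
        if time.monotonic() >= deadline:
            return "present"
        time.sleep(poll_s)


def run_test(directory: str = None, timeout_s: float = 0) -> dict:
    """Plant the file, wait up to timeout_s for the scanner, report the outcome.

    With directory=None a temporary directory is used and cleaned up afterwards
    (a dry run on a host without AV is expected to return 'present').
    """
    tmp = None
    if directory is None:
        tmp = tempfile.mkdtemp(prefix="eicar-")
        directory = tmp
    path = plant(directory)
    try:
        result = check_detection(path, timeout_s)
    finally:
        if tmp is not None:
            shutil.rmtree(tmp, ignore_errors=True)
    return {"path": path, "result": result}


if __name__ == "__main__":
    # Usage: python eicar_test.py [directory]  (assumed directory, e.g. C:\Temp)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(run_test(target, timeout_s=30))
```

Run it into a directory that the scheduled scan covers, then log out and let the scan fire. On the next logon, a "risks detected while you were logged out" popup with a matching Risk log entry (EICAR Test String) and a "removed" result is the expected-positive case; a popup with a "present" result and an empty Risk log reproduces the non-malware code path the thread is about.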

WingFan:

I've read the technote and I understand that it can pop up after updating the virus definitions and rescanning items in quarantine. But if there is nothing in quarantine to begin with, why would the popup still trigger? I never had this issue before 12.1 (although I understand others have). Every machine that I have upgraded to 12.1 will randomly have this popup, yet nothing is in any of the quarantines.

Are you saying that simply getting a definition update and having the DefWatch Wizard scan is enough to trigger the popup, even if there is nothing in quarantine? That doesn't sound right...

Serengeti:

As per the Symantec response: "The pop up stems from a code path that can be from other causes besides malware being detected and remediated when logged out, and is somewhat as by design in my research but will leave that to the engineering whom wrote the code for final say". So clearly the alerts appear at times with no risk trigger.

There are "other triggers" - sounds like Symantec have to decide if they want to change that or not. I agree that it is hard to see why anyone would want non risk-related events causing a popup.

josh_symc:

Hi All,


The defect for the issue underlying the popup is 2529730. Please open a case and reference this defect.

Per the technote and the issue: "the expectation is that this pop-up will appear only if a threat has been detected by manual/autoprotect scan, OR if DWHWizard (DefWatch Wizard) scans items in quarantine after a definition update. In this case, pop-up is appearing on logon; DefWatch wizard is on, but there is nothing in quarantine to be scanned and no threat detections are logged"

If the issue you are concerned about is suppressing the popup with the SEPM UI checkbox, it is fixed in 12.1 RU1 and SEP 11.0 MR5 or later.

The more folks who are added to the issue, the more weight it has. It is currently under investigation by engineering and QA.

Thanks.