Endpoint Protection

  • 1.  Traffic Blocked/Trojan.Sasfis Activity Detected

    Posted Mar 14, 2010 03:45 PM
    How should I handle the following pop-up that continually appears on one of our PCs? I've run a full scan on the machine and it came up clean.
    The end-users at this PC have been reporting this for three days, but I do not see a way to clear it or investigate it further.
    Is there an administrator setting that needs to be changed?

    symantec screenshot.jpg


  • 2.  RE: Traffic Blocked/Trojan.Sasfis Activity Detected

    Posted Mar 14, 2010 10:39 PM
    Hi,

    The message indicates that the IPS engine in SEP was able to prevent an attack from that IP.

    Please follow the instructions below:

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23619


    Aniket
     


  • 3.  RE: Traffic Blocked/Trojan.Sasfis Activity Detected

    Posted Mar 15, 2010 04:07 PM
    Thank you for your reply but please verify one more thing. I read the link you provided and wonder if this applies directly to the PC in question or if this needs to be done on the server that runs Symantec for all of our machines?
    There is only one PC displaying the pop up and it appears to already have the most recent updates, and a full scan comes back clean.
    Kind Regards


  • 4.  RE: Traffic Blocked/Trojan.Sasfis Activity Detected

    Posted Mar 15, 2010 04:16 PM
    The removal instructions apply to the PC that is infected.

    http://www.symantec.com/security_response/writeup.jsp?docid=2010-020210-5440-99&tabid=3


  • 5.  RE: Traffic Blocked/Trojan.Sasfis Activity Detected

    Posted Mar 15, 2010 04:17 PM
    A full scan will come up clean because IPS is blocking it in the first place. The patches should be on all your computers, including the server.


  • 6.  RE: Traffic Blocked/Trojan.Sasfis Activity Detected
    Best Answer

    Posted Mar 15, 2010 09:03 PM

    I followed the steps in the Symantec Security Response link - disable system restore/virus definitions up to date/run full system scan.

    Scan came up clean again and still received the pop up image seen above.  I used the link How to Find Suspected Threats on your computer and downloaded Autorun. A careful review of all the files (with Microsoft and Windows entries viewed) exposed what I believe was the culprit - tgfm.klo.  I deleted the file and restarted the machine; I'm waiting to see if the problem is solved.

    I appreciate your help and advice!
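
Added example, not part of the thread or of Symantec's guidance: the manual review of autostart entries described in post 6, sketched as a script that flags rows whose image path has an unusual extension or no verified signer. It assumes the autostart list was exported to CSV with the column names and "(Verified)" signer prefix shown; the sample rows, entry names and the directory placed in front of tgfm.klo are constructed.

```python
import csv
import io
import ntpath

# Extensions normally seen on autostart image paths; anything else merits a look.
USUAL_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr"}

# Constructed sample export. Column names and the "(Verified)" prefix are
# assumptions for this example; EXAMPLE_DIR is a placeholder directory.
SAMPLE_EXPORT = r"""Entry Location,Entry,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ccApp,(Verified) Symantec Corporation,C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell,explorer.exe,(Verified) Microsoft Windows,C:\WINDOWS\explorer.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,updater,,C:\EXAMPLE_DIR\tgfm.klo
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,helper,(Not verified) Example Ltd,C:\EXAMPLE_DIR\helper.exe
"""


def triage(export_text):
    """Return (entry, image_path, reasons) for rows that merit manual review."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        path = row["Image Path"].strip()
        signer = row["Signer"].strip()
        reasons = []
        # ntpath parses Windows-style paths on any platform.
        ext = ntpath.splitext(path)[1].lower()
        if ext not in USUAL_EXTENSIONS:
            reasons.append("unusual extension " + (ext or "(none)"))
        if not signer.startswith("(Verified)"):
            reasons.append("no verified signer")
        if reasons:
            findings.append((row["Entry"], path, reasons))
    return findings


if __name__ == "__main__":
    for entry, path, reasons in triage(SAMPLE_EXPORT):
        print(f"{entry}: {path} -> {', '.join(reasons)}")
```

A flagged row is a lead for manual inspection, not a verdict; legitimate unsigned software will also appear in the output.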