Endpoint Protection

  • 1.  Virus Removal for MacOSx

    Posted Aug 16, 2010 04:11 PM
    I just recently scanned my WD external hard drive and I have two infected files: FLVdirect-1.exe HeuristicLow.ADH. It tells me two files are infected by this virus, but I don't know if my endpoint protection has removed the threat from the files. How do I know the virus is cleared? Do I have to do it manually? Last time it sent all the infected files to quarantine, where I repaired all of them manually. This time no files were sent to quarantine. So what do I do? Please help. Also, I'm running Symantec Endpoint Protection on my Mac OSx, with recent updates for SEP.


  • 2.  RE: Virus Removal for MacOSx

    Posted Aug 17, 2010 05:15 AM
    Hi 5050trap,

    What exactly does it say in the logs?  Generally there will be an action like "the threat was successfully deleted" or "the file was left alone."  The log entry itself is likely to give you the answer.

    (In the SEP application, go to the Tools->View History item in the menu bar. Hovering over the name of a detected threat will show the original location of the threat on the system.  Is that file still present, or is it gone?)

    Please keep the forum up-to-date with your progress!

    Thanks and best regards,

    Mick


  • 3.  RE: Virus Removal for MacOSx

    Posted Aug 17, 2010 11:30 AM

    Just so we're clear, did you find this file on your Mac?  As Mick suggests, look at the View History to see where the file was located.

    Bear in mind that .exe files cannot execute within the Mac OS.  If the file is within an archive file (i.e. a .zip) then SEP can't modify the contents of the zip.  The View History will give you a direction to move in.

    I highly recommend enabling Automatic Repair for Auto-Protect, Manual Scans and Scheduled Scans.  I have some edits pending to the document "Infected files are detected but not repaired".  Here is the relevant section that does not yet appear in the linked document.



    For SEP managed computers:

    To enable Automatic Repair for Auto-Protect:

    1. Log into the Symantec Endpoint Protection Manager (SEPM).
    2. Go to Policies > Antivirus and Antispyware and edit the appropriate policy for the group in which the Macintosh clients belong.
    3. In the policy, under Mac Settings, choose File System Auto-Protect.
    4. In the Scan Details tab, check the box for Automatically repair infected files.


    To enable Automatic Repair when a scheduled scan is performed:

    1. Log into the Symantec Endpoint Protection Manager (SEPM).
    2. Go to Policies > Antivirus and Antispyware and edit the appropriate policy for the group in which the Macintosh clients belong.
    3. In the policy, under Mac Settings, choose Administrator-Defined Scans.
    4. In the Common Settings tab, check the box next to Automatically repair infected files.


    To enable Automatic Repair when a manual scan is performed:

    1. Log into the Symantec Endpoint Protection Manager (SEPM).
    2. Go to Policies > Antivirus and Antispyware and edit the appropriate policy for the group in which the Macintosh clients belong.
    3. In the policy, under Mac Settings, choose Administrator-Defined Scans.
    4. In the Scans tab, under Administrator On-demand Scan, click on Edit....
    5. On the Scan Details tab, under Actions, check the box next to Automatically repair infected files.

    Thanks,
    sandra


  • 4.  RE: Virus Removal for MacOSx

    Posted Aug 23, 2010 04:05 PM
    Ok, I'm looking now and some of the threats SEP tells me have been deleted, some are not repaired, and some are in quarantine.  The files are on my WD Mac essential external HD. I just ran a complete scan on my HD and I have 36 threats, it tells me. I think I'm having this problem due to the fact I didn't turn off Time Machine. I linked my HD and Time Machine, so I think it keeps backing up the corrupted files. I've turned Time Machine off now. If I repair the files, will it permanently remove the threats? Also, since I have the Time Machine backup, plus 2 manual backups, I believe that's why it's the same file just in different locations.

    Since it's too much to type, I've screen captured it for you guys.

    I hope this helps to give you guys a good visual. Also, I'm new to the site, forgive my noob-ness.


  • 5.  RE: Virus Removal for MacOSx

    Posted Aug 23, 2010 04:09 PM
    As I can see, it's only 2 files, FLVDirect-1.exe and FLVDirect.exe, and they have been detected as heuristic (suspected threat); it's not necessary they are threats.

    I believe this file is an FLV player used for Windows, so either the file is infected or it is falsely detected.

    Is this file getting detected in Windows as well?

    Remove this/all the files from your quarantine
    /Library/Application\ Support/Symantec/AntiVirus/QuarantineFile.qtn



  • 6.  RE: Virus Removal for MacOSx

    Posted Aug 23, 2010 05:52 PM
    These files can't be repaired because they are not legitimate files that have been modified, like back in the day when file infectors were common.

    I don't recommend scanning the Time Machine backup because the OS protects it the same way Windows protects System Restore.  The backups will eventually be purged.  I suspect if you tried to restore this file to the hard drive, it will be intercepted and quarantined by Auto-Protect.

    They are .exe files, which can't run on a Mac.  Your machine is not infected. 

    Auto-Protect should be intercepting any new attempted Downloads.  Be aware of where you are surfing if this happens -- let us know if you're prompted to install a video codec, for example, just before it occurs.

    The .qtn file is a protected file.  I recommend you instead remove items from the Quarantine via the SEP interface.

    sandra