Endpoint Protection


Why is 'Leave alone (log only)' my primary action

Migration User, Oct 15, 2009 11:45 AM

  • 1.  Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 06:04 AM
    Hi.

    I've got a few of these cases whereby a weekly scan detects viruses and doesn't seem to do anything other than log it. I can understand it not being able to clean it, as the virus is in a compressed folder, zip or cab... but my settings on SEPM are always PRIMARY=clean, SECONDARY=delete/quarantine... so why does it flag up on the client log as 'leave alone'? That should be the last option.

    I could understand if it actually tried doing one of the actions I set, failed and then 'left alone', but this isn't what I've asked for...

    I've checked all the actions and they're all set to clean or delete....

    anyone?

    see screen shot attached


  • 2.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 06:09 AM
    Explanation of Action field values
     http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006112010562148


    Best Practices for responding to "Left Alone" in the virus or threat history log
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006011308151248


  • 3.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 06:37 AM
    Left alone
    Symantec AntiVirus detected a risk but did not take action.

    This can occur if the first configured action is Leave alone or if the second configured action was Leave alone and the first configured action was not successful. This may mean that a risk is active on the endpoint.

    OK, thanks for this Vikram. It would be nice if SEP explained this as a reason in the log... a simple 'unable to perform primary action' or something would be nice... just looking through the logs, it makes you think that something is set incorrectly...

    OK - so resetting permissions on the infected area and rescanning gives the same results... I know the virus isn't running in memory, as these files are just a backup of a user's documents... it's never been executed...

    so permissions are set fine I think - server\users=full access, system=full access, administrators=full access

    what gives?


  • 4.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 06:40 AM
    The file might be hooked to some running system process which SEP is not able to kill.
    So I would suggest scanning in safe mode as an option.


  • 5.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 06:45 AM
    nope, it's not - I can hit the delete key on this file and it goes - but that's not a solution...

    what account needs to have permissions to access the file for SEP - just the system account? or is there something else?


  • 6.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 06:54 AM
    Depends on what scan you are running. If you are launching a manual scan and the folder only has system account permission, it won't catch the virus.

    If you are logged in as a limited account and the file is under a different user account which is not accessible by this user, the file will get detected but no action will be taken, as access will be denied.


  • 7.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 07:02 AM
    OK - well, whilst trying to fix this I'm using my account, which is a domain admin account... and this is listed under the local administrators group for that server

    that folder has administrators set to full access... hence why I can delete it manually -

    the system account also has full access...

    I've reset permissions and owner... still get the same...

    like I say, I can find a good few that match this problem across our domain....

    I notice this only happens on compressed files....


  • 8.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 07:28 AM

    I tested it with the Eicar test file and I got 2 notifications:

    1. Cleaned
    2. Action taken: Compressed file processing succeeded

    So are these files simple zip files, or is it a zip under a zip, or with a password on it?

    Anyway, what is it getting detected as?


  • 9.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 07:31 AM
    Are you getting any decomposer error in the Event log or system log on the client?
    This can be a limitation of the Decomposer Engine's ability to scan compressed or locked files:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002073015235648


  • 10.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 07:38 AM
    How many compression levels do these files have?
    Like a normal Zip, or a Zip under a Zip?
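    The question above (how many levels of compression, and whether the container type matters) is easy to answer empirically. The script below is an added example, not code from the thread or from Symantec: it writes EICAR test samples at archive depths 1, 2 and 3, plus the poster's case of a .cab, into a work folder so that a manual scan shows which ones SEP cleans or deletes and which it merely logs as "Left alone". The work folder, file names and nesting scheme are my own choices; the EICAR string is the standard test string, and makecab.exe ships with Windows.

```powershell
# Added example (not from the original thread or from Symantec): build EICAR test
# samples at increasing archive depth so a manual scan shows which ones SEP cleans
# and which it only logs as "Left alone".  Work folder and names are my own choices.
# Needs Windows PowerShell 5.1 or later; makecab.exe ships with Windows.
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.IO.Compression

# Standard EICAR test string.  Single quotes matter: in double quotes PowerShell
# would expand $EICAR and $H as variables and silently corrupt the signature.
$eicarText  = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
$eicarBytes = [System.Text.Encoding]::ASCII.GetBytes($eicarText)

function New-ZipBytes {
    # Wrap $Content in a fresh in-memory zip archive as a single entry named $EntryName.
    param([string]$EntryName, [byte[]]$Content)
    $ms  = [System.IO.MemoryStream]::new()
    $zip = [System.IO.Compression.ZipArchive]::new($ms, [System.IO.Compression.ZipArchiveMode]::Create, $true)
    $entryStream = $zip.CreateEntry($EntryName).Open()
    $entryStream.Write($Content, 0, $Content.Length)
    $entryStream.Dispose()
    $zip.Dispose()          # writes the central directory into $ms
    $bytes = $ms.ToArray()
    $ms.Dispose()
    return ,$bytes          # leading comma keeps the byte[] from being unrolled
}

$work = Join-Path $env:TEMP 'sep-decomposer-test'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$samples = @()

# The bare eicar.com is never written to disk, because Auto-Protect would remove
# it before it could be archived.  It goes straight into level 1, 2 and 3 zips.
$payload = $eicarBytes
$name    = 'eicar.com'
foreach ($level in 1..3) {
    $payload = New-ZipBytes -EntryName $name -Content $payload
    $name    = "eicar-level$level.zip"
    $path    = Join-Path $work $name
    [System.IO.File]::WriteAllBytes($path, $payload)
    $samples += $path
}

# A .cab like the original poster's.  makecab needs a source file on disk, so the
# level-1 zip is used as the source (depth 2: cab -> zip -> eicar.com).
$cabPath = Join-Path $work 'eicar-in-zip.cab'
& makecab.exe (Join-Path $work 'eicar-level1.zip') $cabPath | Out-Null
$samples += $cabPath

# Record hashes so each risk-log row can be matched back to the sample it came from.
$samples | ForEach-Object {
    $h = Get-FileHash -Algorithm SHA256 -LiteralPath $_
    '{0}  {1}' -f $h.Hash, $_
}
```

    Run it, start a manual scan of the work folder, then read the risk log row by row: if eicar-level1.zip is cleaned while the deeper zips or the cab are "Left alone", the cause is the decomposer's handling of nesting depth or container type rather than permissions, since every sample sits in the same folder with the same ACL. If Auto-Protect removes the zips as soon as they are written, the test still tells you something: real-time protection is reaching inside archives on that client, and the work folder must be excluded (or Auto-Protect paused) to test the scheduled-scan path on its own.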


  • 11.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 08:17 AM
    Hi

    Firstly thanks for looking at this people

    Kavin - the file in question is a cab file - I can't find the info for the compression level...

    Vikram - nothing in the SEP system log - however... looking in Event Viewer (Application) on the client I see the following from the early hours this morning, not sure if it has any bearing on the problem:

    Auto-Protect Error: Auto-Protect is disabled because registration of the virus databases failed. Application has encountered an error.

    For more information, please go to: http://www.symantec.com/techsupp/servlet/ProductMessages?product=SAVCORP&version=11.0.4010.14&language=english&module=1000&error=0074&build=symantec_ent

    I notice that the above link is relevant to SAV, not SEP... but that's what it's given me

    I also get the following in the 'System' part of the event viewer

    SRTSP: Error loading virus definitions.



  • 12.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 08:43 AM
    That might be the issue, as the virus definitions are not loading, so Auto-Protect is malfunctioning, which in turn affects the Decomposer engine.
    I would suggest updating the defs again and running the scan again.
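    The replies so far point at three separate explanations for a "Left alone" row: the scanning account lacks rights to the file (replies 6 and 7), another process holds the file open (reply 4), or the client's definitions failed to load (replies 11 and 12). The script below is an added example, not code from the thread or from Symantec, that collects all three pieces of evidence for one flagged file in a single run. The provider name SRTSP and the event message wording are taken from the thread; the parameter names, the identities checked (NT AUTHORITY\SYSTEM and BUILTIN\Administrators) and the seven-day default window are my own choices, and $FlaggedPath is a placeholder for the path shown in the SEP risk log.

```powershell
# Added example (not from the original thread or from Symantec).  Save as
# Test-LeftAlone.ps1 and run it elevated on the client, passing the path SEP logged:
#   .\Test-LeftAlone.ps1 -FlaggedPath 'D:\backup\user\docs.cab'
# Checks: explicit Full Control for SYSTEM/Administrators, any Deny entry, whether
# another process holds the file open, and Auto-Protect / SRTSP definition errors
# in the Application and System logs.  Identities, window and names are my choices.
param(
    [Parameter(Mandatory)][string]$FlaggedPath,
    [int]$Days = 7
)
$ErrorActionPreference = 'Stop'

# 1. Which account is performing this check, and is it elevated?
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([System.Security.Principal.WindowsPrincipal]::new($me)).IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. ACL check: an Allow rule carrying every FullControl bit for each identity,
#    and whether any Deny rule exists that would override it.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl = Get-Acl -LiteralPath $FlaggedPath
$aclReport = foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
    $rules = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq $id })
    [pscustomobject]@{
        Identity    = $id
        FullControl = [bool]@($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights.HasFlag($fullControl) })
        HasDeny     = [bool]@($rules | Where-Object { $_.AccessControlType -eq 'Deny' })
    }
}

# 3. Is the file held open by something else?  An exclusive (FileShare None) open
#    throws IOException when another process has a handle; UnauthorizedAccessException
#    means this account cannot open it at all, which is the "access denied" case.
$lockedByOtherProcess = $false
$accessDenied         = $false
try {
    $fs = [System.IO.File]::Open($FlaggedPath, 'Open', 'Read', 'None')
    $fs.Dispose()
} catch [System.IO.IOException]            { $lockedByOtherProcess = $true }
  catch [System.UnauthorizedAccessException] { $accessDenied = $true }

# 4. Definition / Auto-Protect errors in the client event logs for the last $Days days.
$since = (Get-Date).AddDays(-$Days)
$defErrors = @(Get-WinEvent -FilterHashtable @{ LogName = 'Application','System'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -eq 'SRTSP' -or $_.Message -match 'Auto-Protect|virus (databases|definitions)' } |
    Select-Object TimeCreated, LogName, ProviderName, Id, Message)

[pscustomobject]@{
    File         = $FlaggedPath
    Owner        = $acl.Owner
    ReadOnly     = (Get-Item -LiteralPath $FlaggedPath).IsReadOnly
    RunningAs    = $me.Name
    Elevated     = $isAdmin
    Locked       = $lockedByOtherProcess
    AccessDenied = $accessDenied
    DefErrors    = $defErrors.Count
} | Format-List
$aclReport | Format-Table -AutoSize
$defErrors | Format-Table -AutoSize -Wrap
```

    Read the output in that order. FullControl true for both identities, no Deny, Locked false and AccessDenied false rules out the permission and open-handle explanations from the thread; DefErrors greater than zero in the same window as the scan is the case reply 12 describes, where the definitions never loaded and the decomposer had nothing to match against. Note that the ACL check looks for explicit FullControl bits, so inherited rules expressed as generic rights on a directory would show as false even though the effective access is full; on a file, as here, the rights are concrete.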


  • 13.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 08:48 AM
    Is there any recommended process for clearing the current definitions and implementing the new ones?

    It's on the latest defs currently, and has updated naturally even after that Event Viewer message...

    but I want to clear them and put the new ones back on to see

    ta


  • 14.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 09:56 AM
    OK - removed defs, reloaded and restarted after following this doc...

    http://service1.symantec.com/support/ent-security.nsf/docid/2007123111551948

    re-ran the scan - same problem


  • 15.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 10:19 AM
    I run into this issue quite regularly on mbox files (Thunderbird email) with infected zip attachments.  Considering we used to have data loss issues with SAV and mbox files, it seems they err on the side of caution now.  The good news is the file has to be extracted and copied elsewhere to be run, where SEP will stop it.


  • 16.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 10:29 AM
    Hi Snekul

    I think you helped with a similar problem before, where I replaced file permissions and that worked fine

    I guess you're right - the virus itself won't run and I shouldn't worry too much

    I just like things to be tidy - I want a clear status, and I also want as little involvement as possible... I don't want to have to investigate why SEP hasn't actioned anything when it's quite clearly detected something...

    suppose I'll just have to live with this :-p


  • 17.  RE: Why is 'Leave alone (log only)' my primary action
    Best Answer

    Posted Oct 15, 2009 11:44 AM
    "suppose i'll just have to live with this" That's what I've done.  When I look at the reports and logs, I always look at where they were located.  Usually, I only get concerned when alerts are found in Program Files or the Windows folder.  Sometimes I'm more concerned about what was found, like Vundo or something equally evil.


  • 18.  RE: Why is 'Leave alone (log only)' my primary action

    Posted Oct 15, 2009 11:45 AM
    :-) thanks