
Why is 'Leave alone (log only)' my primary action

Created: 15 Oct 2009 • Updated: 21 May 2010 | 17 comments
This issue has been solved. See solution.

Hi.

I've got a few of these cases where a weekly scan detects viruses and doesn't seem to do anything other than log it. I can understand it not being able to clean it, as the virus is in a compressed folder, zip or cab, but my settings on SEPM are always PRIMARY=clean, SECONDARY=delete/quarantine. So why does it flag up in the client log as 'leave alone'? That should be the last option.

I could understand if it actually tried doing one of the actions I set, failed and then 'left alone', but this isn't what I've asked for.

I've checked all the actions and they're all set to clean or delete.

Anyone?

See screenshot attached.


Vikram Kumar-SAV to SEP

Explanation of Action field values
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006112010562148

Best Practices for responding to "Left Alone" in the virus or threat history log
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006011308151248

Vikram Kumar

Symantec Consultant

The most helpful part of entire Symantec connect is the Search button..do use it.

outrunred

Left alone
Symantec AntiVirus detected a risk but did not take action.

This can occur if the first configured action is Leave alone or if the second configured action was Leave alone and the first configured action was not successful. This may mean that a risk is active on the endpoint.

OK, thanks for this, Vikram. It would be nice if SEP explained this as a reason in the log. A simple 'unable to perform primary action' or something would be nice. Just looking through the logs, it makes you think that something is set incorrectly.

OK, so resetting permissions on the infected area and rescanning gives the same results. I know the virus isn't running in memory, as these files are just a backup of a user's documents; it's never been executed.

So permissions are set fine, I think: server\users=full access, system=full access, administrators=full access.

What gives?

Vikram Kumar-SAV to SEP

The file might be hooked to some running system process which SEP is not able to kill, so I would suggest scanning in safe mode as an option.

outrunred

Nope, it's not. I can hit the delete key on this file and it goes, but that's not a solution.

What account needs to have permissions to access the file for SEP? Just the system account, or is there something else?

Vikram Kumar-SAV to SEP

Depends on what scan you are running. If you are launching a manual scan and the folder only has system account permissions, it won't catch the virus.

If you are logged in as a limited account and the file is under a different user account which is not accessible by this user, the file will get detected but no action will be taken, as access will be denied.

outrunred

OK, well, whilst trying to fix this I'm using my account, which is a domain admin account, and this is listed under the local Administrators group for that server.

That folder has Administrators set to full access, hence why I can delete it manually.

The system account also has full access.

I've reset permissions and owner; still get the same.

Like I say, I can find a good few that match this problem across our domain.

I notice this only happens on compressed files.

Vikram Kumar-SAV to SEP

I tested it with the EICAR test file; I got 2 notifications:

1. Cleaned
2. Action taken: Compressed file processing succeeded

So are these files simple zip files, or is it a zip inside a zip, or one with some password on it?

Anyway, what is it getting detected as?

Vikram Kumar-SAV to SEP

Are you getting any decomposer error in the Event log or system log on the client?
This can be a limitation of the Decomposer Engine's ability to scan compressed or locked files.
http://service1.symantec.com/SUPPORT/ent-security....

kavin

How many compression levels do these files have?
Like a normal zip, or a zip under a zip?
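The two questions above (Vikram's EICAR test of compressed-file handling and kavin's question about nesting depth) can be reproduced on a test box. The following is an added example, not code from any poster in this thread or from Symantec: it builds EICAR test archives at a chosen zip nesting depth and models a decomposer that gives up past a configured depth, which is one way a "detected but no action" result arises. The function names, the depth limit and the verdict strings are this example's own; real SEP limits and wording differ, cab archives are not covered (the standard library cannot write them), and password-protected entries are only flagged, since the standard library cannot create them.

```python
import io
import os
import zipfile

# Standard 68-byte EICAR test string, assembled from two halves at runtime so
# that a scanner does not flag this source file itself; the bytes written to
# the archives are the unmodified string.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
         b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def build_nested_zip(depth, inner_name="eicar.com"):
    """Return the bytes of a zip archive holding eicar.com under `depth`
    layers of zip nesting (depth=1 is a plain zip, depth=2 a zip in a zip).
    Hypothetical helper for this example."""
    payload = EICAR
    name = inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, payload)
        payload = buf.getvalue()
        name = f"layer{level + 1}.zip"
    return payload


def decompose(data, max_depth, depth=1):
    """Walk zip members recursively, the way an AV decomposer does, but stop
    at `max_depth` archive layers (a made-up limit for this example).
    Returns a list of (member_path, verdict) tuples."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:
                # General-purpose bit 0 set: the entry is encrypted, so a
                # decomposer without the password cannot inspect it.
                results.append((info.filename, "encrypted: cannot inspect"))
                continue
            member = zf.read(info.filename)
            if zipfile.is_zipfile(io.BytesIO(member)):
                if depth >= max_depth:
                    # Nested archive beyond the limit: content is never looked at,
                    # so nothing can be cleaned or deleted inside it.
                    results.append((info.filename,
                                    f"skipped: nesting exceeds {max_depth}"))
                else:
                    for path, verdict in decompose(member, max_depth, depth + 1):
                        results.append((f"{info.filename}/{path}", verdict))
            elif member == EICAR:
                results.append((info.filename, f"detected at depth {depth}"))
            else:
                results.append((info.filename, "clean"))
    return results


def write_samples(directory, max_nesting=3):
    """Write eicar_depthN.zip files into `directory` so a real scanner can be
    pointed at them; returns the paths written."""
    os.makedirs(directory, exist_ok=True)
    paths = []
    for depth in range(1, max_nesting + 1):
        path = os.path.join(directory, f"eicar_depth{depth}.zip")
        with open(path, "wb") as fh:
            fh.write(build_nested_zip(depth))
        paths.append(path)
    return paths


if __name__ == "__main__":
    # Show how a depth limit of 2 handles archives nested 1 to 3 deep.
    for depth in (1, 2, 3):
        for path, verdict in decompose(build_nested_zip(depth), max_depth=2):
            print(f"nesting {depth}: {path}: {verdict}")
    print("written:", write_samples("eicar_samples"))
```

Drop the written samples into a folder the scan account can read and compare the client log entries for each depth; if only the deeper archives come back as "Left alone", the decomposer's nesting limit (not the action settings) is what is in play.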

outrunred

Hi

Firstly, thanks for looking at this, people.

Kavin: the file in question is a cab file; I can't find the info for the compression level.

Vikram: nothing in the SEP system log. However, looking in Event Viewer (Application) on the client, I see the following from the early hours this morning; not sure if it has any bearing on the problem:

Auto-Protect Error: Auto-Protect is disabled because registration of the virus databases failed. Application has encountered an error.

For more information, please go to: http://www.symantec.com/techsupp/servlet/ProductMessages?product=SAVCORP&version=11.0.4010.14&language=english&module=1000&error=0074&build=symantec_ent

I notice that the above link is relevant to SAV, not SEP, but that's what it's given me.

I also get the following in the 'System' part of Event Viewer:

SRTSP

Error loading virus definitions.

Vikram Kumar-SAV to SEP

That might be the issue: as the virus definitions are not loading, Auto-Protect is malfunctioning, thus affecting the Decomposer engine.
I would suggest updating the defs again and running a scan again.

outrunred

Is there any recommended process for clearing the current definitions and implementing the new ones?

It's on the latest defs currently, and has updated naturally even after that Event Viewer message,

but I want to clear them and put the new ones back on to see.

Ta.

outrunred

OK, removed defs, reloaded and restarted, after following this doc:

http://service1.symantec.com/support/ent-security.nsf/docid/2007123111551948

Re-ran the scan: same problem.

snekul

I run into this issue quite regularly on mbox files (Thunderbird email) with infected zip attachments. Considering we used to have data loss issues with SAV and mbox files, it seems they err on the side of caution now. The good news is the file has to be extracted and copied elsewhere to be run, where SEP will stop it.

Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa

outrunred

Hi Snekul

I think you helped with a similar problem before, where I replaced file permissions and that worked fine.

I guess you're right: the virus itself won't run and I shouldn't worry too much.

I just like things to be tidy; I want a clear status and I also want as little involvement as possible. I don't want to have to investigate why SEP hasn't actioned anything when it's quite clearly detected something.

Suppose I'll just have to live with this. :-p

snekul

"Suppose I'll just have to live with this." That's what I've done. When I look at the reports and logs, I always look at where they were located. Usually, I only get concerned when alerts are found in Program Files or the Windows folder. Sometimes I'm more concerned about what was found, like Vundo or something equally evil.

SOLUTION