
Antivirus/Antispyware Scanning Recovery Boot CD

Created: 07 Jul 2009 • Updated: 21 Apr 2010 | 37 comments
GrahamA's picture
140 Agree
0 Disagree
+140 140 Votes
Status: Implemented

(re-posting a previously requested item)

Require Symantec to provide a boot CD (or instructions on how to create one), so we can boot from this CD and fully scan a machine, without having to load Windows. This can be very useful when attempting to detect or remove a stubborn threat / trojan / virus, especially when the threat can't be removed, even via Windows Safe Mode.

Being able to also run this via USB key would be ideal.

37 Comments

Grant_Hall's picture

This would be useful to have a full copy of SEP to run via a live cd. Until that point this is what I suggest to customers:

Start up the machine using Windows Preinstall Environment (WinPE) on a CD or USB stick that has the latest NSS tool to clean the infected machine.

Steps to do this:

1. Get WinPE
2. Download and update Norton Security Scanner (NSS)
3. Copy the NSS folder onto the WinPE CD/USB
4. Boot the infected machine using the WinPE live CD or USB stick
5. Browse to the NSS folder and run nss.exe to scan and clean the infected machine.

Thought you guys would find this useful

Grant-

Please don't forget to mark your thread solved with whatever answer helped you : )

+1
shogo's picture

Is the NSS not only for detection? If I got it right, it does not remove threats?

0
Mick2009's picture

Just a quick update to this thread: NSS is currently past its End Of Life (EOL). Using Symantec Power Eraser in its place:

About Symantec Power Eraser
http://www.symantec.com/docs/TECH134803

How to run Symantec Power Eraser with the SymHelp utility
http://www.symantec.com/docs/TECH203683

With thanks and best regards,

Mick

0
Scott_Lockington's picture

Hello,

I was looking for the very same thing and was given the SymPE.rar, which is an .iso and PDF instructions, by my Sales Rep. I believe it is considered BETA and designed by Paul Murgatroyd of SEP11 forum fame; you should check with him. I have used it to successfully find the eicar virus on an HDD.

It may just be a packaged version of what Grant Hall recommends in the post above.

+1
GrahamA's picture

Hi all, thx for the input.

It's true, we have an unofficial version of this type of CD which has been working pretty well, but we are in the process of creating an updated, officially supported version of the same thing. Look out for that in the future.

If anyone needs this type of CD in the meantime, we can provide it on a case-by-case basis, with the understanding that its use is not officially supported right now, so it is use at your own risk.

GrahamA Product Management, Symantec Security Solutions

+2
Nourbakhsh's picture

First of all, let me say thanks a lot to anybody who publishes such useful tools as the Live Antivirus CD.
Then I have some questions for Symantec Support, as follows:

1. Why doesn't the Symantec Technical Team update all useful tools by collecting them in a known location, such as a special web site or the Tools subdirectory on the second CD, and give all customers a chance to use these utilities and solve their problems?
As far as I know, there is a subdirectory on the second CD (Tool) for the above, but the problem occurs when new tools arrive and we don't know about them until we look them up in the forums or wait for a new release / new CD, and this takes some months (depending on Symantec upgrade programs).

2. Why is remote removal from the SEPM console not on the suggestion list? Please do it. Also, removing an old version or a corrupted antivirus from a client still needs professional knowledge and isn't as easy as others. All Cleanwipe tools are not complete / working fine, and you should always verify some points yourself to be sure.

3. Some simple requests, such as modifying the Home Page of SEPM, are not possible except for Favorites. Normally admins need to change some parts (e.g. Attacks Per Hour: Last 12 Hours or Watched Applications Summary) to achieve the best result at first look for fast action.

4. Why are there no tools for diagnosing the most common problems on clients / servers and collecting the necessary information to help the Support / Technical Dept. of Symantec with fast response and feedback?

So, it could be a good suggestion for the Symantec Technical Team and according to CRM / Support on Symantec groups.

Best regards, and try to improve performance and best support at Symantec

0
AravindKM's picture

I am happy to hear this, because I am sure that it will be a very useful CD in my tool kit.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

0
Marym135's picture

GrahamA,  please tell me that I can get a version of this!  I have a nasty virus that one of my users downloaded from the internet, it's giving me the "blue screen of death" if I got into Safe Mode, if I let it boot into Windows and I click on ANY icon, it restarts Windows.  So I desperately need this CD or if you have another solution, other than formatting at this moment, please let me know.  I am a current and active owner of EndPoint 11.05 with the company.

mary

0
bobcool's picture

How can I get the copy ?

0
Alex1972's picture

Hi Graham

can you please send me the url to download the live cd?
Thanks in advance.

Alex

0
bbgun06's picture

Thanks very much for letting me try the cd.
It cleaned off my computer nicely, however I did have a few problems.  I could not get any virus definitions off the disk, or off my hard drive, so I had to dig out a network cable to do the online option. (which is a nice feature, btw)  Also, it ran quite slowly, with long periods looking at a blank screen.  If there was some type of loading or progress indicator, someone would be less likely to assume it has crashed.
I have Windows Vista, on an intel core 2 duo, if that makes any difference.

0
shogo's picture

Is the product Norton Security Scan able to clean infections? When I downloaded it and it found bad things, it was not able to clean, advising me to buy another product to be able to clean. Does the NSS really support cleaning infections?

0
rthurston's picture

How can I obtain a copy of this "Live antivirus CD"?

0
wlramsey's picture

I have run into an instance where my user got her PC infected so bad that symantec will no longer start (not even in safe mode).  I need to run the scan without windows loading.  Could you email me a link to this software?  It would be greatly appreciated.

0
HPCDSA's picture

 Have we got any sort of ETA on when this might be released, as we have a number of people in the business after this.

0
Thrugar's picture

This would be extremely useful, as I have a machine that even after doing an XP repair is so messed up that Norton or much else won't run. The more frustrating piece is that I have Norton and can't figure out how to make a recovery CD! The help files are no help and so far the forums have not been much help either. I have an older version to be sure: Symantec Antivirus 9.0.0.338

0
Adminnnnnn's picture

I would like to get a copy of the iso for the CD please.  How might I go about obtaining it?

0
Frank019's picture

Would be very useful, can wait to get the iso

0
TheSpidy's picture

Add me to the list please, I'd like a copy too.

Whom do I have to contact for it?

0
roberta's picture

Let's hope Symantec releases one Soon....

Greetings from The Land Downunder

0
JT-NZ's picture

Well, the Norton 360 installation CD is also a boot CD that updates definitions from the internet and then scans the computer. I have never found the updating feature to work, probably because of unsupported network cards. Inside the install document they give a link of where to download a new CDROM ISO file that has the latest definitions...

For all you saying "gimme gimme gimme the url" it is probably no secret, but you need a valid Norton360 product key to enter each time you run it. If you need such a CD now, just buy Norton360 for the info... 

Symantec:
Gotta agree with this idea posted by GrahamA, you already have the CD ISO file available for download, can we create an updated one from SEPM with latest definitions and scan engine, and have unauthorised abuse protected by our Serial Number or Support ID

0
zoolanderx's picture

How can I get this CD?  Please send it over this way.

0
cemilebaşak's picture

Hi;

How can I obtain the CD or ISO?

Is it downloaded from the Platinum web site, or is there any need to open a case for it?

Regards.

Regards;

Cemile Denerel BAŞAK

Note: Please mark as solution if it helps you.

0
ChrisCWilk's picture

Hello,

We are a licensed user of SEP 11.0.5 and need a way to boot into a clean environment and run SEP to clean a machine of malware without having to rebuild. Where can we download it, and/or is it available through support?

Thanks,
-ccw

0
lromer's picture

It's about time!  When and where can we get this?

0
tvalus's picture

An official release version of this would be a great tool for us. Adding my 2 cents and vote.

0
PALEX's picture

It would be great if you guys could also make this an option for Altiris DS's PXE server.  I would like to be able to push a job that downloads the latest vir def and then boots into PXE and starts scanning the computer. 

0
Adam73's picture

Why is it that there are other vendors with their rescue boot CDs ready for download as an ISO but Symantec is way behind on this?

0
shogo's picture

Is Symantec still not providing a rescue boot CD for offline virus scans???

0
Mick2009's picture

Hello thread subscribers,

Just a note that SEP 11 RU6, which contains the SERT tool, is now available via fileconnect.  All SEP 11 customers are encouraged to upgrade to RU6 to obtain this tool and take advantage of RU6's other improvements and enhancements. 

There is no need to download the whole SEP 11 RU6 DVD.....  SERT is a separate download available via FileConnect, as it is quicker to download the Symantec_Endpoint_Recovery_Tool_1.0.15_AllWin_EN.iso file individually.  At 284 MB, it may take some time to download over slower connections.

Thanks and Best regards,

Mick

With thanks and best regards,

Mick

+2
Grant_Hall's picture

I am so excited this is available now! Does anyone have any feedback on it yet? 

Cheers
Grant

Please don't forget to mark your thread solved with whatever answer helped you : )

+1
shogo's picture

The auto-update feature seems to work well if you have an internet connection and PE can handle your network drivers; then it starts automatically and updates to the newest dat files. If not, it requires you to download the latest dat (.jdb), unzip it, put it on a USB stick and point to it manually.
The strange thing is that if the auto-update feature is not working you get a dat file from 2009; it should at least have been from 2010.

+1
NickB's picture

The Recovery Tool CD works good.
The programmer is using the WinINet API to go to the Internet and did not put in the functionality to enter a Proxy server, username & password. This is a necessary function in a corporate environment. There are ways to enter the proxy server via a premade registry file exported from HKCU, but the code still does not prompt for the username and password.
The tool works good because it is based on the Windows Vista WPE and you can run utilities like Sysinternals "Process Monitor", notepad, ipconfig, net, etc.

Below is a document for updating the virus definitions I created. Copy and paste the contents to a Word file and save until Symantec adds the proxy functionality.

Symantec Endpoint Recovery Tool 1.0.15

Updating the virus definition files

1. Download the virus definition for Symantec Endpoint Protection 32‐bit JDB version.

Example: vd312808.zip (if the extension is .jdb, rename the extension to .zip)

2. Extract the files to a network server and folder location (use WinZip or another utility)

Method 1 (USB drive)

1. Copy the extracted files to a USB drive (name the folder Vdefs)

2. Boot‐up using the Symantec Endpoint Recovery Tool CD

3. Insert the USB drive (containing the virus definition files ) into the computer

4. Advance through the initial screens until the Main menu appears

5. Click on Browse for Virus Definitions (lower left)

6. Locate the USB drive and browse to the folder containing the extracted virus definition files

7. Click OK

8. The virus definition timestamp (lower right) should now reflect the new date

Note: The USB drive must remain inserted for the remainder of the session

Method 2 (CD)

1. Burn the extracted files to a CD

2. Boot‐up using the Symantec Endpoint Recovery Tool CD

3. Insert the CD into the CD drive on the computer

4. Advance through the initial screens until the Main menu appears

5. Click on Advanced (upper right)

6. Click on Launch Command Prompt

7. Enter C: <Enter>

8. Type md vDefs <Enter>

9. Type cd vDefs <Enter>

10. Type copy D:\vDefs\*.*

Replace source drive letter with the appropriate letter for the CD drive (files will copy to the current directory)

11. Click on Browse for Virus Definitions (lower left)

12. Browse to the folder (C:\vDefs) containing the extracted virus definition files

13. Click OK

14. The virus definition timestamp (lower right) should now reflect the new date

Note: Browsing directly to a CD will not allow use of the new virus definition files


Alternate Method (manual virus definition file update) – via network share

1. Boot‐up using the Symantec Endpoint Recovery Tool CD

2. Advance through the initial screens until the Main menu appears

3. Click on Advanced (upper right)

4. Click on Launch Command Prompt

5. At the command prompt, execute the “net use” command to map to the network server

Example: net use H: \\nps-techsup-srv\support2$

(Enter a domain user account (NPS-MASDOM\username) and password when prompted)

6. At the X: prompt, change directory to the X:\Symantec_NSS\virusdef folder

7. Delete all the files in this folder

8. Copy the extracted files (copy h:\Symantec\vdefs\*.*) to the current directory overwriting any existing files

9. Note: As per Symantec documentation, it is advised copying the extracted ZDONE.DAT file last. It was stated that due to the fact the Recovery Tool may look for the existence of this file to acknowledge the newer virus definitions, before all the files are finished copying, it may produce unpredictable results.

haven’t had to do this so far, maybe due to the fact all the original virus definition files were deleted in advance

10. The virus definition time stamp displayed in the GUI should update as soon as a scan has been started.

Note:

The same process can be followed by first copying the extracted virus definition files to a CD or USB drive. Continue with Step 6. Copy the files from the alternate source in Step 8.

More Information

When using the Browse for Virus Definitions, a CD or network location are not valid sources for new virus definition files.

+1
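
The network-share steps from the comment above, written as a batch file for the SERT command prompt so that ZDONE.DAT is always copied last. This is an added example, not part of NickB's document or Symantec's tooling: the file name `update-defs.cmd` is hypothetical, the `H:\Symantec\vdefs` source and `X:\Symantec_NSS\virusdef` target are the paths quoted in the comment, and the share is assumed to be mapped already with `net use`.

```batch
@echo off
rem update-defs.cmd (hypothetical name) - added example, not Symantec's own script.
rem Run from the SERT "Launch Command Prompt" window after mapping H: with net use.
setlocal
rem Paths as quoted in the comment; adjust SRC if the definitions are on CD or USB.
set "SRC=H:\Symantec\vdefs"
set "DST=X:\Symantec_NSS\virusdef"

rem Refuse to touch the live folder unless a complete extracted set is reachable.
if not exist "%SRC%\ZDONE.DAT" (
    echo ERROR: %SRC%\ZDONE.DAT not found. Share not mapped or files not extracted.
    exit /b 1
)
if not exist "%DST%\" (
    echo ERROR: %DST% not found. Not running inside the recovery environment.
    exit /b 1
)

rem Step 7: delete the old definition files.
del /q "%DST%\*.*"

rem Step 8: copy every file except ZDONE.DAT, verifying each write.
for %%F in ("%SRC%\*.*") do (
    if /i not "%%~nxF"=="ZDONE.DAT" (
        copy /y /v "%%F" "%DST%\" >nul || (
            echo ERROR: failed to copy %%~nxF
            exit /b 1
        )
    )
)

rem Step 9: copy ZDONE.DAT last, so the tool never sees it beside a partial set.
copy /y /v "%SRC%\ZDONE.DAT" "%DST%\" >nul || (
    echo ERROR: failed to copy ZDONE.DAT
    exit /b 1
)

echo Definitions staged in %DST%. Start a scan to refresh the time stamp.
endlocal
```

If any copy fails, the script stops before ZDONE.DAT is written, so the folder is left without the marker file rather than with a marker next to an incomplete set.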
Terry Cutler's picture

See silent video at http://www.youtube.com/watch?v=jwgoaIJA1Go

Demonstrated at Symantec WTS2010 event. 

Some minor customizations to the ISO image to include network drivers for newer generation platforms.   This was required for pcAnywhere lite and LiveUpdate to work.

Boot times using Intel vPro were less than 3 minutes if using 2-stage IDER boot (see http://communities.intel.com/docs/DOC-5552).   For one test client, boot time was close to 1 minute!

The video also shows KVM remote control

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

+1
Terry Cutler's picture

Follow-up to my previous comment.   See article posted at  http://www.symantec.com/connect/articles/optimizing-sert-intel-vpro-technology

The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries

+1