Endpoint Protection

  • 1.  Managing viruses/risks found on clients through SEPM

    Posted Dec 14, 2009 08:24 AM
    In a previous version I've been able to use the Symantec management console to view logs on the clients and delete viruses found. I can view the logs easily through SEPM, but I can't see how I can delete the viruses/risks found. Anyone any idea? It's extremely cumbersome having to go to every machine infected in order to deal with the threats.

    Many thanks
    Gill


  • 2.  RE: Managing viruses/risks found on clients through SEPM

    Posted Dec 14, 2009 11:22 AM
    Greetings,

    The only things that will show in the logs are the items that Symantec detected. If we detected it, then we are dealing with it effectively; there should not be a need to have to go to the machine.

    To view the logs, I suggest doing the following:

    -Open SEPM
    -Click Monitors on the left
    -Click Logs at the top left
    -Under log type, choose Risk
    -Choose a timeframe to view a little below

    Here you can see all detections that the clients had. I believe in the third column you can see what Symantec did with the detection (Deleted, quarantined, etc.)

    Are you seeing something that leads you to believe you need to go to the machine? If so, what exactly are you doing at the machine when you get there?


  • 3.  RE: Managing viruses/risks found on clients through SEPM

    Posted Dec 14, 2009 12:40 PM
    I see this too with my SEPM, as on the Home Screen, I always pay attention to the Still Infected line of the 'Action Summary by Number of Computers' section.

    When I go to the Risk logs it either says "Partially removed" or "Left Alone" or "Process termination pending restart".


  • 4.  RE: Managing viruses/risks found on clients through SEPM

    Posted Dec 14, 2009 05:05 PM
    I believe he's referring to the ability in the SAV console to right-click a specific client, view the Risk History and choose options like delete, quarantine, restore from quarantine, etc.


  • 5.  RE: Managing viruses/risks found on clients through SEPM

    Posted Dec 14, 2009 09:54 PM

    Check this article; I am sure it will help.

    How to clear an erroneous "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111913145448


  • 6.  RE: Managing viruses/risks found on clients through SEPM

    Posted Dec 15, 2009 06:12 AM
    I am indeed referring to the ability in the SAV console to right-click a specific client, view the Risk History and choose options like delete, quarantine, restore from quarantine, etc.

    Thanks John for those instructions, that's more or less what I'm looking for. The only problem is that even though I can then deal with quarantined files, I'm still getting 'security risk found (left alone)' and 'virus/security risk found (details pending)' entries - what do I do with these? Is the machine still infected? Do I have to do anything?

    Thanks Sandip for the link; I'm sure that will come in handy.

    Gill


  • 7.  RE: Managing viruses/risks found on clients through SEPM

    Posted Dec 15, 2009 08:41 AM
    Yes, I know. I was answering John_Prince's last question in his first post:

    "Are you seeing something that leads you to believe you need to go to the machine? If so, what exactly are you doing at the machine when you get there?"


  • 8.  RE: Managing viruses/risks found on clients through SEPM

    Posted Dec 15, 2009 08:52 AM
    Please go through this link.

    Symantec Endpoint Protection Manager reference guide for Symantec System Center users

    http://service1.symantec.com/support/ent-security.nsf/docid/2007021509381848

    This should answer your questions.

    Left Alone: Symantec Endpoint Protection detected a risk but did not take action. This can occur if the first configured action is Leave alone or if the second configured action was Leave alone and the first configured action was not successful. This may mean that a risk is active on the endpoint, so please visit the machine, run a full scan in safe mode with the latest defs, and check if that reoccurs.

    Details Pending: Details are not yet available about this action.




    Explanation of Action field values


    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006112010562148


  • 9.  RE: Managing viruses/risks found on clients through SEPM

    Posted Dec 15, 2009 09:37 AM
    I have seen "Still Infected" when a threat is detected on a CD-ROM, pen drive or network share and Symantec is unable to take any action on it.