Endpoint Protection

Risks detected when logged off, but nothing shows up in quarantine or logs

  • 1.  Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Mar 16, 2009 08:11 AM

    I have several clients reporting this message back every several days or so:

    "Symantec Endpoint Protection detected risks while you were logged out. You may need to open the Antivirus and Antispyware Protection Risk Log to view and take action on the risks."

    However when I look at the quarantine and the logs on these computers, nothing appears in them. Scans pick up nothing as well.

    I went in and temporarily disabled the risk notifications on the client, but to me this is just a workaround until I resolve this issue. I want to know why Symantec is claiming it detected risks but the risks in question do not show up in any log or quarantine.



  • 2.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Mar 19, 2009 07:41 AM

    No one has run into this issue?



  • 3.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 01, 2009 11:35 AM
    I'm getting this too, although it's only on a few machines and I can't figure out that they have anything in common. I'm hoping someone knows how to stop this. It's not causing major problems but it is really annoying. Thanks

    Sutton


  • 4.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 07, 2009 08:38 AM
    I have been working with Symantec Tech Support on this and we have a theory. Apparently they found in my logs some ping of death attacks that are being blocked by Endpoint, which in turn could cause the risks detected when logged off pop-up.

    We are still trying to figure out if it is a false positive or if there is actually something causing them. I am personally leaning towards a false positive.


  • 5.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 07, 2009 01:48 PM
    I'm sure you may have tried this already... I tried reinstalling SEP on 1 of the 2 machines that were having this issue and I haven't seen the pop-up since.

    Sutton


  • 6.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 08, 2009 12:45 AM
    How about the info on the SEPM server? Does it display any risks detected on that computer?


  • 7.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 08, 2009 07:42 AM
    SEPM shows no risks detected and none of the client logs show anything. That is the weird part about this. We simply cannot find what could be causing this. The ping of death thing I mentioned above? Turns out it is a false positive, from a diagnostic tool Symantec sent me to run on these machines in an attempt to find out what was going on. The damn tool triggered these ping of death alerts that showed up in the logs it collected!

    I'm getting to the point where we may just use CleanWipe on the machines with this issue. But I would prefer fixing this so it won't happen in the future.


  • 8.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 13, 2009 06:02 PM
    Hi, can you give us more info: version of SEPM, a little background on your network? Corporate fw? etc.


  • 9.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 23, 2009 09:43 AM
    Just started seeing this on my network.  Seemed to correspond with virus TrojanfakeAValert....

    Maybe this is the Fake Alert?????


  • 10.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted May 13, 2009 10:30 AM
    Have 1 client showing this.  Started after SEP blocked/deleted an infected PDF from the internet a couple of days ago.

    Full scan in Safe Mode as Admin turns up nothing except one tracking cookie that it then deleted.  Logging the user in and out doesn't show it - only after it's been left on with her logged out all night.

    Running the latest MR4, 11.0.4014.26.

    My hardware perimeter firewall blocks any incoming pings.

    Nothing I can find in her SEP or Windows logs.

    XP SP3.

    SEPM doesn't show anything.  I believe.  I'm still finding it hard to find everything in there.  I checked the notifications for the past 12 hours and nothing.  I checked the Security Status report and nothing.


  • 11.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted May 13, 2009 11:01 AM
    Started seeing this message after coming back to work on my own machine. No entries in logs, or quarantine. No sign of any problems, just an annoying message a couple of times each week.


  • 12.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted May 13, 2009 08:56 PM
    Please scan the client under safe mode.


  • 13.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted May 17, 2009 12:50 PM
    Even I've had this issue a few times on my system.

    Seems that SEP terms even the setup for NESSUS or NMAP and other such network mapping and troubleshooting tools as threats. A really WAG False Positive as I'd term it, and then quarantines the setup files.

    So I went and excluded the folders where I'd stored the installables and voilà, the issue was gone.


  • 14.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Jul 28, 2009 05:16 PM
     I'm running SEP 11.0.2000.1567. Every time a nightly scan is performed when no one is logged in I get the same message described in the original post upon signing back in. The risk log is always empty and the SEP Manager Console doesn't indicate any issues.


  • 15.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Jul 28, 2009 07:53 PM
    I encountered the same issue with the notification in my system tray. It prompts our end users: "Symantec Endpoint Protection detected risks while you were logged out. You may need to open the Antivirus and Antispyware Protection Risk Log to view and take action on the risks." You can see this near the system tray. Some users have panicked at this prompt; thank God most of the end users are non-IT, so they accept what we have explained. But the thing is, why does this prompt display even without a risk detected? Can you give me a procedure on how to disable the notification? As far as I know I have disabled all of the notification options found in the SEPM.



  • 16.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Dec 01, 2009 12:11 PM
    I have been seeing this problem now on one of my clients. They are running 11 MR5

    Did anyone ever figure out what causes this to occur and how to resolve the issue?



  • 17.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Dec 01, 2009 02:25 PM
    If any of you have a better suggestion, let me know.

    This is not the perfect way to do this, but at least clients won't freak out :)

    I changed this line in registry

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\SMC]
    "LaunchSmcGui"=dword:00000000

    So basically this prevents the GUI tray icon from loading.

    I use the console most of the time, and SEP is still running and you can still manually launch the GUI.

    Hope it helps !
    :)
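
Added example, not part of the post above and not Symantec's code: a read-only PowerShell audit that reports, per machine and registry view, whether the LaunchSmcGui value quoted in that post is set to 0, so an administrator can track where the tray GUI (and with it the logon pop-up) has been suppressed. The function name Get-SepTrayGuiState and the output fields are hypothetical; it assumes PowerShell 3.0 or later (.NET 4) and, for remote machines, a reachable Remote Registry service.

```powershell
# Added example. The key path and value name are the ones quoted in the post;
# the function name and output shape are hypothetical.
function Get-SepTrayGuiState {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $subKey = 'SOFTWARE\Symantec\Symantec Endpoint Protection\SMC'
    # Check both views: a 32-bit client on 64-bit Windows is redirected,
    # so the value may exist in only one of them.
    $views = @([Microsoft.Win32.RegistryView]::Registry64,
               [Microsoft.Win32.RegistryView]::Registry32)

    foreach ($computer in $ComputerName) {
        foreach ($view in $views) {
            $base = $null; $key = $null; $value = $null
            try {
                $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $computer, $view)
                $key = $base.OpenSubKey($subKey)      # opened read-only
                if ($null -eq $key) {
                    $state = 'KeyMissing'
                } else {
                    $value = $key.GetValue('LaunchSmcGui', $null)
                    # A missing value is reported as such, not guessed at.
                    if ($null -eq $value)          { $state = 'NotSet' }
                    elseif ([int]$value -eq 0)     { $state = 'TrayGuiSuppressed' }
                    else                           { $state = 'TrayGuiEnabled' }
                }
            } catch {
                $state = 'Error: ' + $_.Exception.Message
            } finally {
                if ($key)  { $key.Close() }
                if ($base) { $base.Close() }
            }
            [pscustomobject]@{
                ComputerName = $computer
                RegistryView = $view
                LaunchSmcGui = $value
                State        = $state
            }
        }
    }
}

# Local machine only; pass -ComputerName for a list of endpoints.
Get-SepTrayGuiState | Format-Table -AutoSize
```

Rows with State TrayGuiSuppressed are machines where users will no longer see any tray notification, genuine detections included, so those endpoints need their risk logs reviewed from the console instead.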


  • 18.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Dec 02, 2009 11:52 AM
    Anyone got a better suggestion?


  • 19.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Dec 02, 2009 11:59 AM
    How to Turn off Display Notifications about detections when the user logs on
    https://www-secure.symantec.com/connect/forums/front-end-pop-users-how-turn-it 


  • 20.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Dec 02, 2009 12:30 PM
    I am running 11 MR 5 and seeing this, so it has not been resolved but still exists as a problem.

    I also do not see anything in the options for auto-protect to turn off just that one pop-up box; all I see is the setting to turn off all notifications, which I do not want to do. I want the people to see if they have gotten a virus. Turning off just that notice itself would be fine I guess, but that doesn't actually solve the problem; you are ignoring the fact that it is there. It seems like for the past few problems I have had, the solution is always to turn off features or options.

    I hope the next version is far more usable than 11 is.



  • 21.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Dec 03, 2009 01:10 PM
    Hope for the Best !! :)


  • 22.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Mar 11, 2010 01:49 PM
    ...brought to my attention, upon checking out found that "Arugizer" trojan infected arucer.dll
    deleted from quarantine, updated, ran full scan- clean, message has not come back yet.
    Strange thing, when the user logs on and gets the popup stating Risks detected while logged off, her mouse stops working and she has to restart.


  • 23.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 12, 2010 01:27 PM
    Has anyone found a resolution to this issue yet? 


  • 24.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 14, 2010 09:17 AM
    As far as I know the only solution is to turn off all the notifications so that the end user is never told that they have a virus. That isn't actually a fix, but just a way to hide the notice from coming up.


  • 25.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 14, 2010 10:55 AM
    We have disabled this notification as it panics the end users.


    Regards...
    Ramji Iyyer


  • 26.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 14, 2010 12:13 PM
    Do you mean just the "a risk has been found when you were logged off", or all notifications? A legit notice should panic them. Unless I am the only one that thinks so, it is good for the end user to know that the email they just opened had a virus attached or that the site they went to just tried to install a virus, or that the link their friends sent them via Facebook was really a virus. That way once it happens to them at work, they won't go home and try to do the same thing.

    They get a link from a friend via Facebook, try to play it at work and nothing happens and nothing pops up, they assume that the company is just blocking stuff and then go home and try to run it. Then they infect their home computer.

    I myself left everything enabled and will just check to see if anything was found overnight when any of the computers go on their few day glitch and pop up the false message about the risk being found. I would rather deal with a few fake alerts for a few days than not have a person know when they have a legit virus found on their machine.


  • 27.  RE: Risks detected when logged off, but nothing shows up in quarantine or logs

    Posted Apr 19, 2010 08:38 AM

    Ramji, can you disable only that notification? Or will it disable all other notifications?

    Dan, it's just this one pop-up alert, with the message listed above, and it happens every day when the user logs on. It does not go away; it has been going on for months.