Endpoint Protection

  • 1.  SEPM daily report contains an item that requires intervention

    Posted Feb 21, 2014 03:59 PM

    Now what? What is the best way to handle these things, remotely if possible?


    Let's start with the obvious, and either get the user to run a full scan, or trigger one yourself from the Console. Let's say the machine pops up again in a day or so: maybe the same item, maybe another item, such that you think there is still a resident infection (or several).


    What are your options from here? Which tools are suggested, in order? What's the difference between SymHelp/PowerEraser and SymERT?


    I would definitely read up any links provided, but in a more common language, how do you proceed?


    Currently using 12.1 RU4 on SEPM with a mix of 12.1 RU2 and greater clients, both PC and Mac. Thanks for any help.



  • 2.  RE: SEPM daily report contains an item that requires intervention
    Best Answer

    Posted Feb 21, 2014 04:02 PM

    Where is the location of the infected file? What action is SEP taking on it? Does it keep coming back?

    I would certainly run SymHelp and/or Power Eraser.

    SEP used to be able to scan in safe mode, but this was changed in an early version of 12.1; Power Eraser can now be used instead.

    SymHelp can do a load point analysis, while Power Eraser can handle more aggressive/unknown malware. SERT is basically a "live CD" which uses the same defs as SEP.

    Submit virus samples here:

    http://www.symantec.com/security_response/submitsamples.jsp

    Good reading here:

    Security Response recommendations for Symantec Endpoint Protection 12.1 settings

    Security Response recommendations for Symantec Endpoint Protection settings

    Security Best Practice Recommendations



  • 3.  RE: SEPM daily report contains an item that requires intervention

    Posted Feb 21, 2014 04:08 PM

    They are all the same.

    Power Eraser is/was used by Norton, can be used with Symantec (consumer edition), and requires an internet connection.

    SERT (is for enterprise; does not need internet to run). Both do the same job.

    If the scan completes and it is still infected, the infection might be quarantined and need new defs from Symantec.

    You can submit the samples and get the defs released by Symantec.

    https://submit.symantec.com/websubmit/gold.cgi

    SymHelp is a diagnostic tool which helps during installation / product issues. Nothing to do with virus cleaning...

    Difference between Power Eraser / SERT:

    https://www-secure.symantec.com/connect/forums/what-difference-between-sert-and-power-eraser



  • 4.  RE: SEPM daily report contains an item that requires intervention

    Posted Feb 22, 2014 04:32 PM

    If you have a stubborn infection, Power Eraser (which is part of SymHelp) is the way to go. But keep in mind that it is more aggressive than the common SEP antivirus engine. Therefore, it's prone to false positives.

    SERT is a normal scanner with the common definitions, but it is started from a Live CD. So it's able to repair computers infected with ransomware or similar stuff that does not allow the PC to start from disk.



  • 5.  RE: SEPM daily report contains an item that requires intervention

    Posted Feb 24, 2014 11:47 AM

    Thanks for the explanation, all.


    This was more of a hypothetical on how to best use the tools, though in the last year we have seen a spike in infections. We typically just run a malware scan, then nuke/pave if the machine pops up again. My company does a lot of research, so data retention is paramount. This, of course, adds extra headaches in these scenarios, so I was looking for a "best way" to approach them. Thanks again.



  • 6.  RE: SEPM daily report contains an item that requires intervention

    Posted Feb 24, 2014 11:48 AM

    Glad to help!

    Take care,
    Brian