Clean infected PCs utilizing Symantec Endpoint Protection Manager 11

Posted on 2009-04-21
Medium Priority
Last Modified: 2013-12-09
Hello gang and as always thanks for your time and expertise.
Here's my question.
I work in an office with hundereds of pcs.  I recently deployed the symantec 11 client via the symantec enpoint protection manager server.  Everything seems to be working fine.  All the clients showed up and are receiving their virus definitions.  In addition, the console indicated that mutliple pcs are still infected with viruses.  My question is is there a way for me to clean these pcs from a centralized location i.e. the console.  The console has obviouosly detected the virus on these pcs - now I would like to delete or clean the virus from the console.  Is this not possible or am I missing something?  My action summary shows 357 viruses quanartined (this place was way behind in terms of virus protection) and 127 pcs still infected.
Again, my question is can I clean these pcs from the console or do I have to go around do all of these pcs and clean them manually.  Apprecaite as always your time and help.
Question by:pendal1
  • 3
  • 2
  • 2
  • +3

Accepted Solution

BillCarlin earned 600 total points
ID: 24197680
Under your AV/AS policy you can set the cleanup action on the Quarantine tab. If it is a concern, remove the quarantined files after x-days and delete files after 1 day. Under the Actions tab on File System auto-protect you can clean, delete, or quarantine there.  You also have settings available in the TruScan Proactive if you are using that as far as what to do when a scan detects.  On a side note, trying to clean up that environment, I would delete reather than try to clean and not allow scans to be cancelled by end users.  You might want to set up notification pop ups identifying infected machines to allow for more visibility.  Might cause end user inconvenience for a short time, bu would bring awareness of your uphill battle.
Good Luck

Author Comment

ID: 24198132
Thanks for the info.  I guess my question now is does the still infected computers actually mean those computers are still actively, real-time infected as I write this.  I checked all those settings you gave me and made some modifications.  What would you do about the still infected computers?  127 are listed.  Thanks for your time and expertise.

Assisted Solution

Maeros earned 600 total points
ID: 24198511
You can force a scan by right-clicking the computers in question and select "Scan" in the Symantec Endpoint Protection Manager.

As for the computers showing as infected, Symantec Endpoint Protection Manager does not remove the "infected" flag from the computers automatically - you have to manually clear the flag yourself.  To do this go to Monitor -> Logs -> Log Type: Computer Status (default filter), and click View Log -> highlight computer in question and click on "Clear Infected Status".  
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Expert Comment

ID: 24198545
Good point Maeros.  I would remove the infected flag prior to scanning as you should get a more accurate count that way.

Assisted Solution

Gihan_Jay earned 400 total points
ID: 24211141
Im note sure if this will fix the issue that you are having but I sure hope it will help you to go on the right path.

To enable submission of quarantined items to a Quarantine Server perform the following steps:

  1. In the Symantec Endpoint Protection Manager go to the client group's policy tab.
  2. Open the AntiVirus and AntiSpyware Policy page Click Submissions.
  3. Under "Quarantined Items", check Allow client computers to automatically submit quarantined items to a Quarantine Server.
  4. Type the name of the Quarantine Server. Type the port number to use, and then select the number of seconds to retry connecting.
  5. Click OK

    Note: The port used should be the same port number which has been configured as the listening port on the Central Quarantine Server.


Author Comment

ID: 24215661
Thanks guys.  I cleared a bunch of the flagged infected computers and will initiate some scans and see if these guys show up again.  I've checked a few pcs and the status of the virus protection shows no problems and the malware/viruses effectively quarantined.  I just wish the virus protection knew the pc was under control and not actively infected  and so removed the pc itself fromo the still infected group.  That would make life easier and it would require less hands-on admin.  I will close this ticket either today or tomorrow.  Thank you.

Expert Comment

ID: 24233982
Symantec's "reasoning" towards the manual flag removal was to force administrators to not only be aware of issues but to take action.  You definitely are right, it is surely a pain to have to do it manually, especially if you are managing many workstations.  Luckily it doesn't bother you if they are low risk detections.

A number of administrators have been vocal about it with Symantec, and hopefully they will eventually change this policy in a future update.

Assisted Solution

bRvO earned 400 total points
ID: 24240659
Hi ,

You need to clean the infected status from the machine manually to stop it reporting as infected.

Monitors | Logs | Computer Status .. Select a Time range.

View Log.

A list of all machines will be presented . Any that have a Green Diamond next to them are Ok. highlight any with a red diamond ( that you know is no longer infected ) and select Clear Infected Status.


Author Closing Comment

ID: 31572947
Thanks very much for your time and expertise.  The help is greatly appreciated.

Expert Comment

ID: 24389553
I do almost the same thing, but before you click "view log", click advanced settings, click compliance options and check infected only.  Then run the report.  Should only show the infected PC's.  You can save the report as well.

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

By the time you finish reading this article, you may have already lost all your money because you don't know the simple steps to securing your BitCoin wallet. BitCoin is an incredible invention. It is a decentralized currency system, which is the…
An introduction to the wonderful sport of Scam Baiting.  Learn how to help fight scammers by beating them at their own game. This great pass time helps the world, while providing an endless source of entertainment. Enjoy!
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question