Kenny Riley
Symantec Endpoint Protection Cloud - Detected Threats on Non-Existent Drive

A customer is receiving the following threat detections on a particular PC using Symantec Endpoint Protection Cloud. It turns out they purchased licenses for this product through CDW 6 years ago and do not have an active support agreement with Symantec, so going directly to them for this isn't an option, unfortunately.

Resolved Threats:
No risks have been resolved
Unresolved Threats:
Trojan.Gen.MBT
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Virus
 Status: Remove Failed
 -----------
 1 Infected File
D:\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe - Failed
 1 Browser Cache
Heur.AdvML.C
 Type: Anomaly
 Risk: High (High Stealth, High Removal, High Performance, High Privacy)
 Categories: Heuristic Virus
 Status: Remove Failed
 -----------
 1 Infected File
D:\DHL_Label_Scan _  June 19 2019 at 2.21_06455210_PDF.exe - Failed
 1 Browser Cache


The problem here is, there is no CD/DVD in the optical drive and there is no Drive D: on the machine at all, for that matter -- see attachment. I do recognize the filename, as it was an attachment included in a spam email that was never opened and has since been deleted from the end user's mailbox.

Any ideas on how to clear these alerts? I've cleared the cache on the machine, deleted temp files in Windows, and run full scans with Symantec that come back "clean", but as soon as you reboot, the threat detection pop-ups come back.

Thanks

Attachments: st2.png, pieceofshit.png

☠ MASQ ☠

Have you removed it from SEP's quarantine?
Kenny Riley (ASKER)

I haven't -- I'm not seeing an intuitive way of doing this either from the client itself or from the Endpoint Protection Cloud portal.

Unfortunately not -- those articles appear to apply to the Endpoint Protection product rather than the Endpoint Protection Cloud product. There doesn't appear to be any documentation that I can locate that applies to the Endpoint Protection Cloud product on how to clear the quarantine on a particular machine.

However, I did locate an option to take action on the threats detected on the client machine and attempt to delete the file, but it won't let me do so because it says D:\ is write protected. But how can D:\ be write protected if D:\ doesn't even exist?

See attached: write.png

☠ MASQ ☠

Seems with SEP Cloud you need to have Symantec Central Quarantine installed and you manage the quarantined files through there.
There's meant to be online help once you're logged in...
https://support.symantec.com/content/unifiedweb/us/en/article.DOC4336.html
is the manual for it.

D:\ is likely a virtual drive that SEP is using for storage so the file is locked by the AV for safety
Kenny Riley (ASKER)

Thanks for the reply, MASQ -- however, it looks like the Central Quarantine Server only applies to the non-cloud based SEP products:
https://support.symantec.com/us/en/article.tech182071.html

Additionally, if D:\ is write protected -- one would think it would still show up in DISKPART by executing list disk, no?
☠ MASQ ☠

That's strange, I referenced it as it appears in the Cloud Services Guide for SEP.

Pretty sure "D:" is referencing the quarantine though - here's a similar thing happening in Kaspersky
https://forum.kaspersky.com/index.php?/topic/216966-kis2011-detects-virus-in-non-existent-drive/

And if this is purely virtualised within SEP it won't appear in Explorer or diskmgmt.
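The question running through the last few replies is whether the OS itself knows about a D: drive at all, or whether the letter exists only inside the agent. The following PowerShell script is an added example, not code from the thread or from Symantec: it asks each place Windows resolves a drive letter from (the logical-disk table that diskpart and Disk Management read, the PowerShell filesystem provider, mapped network drives, the object-manager DOS device name, and the Mount Manager and Explorer registry keys) whether the letter exists, and reports all answers side by side. The `$Letter` parameter and the output field names are my own choices; the class names, API and registry paths are the standard Windows ones.

```powershell
# Added example (not from the thread): trace a drive letter that an AV agent
# reports but Explorer/diskpart do not show. Run in an elevated PowerShell
# on the affected PC; default letter is D.
param([string]$Letter = 'D')

$dev  = "${Letter}:"
$root = "${Letter}:\"

# 1. Logical disks known to the OS: this is what diskpart 'list volume' and
#    Disk Management also enumerate (DriveType 3 = local, 4 = network, 5 = CD-ROM).
$vol = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$dev'" -ErrorAction SilentlyContinue

# 2. Drive visible to this PowerShell session (includes subst and mapped drives).
$psd = Get-PSDrive -Name $Letter -PSProvider FileSystem -ErrorAction SilentlyContinue

# 3. Mapped network drives (what 'net use' shows).
$map = Get-CimInstance -ClassName Win32_MappedLogicalDisk -Filter "DeviceID='$dev'" -ErrorAction SilentlyContinue

# 4. Object-manager DOS device name behind the letter: a real volume resolves to
#    \Device\HarddiskVolumeN, a subst drive to \??\C:\some\path; an undefined
#    letter returns 0. Only the first target in the returned list is shown.
Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@
$sb = New-Object System.Text.StringBuilder 1024
$n  = [Native.Kernel32]::QueryDosDevice($dev, $sb, [uint32]$sb.Capacity)
$target = if ($n -gt 0) { $sb.ToString() } else { $null }

# 5. Persistent letter assignments recorded by the Mount Manager (value name
#    "\DosDevices\D:" exists only if the letter was ever assigned to a volume).
$mounted = Get-ItemProperty -Path 'HKLM:\SYSTEM\MountedDevices' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty "\DosDevices\$dev" -ErrorAction SilentlyContinue

# 6. Explorer's per-user memory of letters it has seen (subkey is the bare letter).
$mp2 = Test-Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\$Letter"

# Report: "(none)" in every row means no component of Windows in this session
# can resolve the letter, so a path under it in an alert came from the agent's
# own records, not from a filesystem it could rescan or write to.
[pscustomobject]@{
    Letter             = $dev
    Win32_LogicalDisk  = if ($vol) { "DriveType=$($vol.DriveType) Label='$($vol.VolumeName)'" } else { '(none)' }
    PSDrive            = if ($psd) { $psd.Root } else { '(none)' }
    MappedNetworkDrive = if ($map) { $map.ProviderName } else { '(none)' }
    QueryDosDevice     = if ($target) { $target } else { '(not defined in this session)' }
    MountedDevicesKey  = [bool]$mounted
    MountPoints2Key    = $mp2
    RootIsReachable    = Test-Path -LiteralPath $root
}
```

Save it as, say, `Trace-DriveLetter.ps1` and run `.\Trace-DriveLetter.ps1 -Letter D` from an elevated prompt. One caveat when reading the result: DOS device names are partly per logon session, so a letter defined by a service in another session (such as an AV service) can come back as "not defined" from a user's shell even though it exists for that service; rerun the script from a SYSTEM shell (for example `psexec -s powershell.exe`) to cover the service context before concluding the letter exists nowhere on the box.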
Kenny Riley (ASKER)

Thanks MASQ -- I know you're only trying to help, but if I seriously have to sift through a 400-page PDF on deploying some third-party add-on just to empty a quarantine, then my time would be better spent just uninstalling this trash and installing something like Bit Defender :)
ASKER CERTIFIED SOLUTION
Kenny Riley