Removing viruses and security risks
You remediate risks as part of handling virus and spyware attacks on your computers.
You use the Reports and Monitors features in the console to determine what computers are infected and to view the results of remediation.
Step 1: Identify infected and at-risk computers
You can get information about infected and at-risk computers from Symantec Endpoint Protection Manager. On the Home page, check the Newly Infected and the Still Infected counts in the Virus and Risks Activity Summary. The Newly Infected count is a subset of the Still Infected count. The Newly Infected count shows the number of infected and at-risk computers during the time interval that you specify in the summary.
Unremediated SONAR detections are not counted as Still Infected. They are part of the Suspicious count in the summary.
Computers are considered still infected if a subsequent scan detects them as infected. For example, a scheduled scan might partially clean a file. Auto-Protect subsequently detects the file as a risk.
Files that are considered "still infected" are rescanned when new definitions arrive or as soon as the client computer is idle.
Step 2: Update definitions and rescan
You should make sure that clients use the latest definitions.
For legacy clients that run on Windows computers, you should also make sure that your scheduled and on-demand scans use the Insight Lookup feature. As of 14, scheduled and on-demand scans always use Insight Lookup.
You can check the definitions date in the Infected and At Risk Computers report. You can run the Update Content and Scan command from the Risk log.
When the Virus and Risks Activity Summary on the Home page shows that the Still Infected and the Newly Infected counts are zero, all risks are eliminated.
Step 3: Check scan actions and rescan
Scans might be configured to leave the risk alone. You might want to edit the Virus and Spyware Protection policy and change the action for the risk category. The next time the scan runs, Symantec Endpoint Protection applies the new action.
You set the action on the Actions tab for the particular scan type (administrator-defined or on-demand scan, or Auto-Protect). You can also change the detection action for Download Insight and SONAR.
Step 4: Restart computers if necessary to complete remediation
Computers may still be at risk or infected because they need to be restarted to finish the remediation of a virus or security risk.
You can view the Risk log to determine if any computers require a restart.
You can run a command from the Computer Status log to restart computers.
Step 5: Investigate and clean remaining risks
If any risks remain, you should investigate them further.
You can check the Symantec Security Response webpage for up-to-date information about viruses and security risks.
On the client computer, you can also access the Security Response website from the scan results dialog box.
You can also run Power Eraser from Symantec Endpoint Protection Manager to analyze and remediate difficult, persistent threats. Power Eraser is an aggressive analysis that you should run on one computer or a small number of computers only when the computers are unstable or heavily infected.
Symantec Technical Support also offers a Threat Expert tool that quickly provides detailed analysis of threats. You can also run a load point analysis tool that can help you troubleshoot problems. You run these tools directly on the client computer.
Step 6: Check the Computer Status log
View the Computer Status log to make sure that risks are remediated or removed from client computers.