Tasks to perform when you need to run Power Eraser from the
Symantec Endpoint Protection Manager
console

Typically you need to run a Power Eraser analysis when the Risk log shows a failed repair and recommends that you run Power Eraser. You also might run Power Eraser when a computer becomes unstable and appears to have malware or a virus that cannot be removed.
Use Power Eraser carefully. The analysis is aggressive and prone to false positives.
For more information, see:
You can run Power Eraser from
Symantec Endpoint Protection Manager
on Windows client computers only.
Power Eraser runs in one of two modes: without rootkit detection or with rootkit detection. The rootkit detection analysis requires a restart. The administrator must have restart privileges to run Power Eraser with rootkit detection.
Tasks to perform when you need to run Power Eraser from the
Symantec Endpoint Protection Manager
console
Task
Description
Set administrator privileges to run Power Eraser
To run Power Eraser on client computers, administrators must have the following command access rights:
  • Start Power Eraser Analysis
  • Restart Client Computers
    (required to run Power Eraser with rootkit detection)
For more information, see:
Set the log retention policy
The log retention setting affects how long the events are available for you to perform the Power Eraser remediate and restore actions. You can modify the log retention setting if you want more time to consider these actions. Alternately, you can run Power Eraser again to re-populate the logs.
The log retention setting is part of the miscellaneous options in the Virus and Spyware Protection policy. See:
Make sure that your clients have Internet connectivity
Your client computers require Internet access so that Power Eraser can use Symantec Insight reputation data to make decisions about potential threats.
Intermittent or non-existent Internet access means that Power Eraser cannot use Symantec Insight. Without Symantec Insight, Power Eraser makes fewer detections, and the detections it produces are more likely to be false positives.
Start a Power Eraser analysis on a client computer from
Symantec Endpoint Protection Manager
Choose whether to run Power Eraser in regular mode or rootkit mode.
You can issue the Power Eraser command from several places in
Symantec Endpoint Protection Manager
:
  • Clients
    page
  • Computer Status log
  • Risk log
A user on the client computer cannot run Power Eraser directly from the client user interface. Power Eraser is available as part of the SymDiag tool. However, if a client user runs the tool, the resulting logs that include Power Eraser detections are not sent to
Symantec Endpoint Protection Manager
.
For more information, see:
You can view the status of the command in the Computer Status log. You can filter the log so that only Power Eraser commands appear for ease of viewing.
After you run Power Eraser, you view the results in the Scan log or the Risk log. The Scan log shows whether or not scan results are pending.
Cancel a Power Eraser command or action on a client computer
To cancel the Power Eraser command, use the Command Status log.
You cannot cancel Power Eraser running in rootkit mode after the restart prompt appears on the client computer. After the restart, only the computer user can cancel Power Eraser if the Virus and Spyware Protection policy lets users cancel scans.
If you cancel the Power Eraser command, you also cancel any pending actions that are associated with any Power Eraser analysis, including any remediation or undo actions.
For more information, see:
View Power Eraser detections from the logs
You can view Power Eraser detections from the following logs in
Symantec Endpoint Protection Manager
:
  • Scan log
    The Scan log has a
    Scan type
    filter to display only Power Eraser results. The view also indicates whether or not scan results are pending. You can select
    Detections
    in the filtered view to display the
    Power Eraser Detections
    view.
  • Risk log
    The Risk log provides a similar filter for Power Eraser detections. However, the Risk log does not show whether or not scan results are pending.
  • Computer Status log
    The Computer Status log might include report icons in the
    Infected
    column. The event details icon links to a report that shows all current threats that cannot be remediated. The report includes log-only detections and unresolved detections. The report might recommend that you run Power Eraser on some computers.
    A Power Eraser icon links to a report that shows any Power Eraser detections on the computer that require administrator action.
    These icons also appear in the
    Health State
    column on the
    Clients
    page.
For more information, see:
Check for the notifications that recommend that you run Power Eraser on client computers
By default, the administrator receives a notification when a regular scan cannot repair an infection and Power Eraser is recommended. You can check for the
Power Eraser recommended
notification on the
Monitors > Notifications
page. See:
View Power Eraser detections on the
Command Status
page
You can access reports about Power Eraser detections on the
Command Status
page.
An event details icon appears in the
Completion Status
column. The icon links to a report that shows information about detections that were made by the
Start Power Eraser Analysis
command and any other scan command.
The command status details option gives you information about a particular scan. You can click on the event details icon to get information about a particular client computer. See:
View Power Eraser detections from the Clients tab
You can access reports about Power Eraser detections from the
Clients
tab on the
Clients
page.
Report icons appear in the
Health State
column if information is available. The event details icon links to a report that shows all current threats that cannot be remediated. The report includes any Power Eraser detections.
A Power Eraser icon links to a report that shows any Power Eraser detections on the computer that require administrator action.
The icons also appear in the Computer Status log.
For more information, see:
Remediate or restore Power Eraser detections from the Scan log or Risk log in
Symantec Endpoint Protection Manager
Unlike other
Symantec Endpoint Protection
scans, Power Eraser does not automatically remediate detected threats. Power Eraser analysis is aggressive and might detect many false positives. After you determine that the detection requires remediation, you must initiate a remediation manually.
You can also undo (restore) a Power Eraser detection that you remediated.
For more information, see: