What you should know before you run Power Eraser from the
Symantec Endpoint Protection Manager
console

Power Eraser provides aggressive scanning and analysis to help resolve issues with heavily infected Windows computers. Because Power Eraser analysis is aggressive, it sometimes flags the critical files that you might need. Power Eraser can produce more false positives than virus and spyware scans.
You should run Power Eraser only in emergency situations, such as when computers exhibit instability or have a persistent problem. Typically, you run Power Eraser on a single computer or small group of computers. You should not run other applications at the same time. In some cases, a regular scan event alerts you to run a Power Eraser analysis.
Differences between using Power Eraser from
Symantec Endpoint Protection Manager
or locally with the SymDiag tool
You can run Power Eraser remotely from the management console on your Windows clients.
Symantec Endpoint Protection
does not include an option to launch Power Eraser directly from the client. However, a user on the client computer can download the SymDiag tool and run Power Eraser from the tool.
  • If you use the SymDiag tool, Power Eraser detections do not appear in the
    Symantec Endpoint Protection Manager
    logs.
  • When you run Power Eraser from the console, Power Eraser does not examine the user-specific load points, registrations, and folders that the SymDiag tool examines.
Make sure that you do not run Power Eraser from the console and locally with the SymDiag tool at the same time. Otherwise, you might negatively affect the computer performance.
Power Eraser consumes a large amount of computer resources. Power Eraser files can also consume a large amount of space on the computer if you run Power Eraser on a computer multiple times. During each analysis, Power Eraser saves detection information in the files that it stores in the Symantec Endpoint Protection application folder. The files are purged when the client purges the logs.
How Power Eraser is different from virus and spyware scans
Power Eraser is different from regular scans in the following ways:
  • Unlike a full scan, Power Eraser does not scan every file on the computer. Power Eraser examines load points and load point disk locations as well as running processes and installed services.
  • Power Eraser detections do not appear in the Quarantine.
  • Power Eraser takes precedence over virus and spyware scans. When you run Power Eraser,
    Symantec Endpoint Protection
    cancels any virus and spyware scan in progress.
  • Power Eraser does not automatically remediate detections. You must review the detection list in the Scan log or Risk log and select an action from the log. You can choose to remove the detection or mark the detection as safe (leave alone). You can also restore (undo) a removed detection.
Power Eraser can run in regular mode or in rootkit mode. The rootkit mode requires a restart before the scan launches. Also, if you choose to remove any Power Eraser detection, the computer must be restarted for the remediation to complete.
Overview of the high-level steps that you perform when you need to run Power Eraser
You perform two high-level steps when you run Power Eraser from the console:
  • Start a Power Eraser analysis on one computer or a small group of computers. Power Eraser does not automatically remediate any detections because of the potential for false positives.
  • Use the Risk log or Scan log to review Power Eraser detections and manually request that Power Eraser remove any detections that you determine are threats. You can also acknowledge the detections that you want to ignore and leave alone.
Review the workflow for details about how to run Power Eraser from the console and how to make sure that you configure the console settings correctly. See:
Overview of the
Symantec Endpoint Protection Manager
policy settings that affect Power Eraser
The following are the policy settings that affect Power Eraser:
  • Scan settings for user interaction
    When you let users cancel any virus and spyware scan, you also let them cancel any Power Eraser analysis. However, users cannot pause or snooze Power Eraser. See:
  • Exceptions policy
    Power Eraser honors the following virus and spyware exceptions: file, folder, known risk, application, and trusted web domain. Power Eraser does not honor extension exceptions. See:
  • Log retention settings
    You can take action on Power Eraser detections as long as the detections appear in the logs. The logs are purged after the period of time that is specified in the Virus and Spyware Protection policy. By default, log events are available for 14 days. You can modify the log retention setting, or after the events expire, you can run another scan and re-populate the logs. See:
  • Restart options
    You can configure the restart settings specifically for rootkit analysis when you choose to run Power Eraser in rootkit detection mode. The administrator must have restart privileges. After you choose to remove a Power Eraser detection, the computer uses the group restart settings. Power Eraser does not use the rootkit restart settings to restart and complete a remediation. See:
  • Reputation queries
    Power Eraser uses the Symantec Insight server in the cloud when it scans and makes decisions about files. If you disable reputation queries, or if the client computer cannot connect to the Insight server, Power Eraser cannot use Symantec Insight. Without Symantec Insight, Power Eraser makes fewer detections, and the detections it makes are more likely to be false positives. Reputation queries are enabled when the
    Allow Insight lookups for threat detection
    option is enabled. The option is enabled by default. See:
  • Submissions
    Symantec Endpoint Protection
    sends the information about Power Eraser detections to Symantec when the
    Antivirus detections
    option is enabled. The option is enabled by default. See:
More information