Action field values for Endpoint Protection 14


Article ID: 151266


Products

Endpoint Protection

Issue/Introduction

You view information about virus detection or risk detection and you need to know what the entry in the "Action" field means.

Resolution

The following table describes the different values that can appear in the Action field in Symantec Endpoint Protection.

| Action | Description |
| --- | --- |
| Access denied | View events where the Auto-Protect portion of Symantec Endpoint Protection prevented a file from being created. |
| Action invalid | View events where the action that was taken was invalid. These risks may still be present on the computer. |
| All actions failed or failed to repair | View events where both the primary action and the secondary action that is configured for the risk cannot be carried out for some reason. |
| Bad | View events where scan engine failure occurred for an unspecified reason. These risks may still be present on the computer. |
| Cleaned | View events where the software cleaned a virus from the computer. |
| Cleaned by deletion | View events where the action configured was "clean," but a file was deleted because that was the only way to clean it. For example, this action is generally needed for Trojan horse programs. |
| Cleaned or macros deleted | View the events where a macro virus was cleaned from a file either by deletion or some other means. This action applies only to events that have been received from computers running Symantec AntiVirus 8.x or earlier versions. |
| Deleted or removed | View the events where the software deleted an object, such as a file or a registry key, to remove risk. |
| Excluded | View the events where users chose to exclude a security risk from detection. For example, this action can occur when a user is prompted for permission to terminate a process. |
| Left alone | Specifies the events where the risk was left alone. This action can occur if the first configured action is Leave alone. This action can also occur if the second configured action is Leave alone and the first configured action is not successful. This action may mean that risk is active on the computer. |
| No repair available | View the events where the risk was detected but no repair is available for the side effects of this risk. |
| No repair available - Power Eraser recommended for repair | View the events where a scan could not repair the side effects of certain detections. You should run Power Eraser on the computers where these events occur. After Power Eraser detects the threat, you must manually initiate the repair. |
| Partially repaired | View the events where Symantec Endpoint Protection cannot completely repair the effects of a virus or security risk. |
| Pending repair or Pending admin action | View the events where a user or administrator should take action to complete the remediation of a risk on a computer. For example, the Pending repair action might occur if a user hasn't responded to a prompt to terminate a process. Pending admin action occurs when Power Eraser requires the administrator to perform some action from the logs in the console. |
| Process terminated | View the events where a process had to be terminated on a computer to mitigate risk. |
| Process termination pending restart | View the events where a computer needs to be restarted to terminate a process to mitigate risk. |
| Quarantined | View the events where Symantec Endpoint Protection quarantined a virus or a security risk. |
| Restored | View the Power Eraser events that the administrator deleted but then chose to restore. |
| Suspicious | View the events where a SONAR scan detected a potential risk but has not remediated it, either because it cannot or because you have configured it to only log detections. |
| Threat blocked - Power Eraser recommended for repair | View the events where a scan detected and blocked a threat but did not remove or repair any files. You should run Power Eraser on the computers where these events occur. After Power Eraser detects the threat, you must manually initiate the repair. |
| Restart required - Quarantined | View the events that require a restart after scans quarantine risks. |
| Restart required - Cleaned | View the events that require the client computer to restart after scans clean the risks. |
| Left alone by Admin | View the Power Eraser events that the administrator reviewed but chose to leave alone and not remediate. Note that this event action is not sent to the client. The corresponding event on the client in the client log view continues to show the event action as "Pending analysis." |
| Moved Back | The detected file was manually moved from the quarantine folder to its original location. In certain scenarios, "Moved back" can indicate that the file was moved back to quarantine again after a cleaning failure. Typically, when new definitions arrive, the quarantine is rescanned for a possible fix or cleaning. If the fix or cleaning is not achieved, the file is moved back to quarantine again. |