This option is enabled by default. You can disable this option to allow scheduled scans to run as scheduled, even when a computer is running on batteries.

By default, user-defined scheduled scans always run at the scheduled time. This option can be particularly useful in the case of unmanaged client computers that do not use administrator-defined scheduled scans.

You can disable this option to prevent user-defined scheduled scans from running when the user who created the scan is not logged on. You may want to disable this option for multiuser computers.

Note! If this option is enabled and the user is logged off when the scan begins, the scan progress dialog box does not display. You can check scan status in this instance by looking in the System log.

On multiuser workstations, when this option is enabled, scan progress is displayed as follows:

• If no users are logged in, the scan progress dialog box does not appear, even if a user logs in during a scan.
• For the first user to log in, the scan progress dialog box does not appear during a scheduled scan that another user defined.
• For the first user to log in, the scan progress dialog box appears during a scheduled scan that this user defined. The scan progress dialog box does not appear if the user has not configured the scan to allow it.
• If an administrator-defined scheduled scan runs when no user is logged in, the scan progress dialog box does not appear . When a user logs in, the scan progress dialog box appears.

Users who are not logged in when their scan runs must look at the Scan Log to see the scan results.

You can disable startup scans on a global basis only. If you disable this option, you disable all startup scans, including any custom startup scans that users have configured.

This option is enabled by default. This option is only available when the Run startup scans when users logs on parameter is enabled.

By default, an Active Scan is run when new definitions arrive. If you disable this option, you weaken the protection available to your client computers. You should only disable this option if you have special configuration or exclusion needs that conflict with this automatically triggered scan.

This option is enabled by default.

Select one of the following:

• Do not show scan progress
• Show scan progress
• Show scan progress if risk detected

This option becomes available when you select Show Scan progress.

This option becomes available when you select Show Scan progress.

This option to delay a scan becomes available when you select Show Scan progress.

By default, Auto-Protect is enabled.

The following options are available:

• Scan all files

  Scans all files on the computer, regardless of type.

• Scan only selected extensions

  Scans only the files that have certain extensions. You can add more extensions for programs and documents, if you have the files that use the extensions that are not already in the list. You can also reset this option to its default value.

• Determine file types by examining file contents

  Scans a specific, configurable group of the file extensions that contain executable code, and all .exe and .doc files. The Symantec Endpoint Protection client reads each file's header to determine its file type. It scans .exe and .doc files even if a virus changes the file extensions for the .exe and the .doc files. This option is disabled by default.

You can add or remove file extensions to scan. Only the file extensions that you specify are scanned. The client does not scan any files that have extensions that are not in the list.

Note! If you want to exclude files or directories from scans, create a centralized exception. The exception applies to all antivirus and antispyware scans that you run.

• Scan for security risks

  This option is enabled by default.
  Note! This option has no effect on the computers that run earlier versions of the client.

• Block security risks from being installed
  
  • If Auto-Protect determines that it would not be harmful to a computer to block a security risk, then it blocks the risk.

• Network

  Enables or disables scanning on network drives

• Network Settings

  When scanning is enabled on network drives, Auto-Protect scans files when a client computer or a server accesses them from a server. When network scanning is enabled, you can also enable Auto-Protect to trust remote versions of Auto-Protect and to use a network cache.

Non-macro virus

Actions for viruses include the following:

• Clean risk (default first action): Tries to clean the infected file when a virus is found.
• Quarantine risk (default second action): Tries to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, a user on that client computer cannot run the file. The user must first specify an action for the file. For example, the user can specify that the client should clean the file and move the file back to its original location.
• Delete risk: Tries to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy. The file is permanently deleted and cannot be recovered from the Recycle Bin.
  • If the client cannot delete the file, detailed information about the action appears in the notification dialog box and the System log.
• Leave alone (log only): Denies the access to the file, displays a notification, and logs the event. Use this option to take manual control of how the client handles a virus.
  • You can specify an action for the risk in the Risk log.

• Adware
• Dialers
• Hack Tools
• Joke Programs
• Other (programs that might pose a security risk but do not fit into other security risk categories)
• Remote Access
• Spyware
• Trackware

• Configure the same actions to take for all security risks.
• Configure the same actions for a whole category of security risks.
• Configure individual security risk exceptions to the actions that you set for specific categories.

  You can configure a first action to take and a second action to take if the first action fails. Actions for security risks include the following:

• Quarantine risk (default first action): Tries to move any infected files to the Quarantine on the infected computer as soon as the security risk is detected or completes its installation. The client removes or repairs any side effects of the risk. Side effects might include additional registry keys, modified registry key values, additions to .ini or .bat files, or extra entries in hosts files. They might also include errors in a Layered Service Provider (LSP) system driver or the effects of a rootkit. You can restore the security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.
• Delete risk: Tries to delete security risk files. Use this option only if you can replace the files with a security risk-free backup copy. You cannot recover permanently deleted files from the Recycle Bin.

  Use this action with caution. The deletion of security risks can cause applications to lose functionality.

  If the client cannot delete files, detailed information about the actions appears in the notification dialog box and the System log.

• Leave alone (log only) (default second action): The risk is left alone and its detection is logged. Use this option to take manual control of how the client handles a security risk.

  You can specify an action for the risk in the Risk log.

  You can also lock exceptions so that users cannot create their own security risk exceptions for antivirus and antispyware scans.

  Note! In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec has determined that blocking the risk does not harm the computer, then by default the client blocks the risk. If the block action might make the computer unstable, the client waits after the application installation. The client then performs the configured action on the security risk.

By default, this option is enabled. The original virus-infected file is encrypted and then copied into the Quarantine directory. If you need, you can use this unrepaired backup file to return the file to its original, but infected state.

Note! If you disable this option, files that contain viruses are not backed up before repairs are tried.

This setting applies only to virus-infected files. For security risks, if the action you have configured is Delete risk, no backup files are created. If the action that you configure is Quarantine risk, the security risk files are always backed up, regardless of this setting.

If this option is enabled, the client automatically takes the necessary action without notifying users.

Note! Users are always notified when a restart is required. They are allowed to save data and close open applications or to opt out of the restart.

If this option is enabled, the client automatically takes the necessary action without notifying users.

Note! Users are always notified when a restart is required. They are allowed to save data and close open applications or to opt out of the restart.

You can modify the type of information that you want to appear in the notification .

This message variable is not used by default. To display this information, manually add this variable to the message.

• Computer starts: Loads Auto-Protect when the computer's operating system starts and unload it when the computer shuts down. This option can help protect against some viruses, such as Fun Love. If Auto-Protect detects a virus during shutdown, it places the infected file in a temporary Quarantine directory. Auto-Protect then detects the virus on startup and creates an alert notification.

  Note! If you disable Auto-Protect on a computer that has this option enabled, Auto-Protect still functions after each computer restart for a brief time. When the main Symantec Endpoint Protection client service starts, it disables Auto-Protect.

• Symantec Endpoint Protection starts: Loads Auto-Protect when the client starts.
• Check floppies when the computer shuts down: Configures the client to scan floppies when the computer shuts down.

• Wait until the computer is restarted: Stops and reloads Auto-Protect when the computer restarts.
• Stop and reload Auto-Protect: Stops and reloads Auto-Protect immediately.
• When Auto-Protect is disabled: You can re-enable Auto-Protect automatically after <number> number of minutes. Valid values range from 3 to 60.

  This option is useful if users need to disable Auto-Protect on occasion.

The following options are available:

• Scan all files

  Scans all files on the computer, regardless of type.

• Scan only selected extensions

  Scans only the files that have certain extensions. You can add more extensions for programs and documents, if you have the files that use the extensions that are not already in the list. You can also reset this option to its default value.

You can add or remove file extensions to scan. Only the file extensions that you specify are scanned. Auto-Protect does not scan files with unlisted extensions.

Note! If you want to exclude files or directories from scans, create a centralized exception. The exception applies to all antivirus and antispyware scans that you run.

The following options are available:

• Scan files inside compressed files

  Scans the files that act as containers for a file or group of files.

• Number of levels to expand if there are compressed files within compressed files

  When a file archive (such as Files.zip) is scanned, the individual files of the archive are also scanned. If the archive itself contains compressed files, you can specify how many levels deep you want the compressed files to be scanned.

  The default setting is three levels deep in a compressed file.

These types of compressed files may be included in virus scans:

• .ARJ archive files created by the ARJ* file compression software
• .ZIP files created by PKZip* and WinZip* file compression software
• .LZH files compressed by Haruyasu Yoshizaki's Lharc* software
• .EXE files created as self-extracting archives.
• Compressed files without an extension.

Non-macro virus

Actions for viruses include the following:

• Clean risk (default first action): Tries to clean the infected file when a virus is found.
• Quarantine risk (default second action): Tries to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, a user on that client computer cannot run the file. The user must first specify an action for the file. For example, the user can specify that the client should clean the file and move the file back to its original location.
• Delete risk: Tries to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy. The file is permanently deleted and cannot be recovered from the Recycle Bin
  • If Auto-Protect cannot delete the file, detailed information about the action appears in the notification dialog box and the System log.
• Leave alone (log only): Denies the access to the file, displays a notification, and logs the event. Use this option to take manual control of how Auto-Protect handles a virus.
  • When you are notified of a virus, open the Risk log, right-click the name of the file, and select one of the following actions: Clean (viruses only), Delete Permanently, or Move To Quarantine.

• Adware
• Dialers
• Hack Tools
• Joke Programs
• Other (programs that might pose a security risk but do not fit into other security risk categories)
• Remote Access
• Spyware
• Trackware

• Configure the same actions to take for all security risks.
• Configure the same actions for a whole category of security risks.
• Configure individual security risk exceptions to the actions that you set for specific categories.

  You can configure a first action to take and a second action to take if the first action fails. Actions for security risks include the following:

• Quarantine risk (default first action)

  Tries to move any infected files to the Quarantine on the infected computer as soon as the security risk is detected or completes its installation. Auto-Protect removes or repairs any side effects of the risk. Side effects might include additional registry keys, modified registry key values, additions to .ini or .bat files, or extra entries in hosts files. They might also include errors in a Layered Service Provider (LSP) system driver or the effects of a rootkit. You can restore the security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.

• Delete risk

  Tries to delete security risk files. Use this option only if you can replace the files with a security risk-free backup copy. You cannot recover permanently deleted files from the Recycle Bin.
  
  Use this action with caution. The deletion of security risks can cause applications to lose functionality.
  If the client cannot delete files, detailed information about the actions appears in the notification dialog box and the System log.

• Leave alone (log only) (default second action)

  The risk is left alone and its detection is logged. Use this option to take manual control of how Auto-Protect handles a security risk.
  You can use the logs in the management console to specify the action for the logged risk. Users on client computers can use the logs to specify the action as well.

  You can also lock exceptions so that users cannot create their own security risk exceptions for all antivirus and antispyware scans.

  Note! In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec has determined that blocking the risk does not harm the computer, then by default Auto-Protect blocks the risk. If the computer might enter an unstable state when Auto-Protect blocks the risk, Auto-Protect waits until the application installation is complete. Then Auto-Protect performs the configured action on the security risk.

The following option is available:

• Display a notification message on the infected computer

  When this option is enabled, you can modify the information that should appear when Auto-Protect finds a virus or a security risk.

The following options are available:

• Insert a warning into the email message: Adds an email warning to infected messages. Click Warning to change the text.
• Send email to the sender: Notifies the senders of infected messages in Internet email applications. You can click Sender to change the default text.
• Send email to others: Notifies the specified recipients of infected messages in email applications. You can click Others to change the default text.

The following options are available:

• Display a progress indicator when email is being sent
• Display notification area icon

This message variable is not used by default. To display this information, manually add this variable to the message.

• Incoming mail server (POP3
  • Auto-Protect scanning for Internet email uses the standard POP3 email ports by default. If you configure your network to use a different port, you must change the port setting here to match the port that you selected.
• Outgoing mail server (SMTP)
  • Auto-Protect scanning for Internet email uses the standard SMTP email ports by default. If you configure your network to use a different port, you must change the port setting here to match the port that you selected.
• Use Defaults
  • Returns the Incoming mail server (POP3) and Outgoing mail server (SMTP) port settings to their defaults.

• Allow encrypted POP3 connections

  Use this option to enable or disable POP3 messages that use encrypted connections. Auto-Protect does not scan any email that uses POP3 over the Secure Sockets Layer (SSL). Auto-Protect continues to protect computers from viruses and security risks in attachments.

• Allow encrypted SMTP connections

  Use this option to enable or disable the SMTP messages that use encrypted connections. Auto-Protect does not scan any email that uses SMTP over the Secure Sockets Layer (SSL). Auto-Protect continues to protect computers from viruses and security risks in attachments.

• Outbound worm heuristics: Use this option to scan outgoing messages for suspicious behavior.
• First action: Select an action to take when the scan detects suspicious behavior. You can choose to quarantine the threat, delete the threat, or to log the detection but take no action on the threat.
• If first action fails: Select an action to take when the scan cannot perform the first action on the detected threat. You can choose to delete the threat or to log the detection but take no action on the threat.

  Note! If you set the First action to Leave alone (log only), then this option is not available.

The following options are available:

• Scan all files

  Scans all files on the computer, regardless of type.

• Scan only selected extensions

  Scans only the files that have certain extensions. You can add more extensions for programs and documents, if you have the files that use the extensions that are not already in the list. You can also reset this option to its default value.

You can add or remove file extensions to scan. Only the file extensions that you specify are scanned. Auto-Protect does not scan files with unlisted extensions.

Note! If you want to exclude files or directories from scans, create a centralized exception. The exception applies to all antivirus and antispyware scans that you run.

The following options are available:

• Scan files inside compressed files

  Scans the files that act as containers for a file or group of files.

• Number of levels to expand if there are compressed files within compressed files

  When a file archive (such as Files.zip) is scanned, the individual files of the archive are also scanned. If the archive itself contains compressed files, you can specify how many levels deep you want the compressed files to be scanned.
  
  The default setting is three levels deep in a compressed file.

These types of compressed files may be included in virus scans:

• .ARJ archive files created by the ARJ* file compression software
• .ZIP files created by PKZip* and WinZip* file compression software
• .LZH files compressed by Haruyasu Yoshizaki's Lharc* software
• .EXE files created as self-extracting archives.
• Compressed files without an extension.

Non-macro virus

Actions for viruses include the following:

• Clean risk (default first action): Tries to clean the infected file when a virus is found.
• Quarantine risk (default second action): Tries to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, a user on that client computer cannot run the file. The user must first specify an action for the file. For example, the user can specify that the client should clean the file and move the file back to its original location.
• Delete risk: Tries to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy. The file is permanently deleted and cannot be recovered from the Recycle Bin
  • If Auto-Protect cannot delete the file, detailed information about the action appears in the notification dialog box and the System log.
• Leave alone (log only): Denies the access to the file, displays a notification, and logs the event. Use this option to take manual control of how Auto-Protect handles a virus
  • When you are notified of a virus, open the Risk log, right-click the name of the file, and select one of the following actions: Clean (viruses only), Delete Permanently, or Move To Quarantine.

• Adware
• Dialers
• Hack Tools
• Joke Programs
• Other (programs that might pose a security risk but do not fit into other security risk categories)
• Remote Access
• Spyware
• Trackware

• Configure the same actions to take for all security risks.
• Configure the same actions for a whole category of security risks.
• Configure individual security risk exceptions to the actions that you set for specific categories.

  You can configure a first action to take and a second action to take if the first action fails. Actions for security risks include the following:

• Quarantine risk (default first action)

  Tries to move any infected files to the Quarantine on the infected computer as soon as the security risk is detected or completes its installation. Auto-Protect removes or repairs any side effects of the risk. Side effects might include additional registry keys, modified registry key values, additions to .ini or .bat files, or extra entries in hosts files. They might also include errors in a Layered Service Provider (LSP) system driver or the effects of a rootkit. You can restore the security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.

• Delete risk

  Tries to delete security risk files. Use this option only if you can replace the files with a security risk-free backup copy. You cannot recover permanently deleted files from the Recycle Bin.
  
  Use this action with caution. The deletion of security risks can cause applications to lose functionality.
  
  If the client cannot delete files, detailed information about the actions appears in the notification dialog box and the System log.

• Leave alone (log only) (default second action)

  The risk is left alone and its detection is logged. Use this option to take manual control of how Auto-Protect handles a security risk.
  You can use the logs in the management console to specify the action for the logged risk. Users on client computers can use the logs to specify the action as well.

  You can also lock exceptions so that users cannot create their own security risk exceptions for all antivirus and antispyware scans.

  Note! In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec has determined that blocking the risk does not harm the computer, then by default Auto-Protect blocks the risk. If the computer might enter an unstable state when Auto-Protect blocks the risk, Auto-Protect waits until the application installation is complete. Then Auto-Protect performs the configured action on the security risk.

Enables or disables the display of a notification message on an infected computer when Auto-Protect finds a security risk.

When this option is enabled, you can modify the type of information that you want to appear on the affected computer.

• Insert a warning into the email message

  Adds an email warning to an infected message. You can click Warning to change the default text.

• Send email to sender

  Notifies the senders of infected messages in Internet email applications. You can click Sender to change the default text.

• Send email to others

  Notifies the specified recipients of infected messages in email applications. You can click Others to change the default text and to specify recipients.

This message variable is not used by default. To display this information, manually add this variable to the message.

The following options are available:

• Scan all files

  Scans all files on the computer, regardless of type.

• Scan only selected extensions

  Scans only the files that have certain extensions. You can add more extensions for programs and documents, if you have the files that use the extensions that are not already in the list. You can also reset this option to its default value.

  Note! If you want to exclude files or directories from scans, create a centralized exception. The exception applies to all antivirus and antispyware scans that you run.

You can add or remove file extensions to scan. Only the file extensions that you specify are scanned. Auto-Protect does not scan files with unlisted extensions.

Note! If you want to exclude files or directories from scans, create a centralized exception. The exception applies to all antivirus and antispyware scans that you run.

The following options are available:

• Scan files inside compressed files

  Scans the files that act as containers for a file or group of files.

• Number of levels to expand if there are compressed files within compressed files

  When a file archive (such as Files.zip) is scanned, the individual files of the archive are also scanned. If the archive itself contains compressed files, you can specify how many levels deep you want the compressed files to be scanned.
  
  The default setting is three levels deep in a compressed file.

These types of compressed files may be included in virus scans:

• .ARJ archive files created by the ARJ* file compression software
• .ZIP files created by PKZip* and WinZip* file compression software
• .LZH files compressed by Haruyasu Yoshizaki's Lharc* software
• .EXE files created as self-extracting archives.
• Compressed files without an extension.

Non-macro virus

Actions for viruses include the following:

• Clean risk (default first action): Tries to clean the infected file when a virus is found.
• Quarantine risk (default second action): Tries to move the infected file to the Quarantine on the infected computer as soon as it is detected. After an infected file is moved to the Quarantine, a user on that client computer cannot run the file. The user must first specify an action for the file. For example, the user can specify that the client should clean the file and move the file back to its original location.
• Delete risk: Tries to delete the file. Use this option only if you can replace the infected file with a virus-free backup copy. The file is permanently deleted and cannot be recovered from the Recycle Bin
  • If Auto-Protect cannot delete the file, detailed information about the action appears in the notification dialog box and the System log.
• Leave alone (log only): Denies the access to the file, displays a notification, and logs the event. Use this option to take manual control of how Auto-Protect handles a virus
  • When you are notified of a virus, open the Risk log, right-click the name of the file, and select one of the following actions: Clean (viruses only), Delete Permanently, or Move To Quarantine.

• Adware
• Dialers
• Hack Tools
• Joke Programs
• Other (programs that might pose a security risk but do not fit into other security risk categories)
• Remote Access
• Spyware
• Trackware

• Configure the same actions to take for all security risks.
• Configure the same actions for a whole category of security risks.
• Configure individual security risk exceptions to the actions that you set for specific categories.

  You can configure a first action to take and a second action to take if the first action fails. Actions for security risks include the following:

• Quarantine risk (default first action)

  Tries to move any infected files to the Quarantine on the infected computer as soon as the security risk is detected or completes its installation. Auto-Protect removes or repairs any side effects of the risk. Side effects might include additional registry keys, modified registry key values, additions to .ini or .bat files, or extra entries in hosts files. They might also include errors in a Layered Service Provider (LSP) system driver or the effects of a rootkit. You can restore the security risk items that are quarantined to their original state on the system. In some instances, you might need to restart the computer to complete the removal or repair.

• Delete risk

  Tries to delete security risk files. Use this option only if you can replace the files with a security risk-free backup copy. You cannot recover permanently deleted files from the Recycle Bin.

  Use this action with caution. The deletion of security risks can cause applications to lose functionality.
  
  If the client cannot delete files, detailed information about the actions appears in the notification dialog box and the System log.

• Leave alone (log only) (default second action)

  The risk is left alone and its detection is logged. Use this option to take manual control of how Auto-Protect handles a security risk.
  You can use the logs in the management console to specify the action for the logged risk. Users on client computers can use the logs to specify the action as well.
  You can also lock exceptions so that users cannot create their own security risk exceptions for all antivirus and antispyware scans.

  Note! In some instances, you might unknowingly install an application that includes a security risk such as adware or spyware. If Symantec has determined that blocking the risk does not harm the computer, then by default Auto-Protect blocks the risk. If the computer might enter an unstable state when Auto-Protect blocks the risk, Auto-Protect waits until the application installation is complete. Then Auto-Protect performs the configured action on the security risk.

Enables or disables the display of a notification message on an infected computer when Auto-Protect finds a security risk.

When this option is enabled, you can modify the type of information that you want to appear on the affected computer.

• Insert a warning into the email message

  Adds an email warning to an infected message. You can click Warning to change the default text.

• Send email to sender

  Notifies the senders of infected messages in Internet email applications. You can click Sender to change the default text.

• Send email to others

  Notifies the specified recipients of infected messages in email applications. You can click Others to change the default text and to specify recipients.

This message variable is not used by default. To display this information, manually add this variable to the message.

Specifies whether or not proactive threat scans detect processes that behave like Trojan horses and worms (default is enabled)

When this option is enabled, the following options are available:

• Use defaults defined by Symantec
  
  • Symantec recommends using this option to minimize false positive detections. When proactive threat scans detect key loggers, the scan engine determines the action that the client takes on the process. If the Symantec Endpoint Protection client suspects that the Trojan horse or worm is malicious, the process is quarantined. If not, the client only logs an event.
• When a trojan or worm is detected within the sensitivity threshold
  
  • If you uncheck Use defaults defined by Symantec, you can specify the type of action the client takes when a Trojan horse or worm is detected: Log, Quarantine, or Terminate. This action is applied every time a proactive threat scan detects a Trojan horse or worm.
• Sensitivity
  
  • Symantec detemines the default sensitivity. If you uncheck Use defaults defined by Symantec, you can move the slider to increase or decrease the sensitivity.

Specifies whether or not proactive threat scans detect processes that behave like key loggers (default is enabled)

When this option is enabled, the following options are available:

• Use defaults defined by Symantec

  Symantec recommends using this option to minimize false positive detections. When proactive threat scans detect key loggers, the scan engine determines the type of action the client takes on the process. If the client software suspects the keylogger is malicious, the client quarantines the process. If not, the client only logs an event.

• When a keylogger is detected within the sensitivity threshold

  If you uncheck Use defaults defined by Symantec, you can specify the type of action that the client takes when it detects a key logger: Log, Quarantine, or Terminate. The client applies this action every time a proactive threat scan detects a key logger.

• Sensitivity

  Symantec determines the default sensitivity. If you uncheck Use defaults defined by Symantec, you can select Low or High.

The following options are available:

• When a commercial keylogger is detected
• When a commercial remote control is detected

You can specify the type of action taken: Log, Quarantine, Terminate, or Ignore.

If notifications are enabled, the user can right-click the name of the risk, and select one of the following actions: Terminate or Move To Quarantine.

Note! If Use defaults defined by Symantec is enabled, detections with this action only appear in a notification message if the scan engine recommends remediating the risk.

The user can also use the entry in the proactive threat log to specify the type of remediation action to take on each individual detection.

The client removes or repairs any side effects of the process.

The repairs might include any of the following:

• Delete registry keys that were added.
• Revert registry keys that were changed.
• Delete additions to .ini or .bat files.
• Delete entries in hosts files.
• Repair a Layered Service Provider (LSP) system driver.
• Repair the effects of a rootkit.

Users can use the proactive threat log or the notification message to restore quarantined items. If you restore a process, the process does not automatically restart. You must manually restart it.

Use this action with caution, because in some cases, terminating processes can cause applications to lose functionality.

If the client cannot terminate a process, detailed information about the termination attempt appears in the notification message and the proactive threat log.

Users can use the proactive threat log or the notification message to move terminated items to the Quarantine.

This action is only available for commercial application detections. When the client applies this action, it does not log the detection.

When the detections dialog box appears on the client computer, the user can specify additional remediation actions for the detections.

When the prompt appears on the client computer, the user can decide to terminate the process or not.

When the prompt appears on the client computer, the user can decide to stop the process or not.

By default, this option is enabled.

When this option is enabled, the following options are available:

• Scan new processes immediately

  Scans new processes soon after the client detects them.
  
  When the client detects a new process, it initiates a proactive threat scan of all running processes.

• Scan protected processes every

  Scans all processes at the specified frequency.
  
  The default is 1 hour.

Select one of the following options:

• Automatically repair and restore files in Quarantine silently
  • If the new definitions include repairs for quarantined files, the Symantec Endpoint Protection client repairs the files. The client also restores the files to their previous location without notifying the user.
• Repair files in Quarantine silently without restoring
  • If the new definitions include a repair for quarantined files, the client repairs the files but does not restore them to their previous location.
• Prompt user
  • The user is prompted to decide whether or not to try to repair quarantined files.
• Do nothing
  • The client does not try to repair quarantined files.

You can select the default folder or browse to any other folder that you want to use.

The maximum is 30 days.

The default is 50 MB.

• Allow client computers to submit processes detected by TruScan proactive threat scans (default is enabled): Specifies whether or not client computers submit information about processes detected by proactive threat scans. This information may help Symantec address new threats.
• Percentage of client computers allowed to submit (default is 100): The percentage of the computers that are allowed to submit information about processes to Symantec.

• Allow client computers to submit threat detection rates (default is enabled): Specifies whether or not client computers submit information about detection rates to Symantec. Detection rates for Auto-Protect and manual scans can help Symantec Security Response determine what virus definitions are no longer needed.
• Percentage of client computers allowed to submit (default is 100): The percentage of the computers that are allowed to submit information about detection rates to Symantec.

• Allow client computers to manually submit quarantined items to Symantec Security Response (default is enabled): Specifies whether or not users of client computers can manually submit quarantined items to Symantec Security Response.
• Allow client computers to automatically submit quarantined items to a Quarantine Server (default is disabled): Specifies whether or not client computers automatically submit quarantined items to a central Quarantine Server.

  When this option is enabled, you can configure the following information for the Quarantine Server:

• Server name

  The server name should match the server name that is configured for the Central Quarantine Server.

• Port

  The port number should match the port number that is configured for the Central Quarantine Server. By default, this option is 33.

• Retry

  By default, this option is 600 seconds.

Select one of the following:

• Never
  • Never disable WSC. Leave it completely alone. This setting is the default value.
• Once
  • Disable WSC only one time. If a user re-enables it, the client does not disable it again.
• Always
  • Always disable WSC. If a user re-enables it, it is disabled again immediately.
• Restore if disabled
  • Re-enable WSC only if the client disabled it.

Note! Symantec product status is always available in Symantec Endpoint Protection, regardless of whether WSC is enabled or disabled.

Select one of the following:

• Enable

  WSC displays these alerts in the notification area.

• Disable

  WSC does not display these alerts on the notification area.

• Use existing setting

  WSC uses the existing setting for displaying these alerts.

Specifies the number of days that definitions are allowed to be out of date.

The value must be in the range from 1 to 30. The default value is 29 days.

The client checks every 15 minutes to compare the out-of-date time, the date of the definitions, and the current date. Typically, no out-of-date status is reported to WSC because definitions are usually updated automatically. If you update definitions manually, you might wait up to 15 minutes to view an accurate status.

The client uses this URL when it repairs the risk.

You can click the lock icon to prevent users from changing the home page to be used when repairing side effects after a browser hijacking.

The default password is symantec. You can change the password by clicking Change Password and setting the password.

The following possibilities are included:

• All antivirus and antispyware events
• Scanning and infection events
• Virus definition events
• Management and configuration events
• Startup and shutdown events
• Licensing events
• Security related events

The option does not affect any events that the clients send to the management console. You can use the option to reduce the actual log size on the client computers.

Antivirus-related events are aggregated before they are sent to the event log to keep the number of events manageable. After the events are sent, aggregation starts again.

You can specify the number of days. The notification message appears when definitions are out of date by more than the specified number of days.

You can specify the number of attempts to update definitions, and then customize the warning message that appears on the client computer.

The error messages appear when users encounter the errors that are related to the system, licensing, installation, and Antivirus and Antispyware Protection.

In client control mode, error messages do not appear.

You can include the following types of URLs (uniform resource locations) in the error messages:

• Display the URL to a Symantec Technical Support Knowledge Base article

  Displays a link to redirect users to a Knowledge Base article about a specific error that users see. If an article does not exist, a prompt appears enabling users to send an email message to online technical support or phone support.

• Display a custom URL

  Displays a link to a customized Web site with alternative text and support information for the specific error that users see.