Symantec Endpoint Protection detected risks while you were logged out

Article ID: 151572

Products

Endpoint Protection

Issue/Introduction

If I log out of Windows and then log in again, why do I get a pop-up that reads, "Symantec Endpoint Protection detected Risks while you were logged out..."?

"Symantec Endpoint Protection detected Risks while you were logged out. You may need to open the AntiVirus and Antispyware Protection Risk Log to view and take action on the risks."

Cause

  • A scheduled scan may have run while the user was not logged in and detected threats. 
     
  • AutoProtect may have detected a risk. For example, while the user was logged out, the machine may have been accessed by an administrator or another user via remote administration tools (RDP, etc.). Note that disabling AutoProtect notifications does not disable this pop-up.
     
  • AntiVirus definitions may have been updated while the user was logged off. After definition updates, DWHWizrd.exe (DefWatch Wizard) scans items in quarantine to determine if they can be repaired. If items are in quarantine, this will also cause the pop-up and may cause additional confusion because it does not create new risk log entries. Note that the DefWatch Wizard scan of Quarantine items is separate from the DefWatch Quickscan, and disabling the DefWatch Quickscan will not prevent the DefWatch Wizard scan.
     

Resolution

This behavior has been modified in Symantec Endpoint Protection 12 Release Update 1 (RU1) Maintenance Patch 1 (MP1) so that this pop-up appears only for administrative users.  Additional changes were made in Symantec Endpoint Protection 12.1.4. For information on how to obtain the latest build of Symantec Endpoint Protection, read TECH103088: Obtaining an upgrade or update for Symantec Endpoint Protection or Symantec Network Access Control.

When you see the pop-up, you should check Endpoint Protection logs to determine if AutoProtect or a scheduled scan detected threats while the user was logged off, and take action as necessary. Note that you must do this under an Administrative user account in order to see all logs. Administrative or System scan results, for example, will not be visible to limited users. If there are no threats logged, then the pop-up was caused by the DefWatch Wizard scan after a definition update.

To disable the DefWatch Wizard scan

If you want to leave this pop-up enabled, but prevent its display after definitions have been updated when no one is logged on, disable the DefWatch Wizard's scan of items in quarantine. To do this, edit the policy in the Endpoint Protection Manager: under Antivirus and Antispyware policy -> Quarantine settings, set "When New Virus Definitions Arrive" to "Do nothing." On SEP Small Business Edition, or on unmanaged clients, this setting is not available in the GUI and you must set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\DefWatchMode=3 (REG_DWORD).

DefWatchMode
Value  Action
0      Automatically repair and restore files in Quarantine silently
1      Repair the files in Quarantine silently without restoring
2      Prompt user
3      Do nothing

There have been reports that this pop-up still appears when the DefWatch Wizard scan is disabled and no threats are logged. These reports are being investigated by Symantec and this article will be updated as necessary.
 

To disable the pop-up entirely

This pop-up may be disabled entirely in Symantec Endpoint Protection 11 RU5. In those versions, the pop-up is controlled by the following registry value on the client:

HKLM\Software\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\General\NotificationWhenLoggedOff
(DWORD: 1=enabled, 0=disabled)

Managed clients can be configured in Endpoint Protection Manager policy: under Antivirus and AntiSpyware policy -> Administrator-Defined Scans -> Advanced, uncheck the checkbox "Display notifications about detections when the user logs on".

On Endpoint Protection Manager 12.x and 14.x, go to Endpoint Protection Manager policy > Virus and Spyware Protection policy > Advanced Options > Global Scan Options and uncheck the checkbox "Display notifications about detections when the user logs on".
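
To check which of the settings described above are in effect on a client, the following added example (not Symantec's code) reads the DefWatchMode and NotificationWhenLoggedOff registry values and reports what they mean according to this article. It is read-only; the function name is hypothetical, and checking both the 64-bit and 32-bit registry views is an assumption.

```powershell
# Added example: read-only report; it changes nothing on the client.
# Key paths and value meanings come from the article. Checking both registry
# views is an assumption (32-bit install on 64-bit Windows). Needs PowerShell 3+.
$DefWatchActions = @{
    0 = 'Automatically repair and restore files in Quarantine silently'
    1 = 'Repair the files in Quarantine silently without restoring'
    2 = 'Prompt user'
    3 = 'Do nothing'
}
$AvKey = 'SOFTWARE\Symantec\Symantec Endpoint Protection\AV'

function Get-SepLogoffPopupSetting {   # hypothetical helper name
    foreach ($view in 'Registry64', 'Registry32') {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine,
            [Microsoft.Win32.RegistryView]$view)
        $q = $hklm.OpenSubKey("$AvKey\Quarantine")
        $g = $hklm.OpenSubKey("$AvKey\AdministratorOnly\General")
        try {
            # OpenSubKey returns $null for a missing key, GetValue for a missing value
            $mode   = if ($q) { $q.GetValue('DefWatchMode') }
            $notify = if ($g) { $g.GetValue('NotificationWhenLoggedOff') }

            $action = 'not set'
            if ($null -ne $mode) {
                $action = $DefWatchActions[[int]$mode]
                if (-not $action) { $action = 'value not listed in the article' }
            }
            $popup = 'not set'
            if ($notify -eq 1) { $popup = 'enabled' } elseif ($notify -eq 0) { $popup = 'disabled' }

            [pscustomobject]@{
                RegistryView              = $view
                DefWatchMode              = $mode
                DefWatchAction            = $action
                NotificationWhenLoggedOff = $notify
                LogoffPopup               = $popup
            }
        } finally {
            foreach ($k in $q, $g, $hklm) { if ($k) { $k.Close() } }
        }
    }
}

Get-SepLogoffPopupSetting | Format-List
```

A client that reports LogoffPopup as disabled will not announce detections made while the user was logged off, so the Risk Log on that machine has to be reviewed directly.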