On a computer infected with a threat, there is no installed Symantec Endpoint Protection (SEP) client. Alternately, the installed client has been damaged and the threat needs to be removed to allow the computer to return safely to the network and normal usage. What tips are available to clean the computer?
Symptoms
If installed, the AntiVirus program fails to start, generates errors, completes its scan too quickly for the size of the drive, or otherwise finds no issue with the computer.
A threat specifically targeting AntiVirus applications may be preventing fully functional scans.
Running the SymDiag diagnostic tool with Threat Analysis Scan (TAS) will enable users to identify and remove malicious files. (This capability is sometimes called Power Eraser.) No SEP client needs to be installed for this tool to function. For additional details, please see Identify suspicious files with the Threat Analysis Scan in SymDiag. Illustrations are available in the Connect article Using Today's SymDiag to Combat Today's Threats. SymDiag is the easiest-to-use, most effective tool for these situations.
There are two additional methods of removing malicious code from the drive, if the above are unsuccessful:
Physically moving the hard drive to another system
NOTE: If the drive in question is in a laptop, is in a RAID array or is otherwise unable to be removed from the computer hosting it, please follow the steps below labeled "Mapping the drive and scanning across an isolated network connection."
When performing this task, you will need to have available a known, clean computer with SEP installed with the latest Certified or Rapid Release virus definitions. The computer will also need a drive bay with all necessary power and controller cables to hold the hard drive. This system must also be isolated from your network entirely to avoid the potential for spreading the threat.
Information on obtaining the current Certified and Rapid Release virus definitions can be found in Update Endpoint Protection definitions with Intelligent Updater.
Mapping the drive and scanning across an isolated network connection
NOTE: Use this method if you are unable to physically move the hard drive from the infected computer to a known, clean, isolated computer with SEP installed with current virus definitions.
When performing this task, you will need to have available a known, clean computer with SEP installed with the latest Certified virus definitions or the latest Rapid Release virus definitions. This system must also be isolated from your network to avoid the potential for spreading the threat. The two systems should only be attached via a switch, dumb hub, or crossover cable. There should be no unnecessary external devices attached via USB or other means. Also ensure that the two systems are truly isolated from your production network. If available, any wireless NIC should also be disabled on both systems via the Device Manager.
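The isolation checks and drive mapping described above, as an added PowerShell example that is not part of this article and not Symantec's own tooling. It runs in an elevated session on the known-clean scanning system: it disables wireless adapters, refuses to continue if more than one adapter is up or a default gateway exists, lists attached USB devices, maps the infected system's drive, and hands it to the SEP scanner. The infected system's address on the isolated link, the share name, the SEP install path and the DoScan.exe switch are assumptions; the article itself only says to scan the mapped drive with the SEP client.

```powershell
# Added example (not from the Symantec article). Run elevated on the CLEAN, isolated SEP system.
# Assumed values: the infected system's static IP on the crossover/hub link, the share name,
# and the SEP command-line scanner path and switch. Adjust them for your environment.

$InfectedHost = '192.168.250.10'   # assumption: static IP assigned to the infected system on the isolated link
$ShareName    = 'c$'               # assumption: administrative share of the drive to be scanned
$MapLetter    = 'X'                # drive letter the infected drive will appear under on this system

# 1. Disable every wireless adapter, as the article recommends doing in Device Manager.
Get-NetAdapter | Where-Object { $_.PhysicalMediaType -match '802\.11|Wireless' } | ForEach-Object {
    Write-Host "Disabling wireless adapter $($_.Name)"
    Disable-NetAdapter -Name $_.Name -Confirm:$false
}

# 2. Exactly one adapter (the isolated wired link) may be up; anything else means the box is not isolated.
$up = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($up.Count -ne 1) {
    throw "Expected exactly one active adapter on the isolated link, found $($up.Count): $($up.Name -join ', ')"
}

# 3. A default route is a path to the production network; refuse to continue if one exists.
$gw = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
if ($gw) {
    throw "Default gateway present ($($gw.NextHop -join ', ')); this system is not isolated from the production network"
}

# 4. Show attached USB devices so unnecessary external devices can be unplugged before scanning.
Get-PnpDevice -Class USB -Status OK | Select-Object FriendlyName, InstanceId | Format-Table -AutoSize

# 5. Map the infected system's drive with an account local to that system.
#    -Persist makes the mapping a real Windows drive letter so that the scanner process can see it.
$cred = Get-Credential -Message "Local account on $InfectedHost"
New-PSDrive -Name $MapLetter -PSProvider FileSystem -Root "\\$InfectedHost\$ShareName" `
            -Credential $cred -Persist -Scope Global -ErrorAction Stop | Out-Null

# 6. Scan the mapped drive with SEP. The DoScan.exe path and the /ScanDir switch are assumptions
#    about the SEP command-line scanner; if they do not match your version, start a manual scan
#    of the mapped drive from the SEP client interface instead.
$doScan = Join-Path ${env:ProgramFiles(x86)} 'Symantec\Symantec Endpoint Protection\DoScan.exe'
if (Test-Path $doScan) {
    & $doScan /ScanDir "${MapLetter}:\"
} else {
    Write-Warning "DoScan.exe not found at $doScan; run a manual scan of ${MapLetter}:\ from the SEP client"
}

# 7. Drop the mapping once the scan has completed so the infected drive is not left attached.
Remove-PSDrive -Name $MapLetter -Force
```

The checks in steps 2 and 3 are the point of the script: a second active adapter or a default gateway is the usual way an "isolated" scanning system turns out to still reach the production network, and stopping before the drive is mapped is cheaper than discovering that afterwards.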
If the infected computer is still operable when cleaned, remove the damaged version of the SEP client and perform a clean reinstall.
To obtain information on the current Certified and Rapid Release virus definitions, see Update Endpoint Protection definitions with Intelligent Updater.