search cancel

Cleaning an infected system which lacks a functioning Symantec Endpoint Protection client

book

Article ID: 151581

calendar_today

Updated On:

Products

Endpoint Protection

Issue/Introduction

On a computer infected with a threat, there is no installed Symantec Endpoint Protection (SEP) client. Alternately, the installed client has been damaged and the threat needs to be removed to allow the computer to returned safely to the network and normal usage. What tips are available to clean the computer?
 

Symptoms

If installed, the AntiVirus program fails to start, generates errors, completes its scan too quickly for the size of the drive, or otherwise finds no issue with the computer.

 

 

Cause

A threat specifically targeting AntiVirus applications may be preventing fully functional scans.

Resolution

Running the SymDiag diagnostic tool with Threat Analysis Scan (TAS) will enable users to identify and remove malicious files. (This capability is sometimes called Power Eraser.)  No SEP client needs to be installed for this tool to function.  For additional details, please see Identify suspicious files with the Threat Analysis Scan in SymDiag. Illustrations are available in the Connect article Using Today's SymDiag to Combat Today's Threats. SymDiag is the easiest-to-use, most effective tool for these situations.

There are two additional methods of removing malicious code from the drive, if the above are unsuccessful:

 

  • Physically moving the hard drive to another system
  • Mapping the drive and scanning across an isolated network connection


Physically moving the hard drive to another system

NOTE: If the drive in question is in a laptop, is in a RAID array or is otherwise unable to be removed from the computer hosting it, please follow the steps below labeled "Mapping the drive and scanning across an isolated network connection."

When performing this task, you will need to have available a known, clean computer with SEP installed with the latest Certified or Rapid Release virus definitions.  The computer will also need a drive bay with all necessary power and controller cables to hold the hard drive. This system must also be isolated from your network entirely to avoid the potential for spreading the threat.
 

  1. Remove the hard drive from the system with the threat and install it to the clean system as a slave drive (Please consult your hard drive and/or motherboard/drive controller card documentation for proper steps to accomplish this).
  2. Boot the system and launch SEP and perform a full scan of the drive to remove any threats that are found.
  3. Once the drive has been verified as clean, you may return it to the original computer and attach that machine to the network.


Information on obtaining the current Certified and Rapid Release virus definitions can be found in Update Endpoint Protection definitions with Intelligent Updater.

Mapping the drive and scanning across an isolated network connection

NOTE: Use this method if you are unable to physically move the hard drive from the infected computer to a known, clean, isolated computer with SEP installed with current virus definitions.

When performing this task, you will need to have available a known, clean computer with SEP installed with the latest Certified virus definitions, or latest Rapid Release virus definitions This system must also be isolated from your network to avoid the potential for spreading the threat. The two systems should only be attached via a switch, dumb hub, or crossover cable. There should be no unnecessary external devices attached via USB or other means. Also insure that the two systems are truly isolated from your production network. If available, any wireless NIC should also be disabled on both systems via the Device Manager.

  1. Map to the C:\ partition of the infected computer from the clean system running the current revision of SEP.
  2. On the clean system, scan the mapped drive by clicking on the mapped volume in Network Neighborhood and selecting "Scan for Viruses..."
  3. When scanning, SEP will detect, quarantine or delete all threats found.
  4. When the mapped drive is verified as clean, you may restore the default sharing on the computer that was scanned and return it to the network.


If the infected computer is still operable when cleaned, remove the damaged version of the SEP client and perform a clean reinstall.

To obtain information on the current Certified and Rapid Release virus definitions, see Update Endpoint Protection definitions with Intelligent Updater.