A computer is showing symptoms of possible infection, but the Symantec Endpoint Protection (SEP) client is not detecting any malicious files.

Learn how to respond to possible security risks, outbreaks, or infections on a computer by collecting logs and taking other actions.

Perform a full system scan

If a computer is suspected of being infected, download the latest Rapid Release definitions and apply them to the computer.

Applying Rapid Release Definitions

Perform a full system scan on the machine with the latest Rapid Release definitions.  Check the logs after to see if any threats have been detected.  Also review the logs for SONAR and IPS detections.

Run SymDiag

If nothing has is detected, run a SymDiag diagnostic with Threat Analysis Scan (TAS) to see if any suspicious files are found.  The SymDiag tool generates a .sdbz file of several important logs and reports. It is the recommended tool to collect logs from computers that are potentially infected.  For details please see Identify suspicious files with the Threat Analysis Scan in SymDiag.

Submit suspicious files

If there are suspicious files identified by the tool, Submit suspicious files to Symantec Security Response.  (Do not send any suspicious files directly to Symantec Technical Support via email or any other method.)  

After that is done, the computer should be isolated from the network if possible to prevent the spread of any potential infection.  Keep the system isolated until the files have been examined and any new definitions against any confirmed threats are released.

For further information see Virus removal and troubleshooting on a network.