What is the meaning of each “Action taken” criteria in the Symantec Endpoint Protection Manager (SEPM) event notifications?


Article ID: 155972


Updated On:


Endpoint Protection


This document explains the meaning of each “Action taken” criteria that can be selected for Event notifications in the Symantec Endpoint Protection Manager (SEPM).

The options are described in the table below:



It also explains how they correlate with each other and with the parameters of the AntiVirus and AntiSpyware policy.



  Action Taken Description
1 Access Denied Symantec Endpoint Protection (SEP) prevented a malware from accessing a file.
2 Action Invalid

The configured action could not be taken. For example, "quarantine" is the defined action,

but the file is also blocked from being written, then it cannot be quarantined.

3 All actions failed None of the actions configured in the policies were successful.
4 Cleaned

The infected file was successfully cleaned from the existing risk as per action setup in the


5 Cleaned by deletion

Action setup was Clean but the file contained nothing but malicious code, so it was

completely deleted.

6 Cleaned or macros deleted

This applies to files containing Macros. Either the malicious code was cleaned or the full

Macros were deleted.

7 Deleted The risk was successfully deteled as per action setup in the policy.
8 Excluded The file was excluded from scanning by the SEP as part of the “Reboot Pending” action (to prevent continuous redetections).
9 Left alone The risk was left alone as per action setup in the policy.
10 No repair available The file couldn’t be repaired as there was no remediation code available.
11 Partially repaired Only part of the repair was completed.
12 Pending repair Repair is pending. For instance, the machine (PC) might need to be rebooted.
13 Process terminated A process which has been identified as a risk, has been successfully terminated.
14 Process terminated pending restart Same as above, but a restart is required for the action to be completed.
15 Quarantined The risk was successfully quarantined as per action setup in the policy.
16 Suspicious

Proactive Threat Protection has detected a risk, but it is set to "Log only". In this case, the

notification will display the risk as suspicious.


Here are some Best Practices / Recommendations regarding setting up Notifications:

Monitoring your environment as a whole

Remember that the environment needs to be monitored as a whole. It may be that monitoring a reoccurring infection is required, say to check whether there is a blended threat. Blended threats cause some computers to constantly have to take action on detected risks, because one other undetected risk is spreading malware throughout the network.
In this scenario, it's useful to be notified about successful actions taken as well as actions that have failed.

If you are looking to avoid excessive number of notifications / redundant information.

Using the damper period can be a way to avoid an excessive number of notifications within a short period of time. Whilst setting up an "outbreak" type of notification, it's also possible to control how many reoccurrences would have to happen within a chosen number of minutes, before being notified.

For an overview of what’s happening, this type of setting can be applied on a notification that includes "all" possible results on actions taken.  Simultaneously, a notification can be setup using the criteria "all actions failed". This helps to keep the focus on situations that might need a quicker action from the administrator.

See also KB articles below:

Security Response Recommendations for Symantec Endpoint Protection Settings.

Security Response Recommendations for Symantec Endpoint Protection 12.1 settings