About "Active" Threats in Symantec Mobile Security 7.2

Article ID: 158107

Products

Mobile Security

Issue/Introduction

What does it mean if an Android device is shown as having an "Active" threat in the Symantec Management Console for Symantec Mobile Security 7.2 (SMS 7.2)? How often are the "True" and "False" values set for whether or not a detected threat is "active"?

When viewing Threat Details or the information about threats detected on an individual Android device, there is a listing for whether the threat is "Active."

  • "True" means that the threat has not been removed from the Android client.
  • "False" indicates that the threat has been successfully removed.

Note that the information displayed in the Symantec Management Console (SMC) is not updated in real time. The update depends on the Android client's configured frequency of Inventory communications.

Resolution

When an Android device communicates with the Symantec Management Platform (SMP) and updates its Inventory and event logs, the exchange includes information about whether or not the device has an active infection.

For Android devices with long scheduled check-in periods configured, there may be significant lag between what is displayed in the SMC and the actual state of the device. Administrators may send a "Request Device Information" command to an Android device. If Google Cloud Messaging (GCM) is in use, the device should soon receive this command, send its current inventory and logs, and be displayed correctly in the console.

To refresh the active status of app threats more quickly, change the communications policy and set the “Device check in frequency for inventory” to a shorter time.

Starting with the Symantec™ Mobile Security 7.2 MR1 hotfix 2 release (7.2.0.149), the event log is uploaded to the server immediately (if a network connection is available) as soon as a threat is removed or an anti-malware scan completes. This is intended to update the "active" status on the management console as swiftly as possible.

Should an Android device's status go out of sync with what is displayed in the SMC (for example, a threat that has long been cleaned still appears in the SMC as "True"), unenroll the device and re-enroll it to the SMP. More information can be found in "About Unenrolling Symantec Mobile Security 7.2 Android Clients."