Symantec Endpoint Protection detection results indicate that the action taken on a threat was Log Only for a threat located on a network drive

Article ID: 158669

Products

Endpoint Protection

Issue/Introduction

Network Scanning is enabled, and the Primary and Secondary actions that the client should take when it encounters a threat are configured to options other than Log Only. When the client attempts to act on the threat, however, the action actually taken is Log Only.

From WPP logs:

ccEraserLibStatic : 07a4 : 0f70 : TRACE_DEBUG : TRACE_LEVEL_ERROR : ccEraser::CRemediationActionImpl::Remediate : RemediationAction_cpp441 :RemediateOnReboot failed, res=1016

Error 1016 means “FileStillPresent”.

Cause

When a remediation action must be performed on a remote location AND a reboot is required to perform that action, the Eraser Engine returns a “FileStillPresent” error to the client. This is because, if the network shared drive is not available during remediation after the reboot, the file cannot be remediated successfully. This applies only to certain threats that are flagged to behave in this way, typically those related to File Infectors and Generic Signatures that cover a broad swath of detections for a particular threat family.
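To confirm this cause when triaging a Log Only detection, the trace text can be searched for failed reboot remediations and their result codes. The following is an added example, not Symantec code: the field names, the helper names and every sample line except the first (which is the trace quoted above) are assumptions made for illustration.

```python
import re

# Result codes the article names; anything else is reported as "unknown".
RESULT_NAMES = {1016: "FileStillPresent"}

# Field names are assumptions; the article does not say what the two hex
# columns mean, so they are kept as opaque ids.
FIELDS = ("component", "id_a", "id_b", "flags", "level",
          "function", "source", "message")

FAILURE = re.compile(r"RemediateOnReboot failed, res=(\d+)")

# Constructed sample: line 1 is the trace quoted in the article, the
# remaining lines are made up to exercise the parser.
SAMPLE_LOG = """\
ccEraserLibStatic : 07a4 : 0f70 : TRACE_DEBUG : TRACE_LEVEL_ERROR : ccEraser::CRemediationActionImpl::Remediate : RemediationAction_cpp441 :RemediateOnReboot failed, res=1016
ccEraserLibStatic : 07a4 : 0f70 : TRACE_DEBUG : TRACE_LEVEL_INFO : ccEraser::Example::Scan : Example_cpp10 :scan started
ccEraserLibStatic : 07a4 : 0f74 : TRACE_DEBUG : TRACE_LEVEL_ERROR : ccEraser::CRemediationActionImpl::Remediate : RemediationAction_cpp441 :RemediateOnReboot failed, res=9999
not a trace line
"""


def parse_trace(line):
    """Split one trace line into named fields, or return None."""
    # Separators are a colon preceded by whitespace, so the "::" inside
    # C++ function names is left intact.
    parts = re.split(r"\s+:\s*", line.strip(), maxsplit=len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def reboot_remediation_failures(text):
    """Return every failed reboot-remediation record with its result name."""
    hits = []
    for line in text.splitlines():
        record = parse_trace(line)
        match = FAILURE.search(record["message"]) if record else None
        if match:
            code = int(match.group(1))
            record["result"] = code
            record["result_name"] = RESULT_NAMES.get(code, "unknown")
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in reboot_remediation_failures(SAMPLE_LOG):
        print(hit["level"], hit["function"], hit["result"], hit["result_name"])
```

A record with result 1016 from `RemediateOnReboot`, on a detection whose file sits on a network drive, matches the cause described above; other result codes are outside what this article covers.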

Resolution

Please submit a sample of the threat to Symantec Security Response and open a case with Symantec Technical Support for further assistance. The threat in question needs to be analyzed further so that it can be correctly and completely categorized under the proper threat signature.

How to Use the Web Submission Process to Submit Suspicious Files