search cancel

Identify suspicious files with the Threat Analysis Scan in SymDiag


Article ID: 159016


Updated On:


Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption Gateway Email Encryption Mail Security for Microsoft Exchange Endpoint Protection Data Loss Prevention Endpoint Prevent Data Loss Prevention Enforce Data Loss Prevention Network Protect Cloud Workload Protection Endpoint Protection Cloud Endpoint Protection Small Business Edition (Cloud)


Learn how to use the Threat Analysis Scan in SymDiag to determine which files on a computer may be malware.

This is helpful when you suspect or have evidence that malware is on a computer, but anti-malware software is not able to remediate it.


Run a Threat Analysis Scan

  1. Download SymDiag to your desktop.
  2. From your desktop, double-click SymDiag to launch the application.
  3. Accept the End User License Agreement (EULA).
  4. On the Home page, under Scans > Threat Analysis, click Start Scan.

  5. In the Threat Analysis Scan window, click Next.
    The scan begins.

    Note: If a connection to the Symantec Reputation database cannot be established, a link to a proxy configuration will appear  You can run a scan without connectivity to the Symantec Reputation database; however, not all of the features available in the Threat Analysis Scan will be available. To learn more, see About the Threat Analysis Scan in SymDiag.

Review the Threat Analysis Scan results

If you run the scan with access to the Symantec Reputation database

Once the scan is complete, you will see a list of potential risks requiring further investigation.

Options include:

  • Copying files to one or more zip containers in preparation for submission to the Symantec Security Response online submission website.
  • Removing files.
  • Filtering the files.
  • Examining data collected about the files.

Note: Unless otherwise instructed—if you are working with Symantec Support—do not remove any suspicious files unless you have copied the files into a zip container. Symantec Support may request that you submit suspicious files to the proper website so that they can be analyzed by Symantec Security Response.

WARNING: Do not send any suspicious files directly to a Symantec support agent, even if they are zipped and password-protected.

If you run the scan without access to the Symantec Reputation database (or you are working directly with Symantec Support)

  1. In the upper right corner, click the Save Report tab.

  2. Under File Information, click Browse.
  3. Navigate to a folder on your computer where you want to save the report.
  4. Click Save. SymDiag saves the file with the extension .sdbz.

Note: This file does not contain any copies of suspicious files, so it is safe to send directly to Symantec Support.

To complete a scan initially performed without access to the Symantec Reputation database

When you run a scan without connectivity to the Symantec Reputation database, Symantec recommends that you run SymDiag on a computer with access to the Internet to complete the scan.

  1. Copy the saved report with the .sdbz extension to another computer with Internet access.
  2. Open SymDiag on the computer with Internet access.
  3. Click File > Open Report.
  4. Open the saved report with the .sdbz extension.
  5. Click the Threat Analysis tab.
  6. Click Complete Report.

  7. Review the Threat Analysis Scan results and take the appropriate action as described earlier in this article.

For more information about SymDiag, see Download SymDiag to detect Symantec product issues.