Some Infected files are left alone by Endpoint Protection for Mac

Article ID: 163649

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) for Mac may detect many files as infected, but the logged action is "Left alone" even though "Auto quarantine" is enabled.

Examples:

  • A user mounts a DMG file and attempts to install from it or copy files from it to the local filesystem. SEP Auto-Protect prevents this action from taking place, but leaves the infected DMG file alone. Additionally, directly scanning the DMG file may not result in a detection.
  • Windows risks in EXE files may be detected but "Left alone".

Environment

SEP for Mac

Cause

This behavior is by design. Many computer file formats are archival types (e.g. compressed files, client email stores, database files, etc.), and the threats detected may actually be items within the archive. SEP cannot safely delete or quarantine individual items in some archival formats, so it leaves such files alone rather than taking the riskier action of deleting or quarantining the entire archive. A manual scan of an archive may not detect any threat because the format is proprietary and can only be scanned when mounted or opened by the supporting operating system or application.

Threats that are specific to other operating systems may also be left alone, since the threat detected does not affect Mac OS and it may be riskier to delete a file that another operating system may depend upon.

Resolution

It is recommended that "Left alone" instances be examined on a case-by-case basis and deleted manually only after careful consideration.