If I log out and then log in to Windows, why do I get a pop-up that reads, "Symantec Endpoint Protection detected Risks while you were logged out..."
"Symantec Endpoint Protection detected Risks while you were logged out. You may need to open the AntiVirus and Antispyware Protection Risk Log to view and take action on the risks."
This behavior has been modified in Symantec Endpoint Protection 12 Release Update 1 (RU1) Maintenance Patch 1 (MP1) so that this pop-up appears only for administrative users. Additional changes were made in Symantec Endpoint Protection 12.1.4. For information on how to obtain the latest build of Symantec Endpoint Protection, read TECH103088: Obtaining an upgrade or update for Symantec Endpoint Protection or Symantec Network Access Control.
When you see the pop-up, you should check Endpoint Protection logs to determine if AutoProtect or a scheduled scan detected threats while the user was logged off, and take action as necessary. Note that you must do this under an Administrative user account in order to see all logs. Administrative or System scan results, for example, will not be visible to limited users. If there are no threats logged, then the pop-up was caused by the DefWatch Wizard scan after a definition update.
To disable the DefWatch Wizard scan
If you want to leave this pop-up enabled, but prevent its display after definitions have been updated when no one is logged on, disabled the DefWatch Wizard's scan of items in quarantine. This can be done by editing policy in the Endpoint Protection Manager: Antivirus and Antispyware policy->Quarantine settings, and set "When New Virus Definitions Arrive" to "Do nothing." On SEP Small Business Edition, or on unmanaged clients, this setting is not available in the GUI and you must set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\DefWatchMode=3 (REG_DWORD).
0 Automatically repair and restore files in Quarantine silently
1 Repair the files in Quarantine silently without restoring
2 Prompt user
3 Do nothing
There have been reports that this pop-up still appears when the DefWatch Wizard scan is disabled and no threats are logged. These reports are being investigated by Symantec and this article will be updated as necessary.
To disable the pop-up entirely
This pop-up may be disabled entirely in Symantec Endpoint Protection 11 RU5. In those versions, the pop-up is controlled by the following registry value on the client:
HKLM\Software\Symantec\Symantec Endpoint Protection\AV\AdministratorOnly\General\NotificationWhenLoggedOff
(DWORD: 1=enabled, 0=disabled)
Managed clients can be configured by using the checkbox in Endpoint Protection Manager policy: Antivirus and AntiSpyware policy->Administrator-Defined Scans ->Advanced, uncheck the checkbox "Display notifications about detections when the user logs on".
On Endpoint Protection Manager 12.x and 14.x, the checkbox in Endpoint Protection Manager policy > Virus and Spyware Protection policy > Advanced Options > Global Scan Options, uncheck the checkbox "Display notifications about detections when the user logs on".