Endpoint Protection

  • 1.  Clean and clean by deletion

    Posted Jan 21, 2013 03:06 AM

    Hi Symantec support


    We test with EICAR.com event
    In the Auto-Protect policy, we select Clean risk as the first action and Leave alone as the second action.
    In the risk log, we found the Action is Cleaned by deletion and Status is deleted and current location is deleted.
    May we know why the result is cleaned by deletion instead of clean?
    Refer to KB http://www.symantec.com/business/support/index?page=content&id=TECH102052
    For example, this action is generally needed for Trojan horse programs. 

    In our case, it is not Trojan horse programs.

    On a file sharing server, do you recommend selecting the action as "Leave alone" only if the Clean action will delete the file in some cases?



  • 2.  RE: Clean and clean by deletion

    Broadcom Employee
    Posted Jan 21, 2013 03:11 AM

    Set to Quarantine/Delete as per best practice.

    http://www.symantec.com/business/support/index?page=content&id=TECH122943

     



  • 3.  RE: Clean and clean by deletion

    Posted Jan 21, 2013 03:31 AM

    But we don't want any deletion actions; we want to clean the virus.



  • 4.  RE: Clean and clean by deletion

    Posted Jan 21, 2013 03:31 AM

     

    Hi,

    Check this thread (check Rafeeq's and Vikram's comments):

    https://www-secure.symantec.com/connect/forums/what-does-cleaned-deletion-mean



  • 5.  RE: Clean and clean by deletion

    Posted Jan 21, 2013 03:33 AM

    Some clarifications to that:

    http://www.symantec.com/docs/TECH102052



  • 6.  RE: Clean and clean by deletion

    Broadcom Employee
    Posted Jan 21, 2013 04:11 AM

    Specifies the events where the action configured was Clean, but a file was deleted because that was the only way it can be cleaned. For example, this action is generally needed for Trojan horse programs.

    Based on the article you have posted.



  • 7.  RE: Clean and clean by deletion

    Trusted Advisor
    Posted Jan 21, 2013 08:17 AM

    Hello,

    Could you have the First Action as "Leave Alone (log only)" and check what happens?

    In your case, the First Action is "Clean Risk", and when Symantec detects this threat and cannot clean it, it "Cleans by Deletion".

    Cleaned by Deletion - Specifies the events where the action configured was Clean, but a file was deleted because that was the only way it can be cleaned. For example, this action is generally needed for Trojan horse programs.

    The example above is for general cases.

    Check this Article:

    Explanation of Action field values in Symantec Endpoint Protection 12.1 and 11, and Symantec AntiVirus 10.1

    http://www.symantec.com/docs/TECH102052

    Hope that helps!!



  • 8.  RE: Clean and clean by deletion

    Posted Jan 21, 2013 03:27 PM

    "Cleaning" only works when an otherwise good file is infected with malicious code; the malicious code is removed and the original file is restored (in most circumstances). If a threat is nothing but malicious code, there is nothing to clean, so instead, it is deleted.

    sandra