Endpoint Protection

  • 1.  Clear Still infected status from Database

    Posted Dec 19, 2011 02:05 PM

    I am trying to figure out where in the database the still infected status flag is set. Currently I have a script that can check for devices still infected and automatically create the Help Desk ticket to clean the virus. Now I need to find out how to clear this status, so when the ticket is closed the still infected status is cleared.

     

     I was able to find the still infected devices, using the inventorycurrentrisk & inventorycurrentvirus tables to create the tickets, but when I change the deleted from 0 to 1 it does not clear the still infected status in the console. Any help on finding out how to clear this flag via the database would be greatly appreciated.



  • 2.  RE: Clear Still infected status from Database

    Broadcom Employee
    Posted Dec 20, 2011 12:27 AM

    I searched using the remediation with the DB schema; you will have a lot of tables which say infected, hence it would be difficult to know the exact field.

    I would suggest having this done from the SEPM 11.X console. SEPM 12 does not have clear "still infected" status.



  • 3.  RE: Clear Still infected status from Database
    Best Answer

    Broadcom Employee
    Posted Dec 20, 2011 01:08 AM

    Hi,

    The following steps are applicable in SEP 11.x:

    Log in to the console

    Monitors --> Logs --> Select log type, Computer status --> Click on view logs --> It will give you list of infected computer status --> Select all & click on clear infected status

    Screenshot is attached for your reference.

    I hope it will help you!!



  • 4.  RE: Clear Still infected status from Database

    Trusted Advisor
    Posted Dec 20, 2011 05:21 AM

    Hello,

    In your case, you may need the SEP 11 Schema.

    Symantec Endpoint Protection 11.0 Database Schema

    http://www.symantec.com/docs/TECH102544

    Latest Symantec™ Endpoint Protection Manager RU7 MP1 Database Schema Reference

     

    And then also, check these articles:

    1) Sweeping SEPM log data from the database manually.

    http://www.symantec.com/docs/TECH105351

    2) How to clear an erroneous "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

    http://www.symantec.com/business/support/index?page=content&id=TECH102954

    3) How to delete Quarantined items from the Symantec Endpoint Protection Manager.

    http://www.symantec.com/business/support/index?page=content&id=TECH106444

     

    Hope this helps!!!



  • 5.  RE: Clear Still infected status from Database

    Posted Dec 20, 2011 02:30 PM

    I already knew how to clear the status from the console, and I have gone through the database schema with a fine-tooth comb and could not find the location the console pulls this info from. I guess the answer is no one knows.

    This brings up another question: does anyone know how to force the computer to initiate a cleaned status to the server?



  • 6.  RE: Clear Still infected status from Database

    Posted Dec 20, 2011 03:09 PM

    Finally found it. Dug down into the PHP files, wasn't easy. You can clear this status by changing the value of infected in the SEM_Agent table. Hope this helps you all; it will me.



  • 7.  RE: Clear Still infected status from Database

    Posted Dec 27, 2011 11:53 PM

    To clear the "Still Infected" status:

    1. Choose Monitors from the left hand panel, and click on the Logs tab.
    2. For Log Type, choose Computer Status.
    3. Choose the appropriate time range, then choose View Log.
    4. On the report that is generated, select any item that has a red diamond in the first column that has been verified as cleaned.
    5. Click Clear Infected Status.


  • 8.  RE: Clear Still infected status from Database

    Posted Dec 28, 2011 05:52 AM

    Thumbs up to Chetan's explanation. Follow the same.



  • 9.  RE: Clear Still infected status from Database

    Posted Dec 28, 2011 02:27 PM

    I guess I didn't explain myself very well or the explanation was not being read. I was trying to clear the infected status via the database and not the console. I did find where this is located.

    So for all those that do work outside the console, here is where it is located. You can clear the infected status by changing the value of infected in the SEM_Agent table.
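
The ticket-close step described in this thread, sketched as an added example (not code from any poster or from Symantec): it clears the flag for a single agent inside one transaction and records the previous value against the closing ticket, so every change made outside the console stays traceable. An in-memory SQLite database stands in for the SEPM database; the `COMPUTER_ID` key column, the use of `0` as the cleared value, and the `CLEAR_AUDIT` table are assumptions made for illustration.

```python
import sqlite3
from datetime import datetime, timezone


def make_demo_db():
    """Constructed stand-in for the SEPM database (in-memory SQLite)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE SEM_AGENT (COMPUTER_ID TEXT PRIMARY KEY, INFECTED INTEGER);
        -- Hypothetical audit table, not part of the product schema.
        CREATE TABLE CLEAR_AUDIT (COMPUTER_ID TEXT, TICKET_ID TEXT,
                                  OLD_VALUE INTEGER, CLEARED_AT TEXT);
        INSERT INTO SEM_AGENT VALUES ('PC-001', 1), ('PC-002', 0);
    """)
    return db


def clear_infected(db, computer_id, ticket_id):
    """Clear the infected flag for one agent once its ticket is closed.

    Returns True if the flag was cleared, False if the agent was not flagged.
    Raises LookupError if no row exists for the agent.
    """
    with db:  # single transaction: commit on success, roll back on error
        row = db.execute(
            "SELECT INFECTED FROM SEM_AGENT WHERE COMPUTER_ID = ?",
            (computer_id,)).fetchone()
        if row is None:
            raise LookupError(f"no agent row for {computer_id!r}")
        if row[0] == 0:  # assumption: 0 means "not infected"
            return False
        cur = db.execute(
            "UPDATE SEM_AGENT SET INFECTED = 0 "
            "WHERE COMPUTER_ID = ? AND INFECTED = ?", (computer_id, row[0]))
        if cur.rowcount != 1:  # never touch more than the one agent
            raise RuntimeError("expected exactly one row to change")
        db.execute(
            "INSERT INTO CLEAR_AUDIT VALUES (?, ?, ?, ?)",
            (computer_id, ticket_id, row[0],
             datetime.now(timezone.utc).isoformat()))
        return True
```

Against a real server the same statements would go through that database's own driver, with the key column checked against the schema reference linked earlier in the thread.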