Clean infected machine?

  • 15 March 2012
  • 6 replies

I'm getting an alert
"1 Endpoint needs attention We recommend you check whether this endpoint has automatic remediation enabled on the assigned policy."
I've checked the settings and I see nothing called "Automatic remediation". 
I've tried running another scan and it still just says it's infected. I've also tried using the cleanup command but that doesn't work either. If I click on the actual threat, the only option is "Create override". What am I supposed to do? So far it's not very straightforward. Where is the clean command? How can I make sure it's been quarantined?

Best answer by pcman 21 March 2012, 01:34


6 replies

I would recommend contacting the Enterprise Support team and they should be able to get you up and running again.
Contacting Webroot Enterprise Support
Hi Robert,
Welcome to the Webroot Community!
The settings to have the client automatically remove or quarantine files that are infected are controlled by the Policies that you create via the Management Console. For detailed information on Policies and the various settings you can control, please see section 7 in the SecureAnywhere Endpoint Protection Administrator Guide.
The Administrator Guide contains a wealth of information about how to configure the Endpoints and how to make sure that infections are removed or quarantined.
Please read through this guide and if there are still some aspects that you do not understand, please submit a Support Ticket via the link below.
Create a Support Ticket for SecureAnywhere Endpoint Protection
Thanks for the responses.  I was hoping for more specific settings to check.  I've looked at the policies and found
Automatically remove threats found during background scans - on
Automatically remove threats found on the learning scan - off
Behavior Shield
Automatically perform the recommended action instead of showing warning messages - off
There are a few possibilities here.
1. If you have "Never reboot during malware cleanup" turned on in your policy settings then it's possible that a reboot is required to complete the cleanup process. This means that the infection is still there when the endpoint scans until the next reboot. Triggering a reboot of the endpoint and making sure it scans on reboot might resolve the issue (if the agent is pending a reboot during cleanup it should automatically scan again after the reboot).
2. If this option to never reboot is not enabled then the agent will still prompt the user to reboot if a reboot is needed to remove the malware - it is possible that the end user has not yet clicked on OK to reboot when SecureAnywhere displayed the message to the user (which is the default setting).
3. If cleanup has completed and a reboot has occurred and SecureAnywhere still detects malware (especially if it's the same malware) it is possible that there is another malicious file on the computer that SecureAnywhere does not detect, and so upon removing the 'known' malware the 'unknown' malware might drop it again, recreating the infection. In this scenario it is recommended that you contact customer support so that they can investigate and identify any unknown malware and ensure that detection for that is added so that cleanup can be successful.
In either case if you are still unable to remediate the infection I recommend you contact our support team and they will be more than happy to help you resolve the issue.
Thanks for the reply. I ended up changing this setting to ON: "Automatically remove threats found on the learning scan". I'm not sure if I should leave it enabled or not.
I also rebooted and eventually the machine is showing as clean, so I'm not sure what did it, rebooting and waiting a while or changing that setting above to ON.
The learning scan is the first scan that occurs when you first install SecureAnywhere. By enabling "Automatically remove threats found on the learning scan" this means that if any infections are found when you initially roll out SecureAnywhere the cleanup process will start (although it still might require a reboot depending on the type of infection found).
The default for this option is off to allow people to 'evaluate' the infections in their environment upon first rolling out SecureAnywhere. You have to consider that the computer is already infected; the damage is done, so to speak, and so it might be a good idea to analyze the overall threat status of your machines to see if there is a common reason why all the computers were infected to begin with (perhaps all the machines that were already infected when you rolled out SecureAnywhere did not have the latest Windows Updates) - it is simply a best practice option, but by all means if you want to remediate infections immediately upon rolling out SecureAnywhere then enabling "Automatically remove threats found on the learning scan" will do the trick.
Considering that the status appears to be green / protected after the reboot, this suggests that a reboot was required to complete the cleanup process and explains why all the scans that occurred before the reboot would still have reported the infection.
There are policy options to automatically reboot during cleanup however this can be frustrating for end users if they are in the middle of something which is why it is disabled by default.
Thanks for letting us know that you resolved the issue. This, along with our tips, should hopefully provide guidelines for others who encounter a similar scenario.