INFO: Explanation of Action field values in Symantec Endpoint Protection logs

From Symantec KB article: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006112010562148

The following table describes the different values that can appear in the Action field in Symantec Endpoint Protection and Symantec AntiVirus 10.1.

| Action | Description |
|---|---|
| Quarantined | Symantec Endpoint Protection quarantined a file. |
| Deleted | Symantec Endpoint Protection deleted an object, such as a file or registry key, to remove a risk. |
| Backed Up | Symantec Endpoint Protection placed an item into quarantine before a repair attempt. |
| Left Alone | Symantec Endpoint Protection detected a risk but did not take action. This can occur if the first configured action is Leave alone, or if the second configured action was Leave alone and the first configured action was not successful. This may mean that a risk is active on the endpoint. |
| Cleaned | Specifies the events where the software cleaned a virus from the computer. |
| Cleaned (or Macro Deleted) | Specifies the events where a macro virus was cleaned from a file, either by deletion or by some other means. This action applies only to events received from computers that run Symantec Endpoint Protection 8.x or earlier versions. |
| Undone | The action taken on the specified risk has been undone at the user's request. |
| Bad | Symantec Endpoint Protection could not take action on a file because the file is write-protected or because the SYSTEM account lacks write permissions to the file. |
| Pending Repair | Specifies the events where a user still needs to take action to complete the remediation of a risk on a computer. For example, this action may occur if a user hasn't responded to a prompt to terminate a process. |
| Partially Repaired | Specifies the events where Symantec Endpoint Protection cannot completely repair the effects of a virus or security risk. |
| Process Termination pending restart | Specifies the events where a computer needs to be restarted to terminate a process to mitigate a risk. |
| Excluded | Specifies the events where users chose to exclude a security risk from detection. |
| Restart processing | The user must restart the computer so that Symantec Endpoint Protection can complete the configured action. |
| Cleaned by Deletion | Specifies the events where the configured action was Clean, but the file was deleted because that was the only way it could be cleaned. For example, this action is generally needed for Trojan horse programs. |
| Access Denied | Specifies the events where Auto-Protect prevented a file from being created. |
| Process Terminated | Specifies the events where a process had to be terminated on a computer to mitigate a risk. |
| No repair available | Specifies the events where a risk was detected but no repair is available for the side effects of this risk. |
| All actions failed | Specifies the events where neither the primary action nor the secondary action configured for the risk could be carried out. These risks are still present on the computer. |
| Suspicious | Specifies the events where a TruScan Proactive Threat Scan detected a potential risk but has not remediated it. Symantec Endpoint Protection did not remediate the risk either because it cannot or because you have configured it to only log detections. |
| Details Pending | Details are not yet available about this action. |
| Detected using commercial application list | A process listed on the commercial application list (CAL) was detected, and an action was taken on it based on your configuration. Symantec updates the CAL dynamically with known keyloggers and remote-access applications, and you can configure actions around it. |
| Forced detection using file name | Forced detections are detections made by TruScan using a file name. This was part of TruScan's "discovery mode", which can gather additional file information based on instructions from the console. |
| Forced Detection using file hash | Forced detection of a file based on its file hash. This is a TruScan feature where an administrator can configure the product to always log when a given file is detected running on a client machine, based on that file's hash. |
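The practical value of this table is telling apart Action values that mean the risk was handled from those that mean it may still be live on the endpoint (Left Alone, Bad, All actions failed, the pending-restart states, and so on). The script below is an added example, not code from the Symantec KB article or this page: it groups the Action values from the table into triage states, parses a small constructed CSV of risk events (the column layout is an assumption for the example; real SEP log exports use a different, wider set of columns), and returns the rows an analyst should follow up on. Any Action value not in the table is reported as "unknown" rather than silently treated as handled.

```python
import csv
import io

# Action values copied from the table above, grouped by what they mean for triage.
# The grouping is this example's interpretation of the descriptions, not a Symantec field.
REMEDIATED = {
    "Quarantined", "Deleted", "Cleaned", "Cleaned (or Macro Deleted)",
    "Cleaned by Deletion", "Access Denied", "Process Terminated", "Backed Up",
}
# Descriptions say or imply the risk may still be present on the endpoint.
RISK_STILL_PRESENT = {
    "Left Alone", "Bad", "Pending Repair", "Partially Repaired",
    "Process Termination pending restart", "Restart processing",
    "No repair available", "All actions failed", "Suspicious",
}
# Policy- or user-driven values that need context rather than remediation.
INFORMATIONAL = {
    "Undone", "Excluded", "Details Pending",
    "Detected using commercial application list",
    "Forced detection using file name", "Forced Detection using file hash",
}

# Case-insensitive lookup built once; the log field is matched after lower-casing.
_STATE_BY_ACTION = {}
for _state, _names in (("remediated", REMEDIATED),
                       ("risk_present", RISK_STILL_PRESENT),
                       ("informational", INFORMATIONAL)):
    for _name in _names:
        _STATE_BY_ACTION[_name.lower()] = _state


def classify_action(action):
    """Map an Action field value to a triage state; unrecognised values become 'unknown'."""
    return _STATE_BY_ACTION.get(action.strip().lower(), "unknown")


# Constructed sample events (hypothetical hosts, risk names and paths; assumed column layout).
SAMPLE_LOG = r"""time,computer,risk_name,action,file_path
2024-01-05 09:12:01,WS-0142,Example.Trojan.A,Quarantined,C:\Users\alice\Downloads\setup.exe
2024-01-05 09:13:44,WS-0142,Example.Trojan.A,Left Alone,C:\Users\alice\Downloads\setup.exe
2024-01-05 09:20:10,SRV-DB01,Example.Worm.B,All actions failed,C:\Windows\Temp\svc.dll
2024-01-05 10:01:33,WS-0077,Example.Adware.C,Excluded,C:\Program Files\tool\tool.exe
2024-01-05 10:05:00,WS-0091,Example.Backdoor.D,Process Termination pending restart,C:\ProgramData\x.exe
2024-01-05 10:07:15,WS-0091,Example.Backdoor.D,Partial Repaired,C:\ProgramData\x.exe
"""


def parse_log(text):
    """Parse the CSV export into a list of dict rows keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(text):
    """Return (follow_up, counts): rows needing attention, and how many rows fell in each state."""
    follow_up = []
    counts = {}
    for row in parse_log(text):
        state = classify_action(row["action"])
        counts[state] = counts.get(state, 0) + 1
        # A risk that is still present, or an Action value we cannot classify, needs a human.
        if state in ("risk_present", "unknown"):
            follow_up.append({**row, "state": state})
    return follow_up, counts


if __name__ == "__main__":
    rows, summary = triage(SAMPLE_LOG)
    print("state counts:", summary)
    for r in rows:
        print(f"{r['time']}  {r['computer']:<9} {r['risk_name']:<20} "
              f"{r['action']!r:<40} -> {r['state']}")
```

Note that the same host and risk can appear with several Action values in sequence (in the sample, WS-0142 is first Quarantined and then Left Alone); triage should be driven by the latest event for each host/risk pair rather than by the first "remediated" line seen.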
