Support - Platinum Support
tab end BCS Web Site divider MySupport divider Log Out navbar end
navbar end home symantec alerting service security center knowledge base navbar end
BCS Knowledge Base


Rate This Document
1x3 spacer
1x1 spacer

print this documentDocument ID:2006112010562148
Last Modified:03/28/2010

Explanation of Action field values in Symantec Endpoint Protection 11 and Symantec AntiVirus 10.1

Situation:You view information about a virus detection or a risk detection and you need to know what the entry in the "Action" field means.

Solution:The following table describes the different values that can appear in the Action field in Symantec Endpoint Protection and Symantec AntiVirus 10.1.

QuarantinedSymantec Endpoint Protection quarantined a file
DeletedSymantec Endpoint Protection deleted an object, such as a file or registry key, to remove a risk.
Backed UpSymantec Endpoint Protection placed an item into quarantine before a repair attempt.
Left AloneSymantec Endpoint Protection detected a risk but did not take action. This can occur if the first configured action is Leave alone or if the second configured action was Leave alone and the first configured action was not successful. This may mean that a risk is active on the endpoint.
CleanedSpecifies the events where the software cleaned a virus from the computer.
Cleaned (or Macro Deleted)Specifies the events where a macro virus was cleaned from a file either by deletion or some other means. This action applies only to the events that have been received from the computers that run Symantec Endpoint Protection 8.x or earlier versions.
UndoneAction taken on specified risk has been undone due to user request.
BadSymantec Endpoint Protection could not take action on a file because the file is write-protected or because the SYSTEM account lacks write permissions to the file.
Pending RepairSpecifies the events where a user still needs to take action to complete the remediation of a risk on a computer. For example, this action may occur if a user hasn't responded to a prompt to terminate a process.
Partially RepairedSpecifies the events where Symantec Endpoint Protection cannot completely repair the effects of a virus or security risk.
Process Termination pending restartSpecifies the events where a computer needs to be restarted to terminate a process to mitigate a risk.
ExcludedSpecifies the events where users chose to exclude a security risk from detection.
Restart processingThe user must restart the computer so that Symantec Endpoint Protection can complete the configured action.
Cleaned by DeletionSpecifies the events where the action configured was Clean, but a file was deleted because that was the only way it can be cleaned. For example, this action is generally needed for Trojan horse programs.
Access DeniedSpecifies the events where Auto-Protect prevented a file from being created.
Process TerminatedSpecifies the events where a process had to be terminated on a computer to mitigate a risk.
No repair availableSpecifies the events where a risk was detected but no repair is available for the side effects of this risk.
All actions failedSpecifies the events where both the primary action and the secondary action that were configured for the risk cannot be carried out. These risks are still present on the computer.
SuspiciousSpecifies the events where a TruScan Proactive Threat Scan detected a potential risk but has not remediated it. Symantec Endpoint Protection did not remediate the risk either because it cannot or because you have configured it to only log detections
Details PendingDetails are not yet available about this action.
Detected using commercial application listProcess listed on the commercial application list was detected, and an action was taken on it based on your configuration. The CAL is updated by Symantec to have known keyloggers and remote application programs updated dynamically, which you could then configure actions around.
Forced detection using file nameForced detections are detections made by TRUSCAN using a file name. This was part of the “discovery mode” of TRUSCAN being able to gather additional file information based on instructions from the console.
Forced Detection using file hashForced detection of a file based on a file hash. This is a TRUSCAN feature where an admin can configure the product to always log when a given file is detected running on a client machine based on that file’s file hash.

print this documentDocument ID:2006112010562148
Last Modified:03/28/2010

rate this document
Does this document answer your question?
Maybe, need to test
None of the above
Is this document well written and easy to use?
Submit specific suggestions to improve the quality of this document.

Product(s): Endpoint Protection 11, Symantec AntiVirus Corporate Edition 10.0, Symantec Client Security 3.1
Operating Systems(s): Windows 2000, Windows XP Home, Windows XP Professional Edition, Windows XP Tablet PC, NetWare 5.1, NetWare 6.0, NetWare 6.5, Windows XP 64-Bit Edition 2003, Windows Server 2003 32-bit Edition, Windows Server 2003 64-bit Edition, Windows XP Media Center Edition 2005
Date Created: 11/20/2006

  © 1995-2014 Symantec Corporation. All rights reserved. feedback | legal notices | privacy policy