Power Eraser provides aggressive scanning and analysis to help resolve issues with heavily infected Windows computers. Because Power Eraser analysis is aggressive, it sometimes flags critical files that you might need. Power Eraser can produce more false positives than virus and spyware scans.
You should run Power Eraser only in emergency situations, such as when computers exhibit instability or have a persistent problem. Typically, you run Power Eraser on a single computer or small group of computers. You should not run other applications at the same time. In some cases, a regular scan event alerts you to run a Power Eraser analysis.
Differences between using Power Eraser from Symantec Endpoint Protection Manager or locally with the SymDiag tool
From the management console, you can run Power Eraser remotely on your Windows clients. Symantec Endpoint Protection does not include an option to launch Power Eraser directly from the client. However, a user on the client computer can download the SymDiag tool and run Power Eraser from the tool.
If you use the SymDiag tool, Power Eraser detections do not appear in the Symantec Endpoint Protection Manager logs.
When you run Power Eraser from the console, Power Eraser does not examine the user-specific load points, registrations, and folders that the SymDiag tool examines.
Do not run Power Eraser from the console and locally with the SymDiag tool at the same time. Otherwise, you might negatively affect the computer's performance.
Power Eraser consumes a large amount of computer resources. Power Eraser files can also consume a large amount of space on the computer if you run Power Eraser on a computer multiple times. During each analysis, Power Eraser saves detection information in the files that it stores in the Symantec Endpoint Protection application folder. The files are purged when the client purges the logs.
Power Eraser is different from regular scans in the following ways:
Unlike a full scan, Power Eraser does not scan every file on the computer. Power Eraser examines load points and load point disk locations as well as running processes and installed services.
Power Eraser detections do not appear in the Quarantine.
Power Eraser takes precedence over virus and spyware scans. When you run Power Eraser, Symantec Endpoint Protection cancels any virus and spyware scan in progress.
Power Eraser does not automatically remediate detections. You must review the detection list in the Scan log or Risk log and select an action from the log. You can choose to remove the detection or mark the detection as safe (leave alone). You can also restore (undo) a removed detection.
Power Eraser can run in regular mode or in rootkit mode. The rootkit mode requires a restart before the scan launches. Also, if you choose to remove any Power Eraser detection, the computer must be restarted for the remediation to complete.
You perform two high-level steps when you run Power Eraser from the console:
Start a Power Eraser analysis on one computer or a small group of computers. Power Eraser does not automatically remediate any detections because of the potential for false positives.
Use the Risk log or Scan log to review Power Eraser detections and manually request that Power Eraser remove any detections that you determine are threats. You can also acknowledge the detections that you want to ignore and leave alone.
Review the workflow for details about how to run Power Eraser from the console and how to make sure that you configure the console settings correctly.
The following are the policy settings that affect Power Eraser:
Scan settings for user interaction
When you let users cancel any virus and spyware scan, you also let them cancel any Power Eraser analysis. However, users cannot pause or snooze Power Eraser.
Power Eraser honors the following virus and spyware exceptions: file, folder, known risk, application, and trusted web domain. Power Eraser does not honor extension exceptions.
Log retention settings
You can take action on Power Eraser detections as long as the detections appear in the logs. The logs are purged after the period of time that is specified in the Virus and Spyware Protection policy. By default, log events are available for 14 days. You can modify the log retention setting or, after the events expire, run another scan to repopulate the logs.
You can configure the restart settings specifically for rootkit analysis when you choose to run Power Eraser in rootkit detection mode. The administrator must have restart privileges. After you choose to remove a Power Eraser detection, the computer uses the group restart settings. Power Eraser does not use the rootkit restart settings to restart and complete a remediation.
Power Eraser uses the Symantec Insight server in the cloud when it scans and makes decisions about files. If you disable reputation queries, or if the client computer cannot connect to the Insight server, Power Eraser cannot use Symantec Insight. Without Symantec Insight, Power Eraser makes fewer detections, and the detections it makes are more likely to be false positives. Reputation queries are enabled when the Allow Insight lookups for threat detection option is enabled. The option is enabled by default.
Symantec Endpoint Protection sends the information about Power Eraser detections to Symantec when the Antivirus detections option is enabled. The option is enabled by default.