Action field values for Endpoint Protection 12.1 and 14
Last Updated March 05, 2019
You view information about virus detection or risk detection and you need to know what the entry in the "Action" field means.
The following table describes the different values that can appear in the Action field in Symantec Endpoint Protection.
View events where the Auto-Protect portion of Symantec Endpoint Protection prevented a file from being created.
View events where the action was taken was invalid. These risks may still be present on the computer.
All actions failed or failed to repair
View events where both the primary action and the secondary action that is configured for the risk cannot be carried out for some reason.
View events where scan engine failure occurred for an unspecified reason. These risks may still be present on the computer.
View events where the software cleaned a virus from the computer.
Cleaned by deletion
View events where the action configured was "clean," but a file was deleted because that was the only way to clean it. For example, this action is generally needed for Trojan horse programs.
Cleaned or macros deleted
View the events where a macro virus was cleaned from a file either by deletion or some other means. This action applies only to events that have been received from computers running Symantec AntiVirus 8.x or earlier versions.
Deleted or removed
View the events where the software deleted an object, such as a file or a registry key, to remove risk.
View the events where users chose to exclude a security risk from detection. For example, this action can occur when a user is prompted for permission to terminate a process.
Specifies the events where the risk was left alone. This action can occur if the first configured action is Leave alone. This action can also occur if the second configured action is Leave alone and the first configured action is not successful. This action may mean that risk is active on the computer.
No repair available
View the events where the risk was detected but no repair is available for the side effects of this risk.
No repair available - Power Eraser recommended for repair
View the events where a scan could not repair the side effects of certain detections. You should run Power Eraser on the computers where these events occur. After Power Eraser detects the threat, you must manually initiate the repair.
View the events where Symantec Endpoint Protection cannot completely repair the effects of a virus or security risk.
Pending repair or Pending admin action
View the events where a user or administrator should take action to complete the remediation of a risk on a computer. For example, the Pending repair action might occur if a user hasn't responded to a prompt to terminate a process. Pending admin action occurs when Power Eraser requires the administrator to perform some action from the logs in the console.
View the events where a process had to be terminated on a computer to mitigate risk.
Process termination pending restart
View the events where a computer needs to be restarted to terminate a process to mitigate risk.
View the events where Symantec Endpoint Protection quarantined a virus or a security risk.
View the Power Eraser events that the administrator deleted but then chose to restore.
View the events where a SONAR scan detected a potential risk but has not remediated it, either because it cannot or because you have configured it to only log detections.
Threat blocked - Power Eraser recommended for repair
View the events where a scan detected and blocked a threat but did not remove or repair any files. You should run Power Eraser on the computers where these events occur. After Power Eraser detects the threat, you must manually initiate the repair.
Restart required - Quarantined
View the events that require a restart after scans quarantine risks.
Restart required - Cleaned
View the events that require the client computer to restart after scans clean the risks.
Left alone by Admin
View the Power Eraser events that the administrator reviewed but chose to leave alone and not remediate. Note that this event action is not sent to the client. The corresponding event on the client in the client log view continues to show the event action as "Pending analysis."