What you should know before you run Power Eraser from the Symantec Endpoint Protection Manager console
Power Eraser provides aggressive scanning and analysis to help resolve issues with heavily infected Windows computers. Because Power Eraser analysis is aggressive, it sometimes flags critical files that you might need. Power Eraser can produce more false positives than virus and spyware scans.
You should run Power Eraser only in emergency situations, such as when computers exhibit instability or have a persistent problem. Typically, you run Power Eraser on a single computer or small group of computers. You should not run other applications at the same time. In some cases, a regular scan event alerts you to run a Power Eraser analysis.
Differences between using Power Eraser from Symantec Endpoint Protection Manager and locally with the SymHelp tool
You can run Power Eraser remotely from the management console on your Windows clients. Symantec Endpoint Protection Small Business Edition does not include an option to launch Power Eraser directly from the client. However, a user on the client computer can download the SymHelp tool and run Power Eraser from the tool.
If you use the SymHelp tool, Power Eraser detections do not appear in the Symantec Endpoint Protection Manager logs.
When you run Power Eraser from the console, Power Eraser does not examine the user-specific load points, registrations, and folders that the SymHelp tool examines.
Make sure that you do not run Power Eraser from the console and locally with the SymHelp tool at the same time. Otherwise, you might negatively affect the computer's performance.
Power Eraser consumes a large amount of computer resources. Power Eraser files can also consume a large amount of space on the computer if you run Power Eraser on a computer multiple times. During each analysis, Power Eraser saves detection information in the files that it stores in the Symantec Endpoint Protection application folder. The files are purged when the client purges the logs.
How Power Eraser is different from virus and spyware scans
Power Eraser is different from regular scans in the following ways:
Unlike a full scan, Power Eraser does not scan every file on the computer. Power Eraser examines load points and load point disk locations as well as running processes and installed services.
Power Eraser detections do not appear in the Quarantine.
Power Eraser takes precedence over virus and spyware scans. When you run Power Eraser, Symantec Endpoint Protection Small Business Edition cancels any virus and spyware scan in progress.
Power Eraser does not automatically remediate detections. You must review the detection list in the Scan log or Risk log and select an action from the log. You can choose to remove the detection or mark the detection as safe (leave alone). You can also restore (undo) a removed detection.
Power Eraser can run in regular mode or in rootkit mode. The rootkit mode requires a restart before the scan launches. Also, if you choose to remove any Power Eraser detection, the computer must be restarted for the remediation to complete.
Overview of the high-level steps that you perform when you need to run Power Eraser
You perform two high-level steps when you run Power Eraser from the console:
Start a Power Eraser analysis on one computer or a small group of computers. Power Eraser does not automatically remediate any detections because of the potential for false positives.
Use the Risk log or Scan log to review Power Eraser detections and manually request that Power Eraser remove any detections that you determine are threats. You can also acknowledge the detections that you want to ignore and leave alone.
Review the workflow for details about how to run Power Eraser from the console and how to make sure that you configure the console settings correctly.
You can take action on Power Eraser detections until the logs are purged. By default, log events are available for 60 days. You cannot change the log retention setting. If the events expire, you can run another scan to re-populate the logs.
You can configure the restart settings specifically for rootkit analysis when you choose to run Power Eraser in rootkit detection mode. The administrator must have restart privileges. After you choose to remove a Power Eraser detection, the computer uses the group restart settings. Power Eraser does not use the rootkit restart settings to restart and complete a remediation.
Power Eraser uses the Symantec Insight server in the cloud when it scans and makes decisions about files. If you disable reputation queries, or if the client computer cannot connect to the Insight server, Power Eraser cannot use Symantec Insight. Without Symantec Insight, Power Eraser makes fewer detections, and the detections it makes are more likely to be false positives. Reputation queries are enabled when the Allow Insight lookups for threat detection option is enabled. The option is enabled by default.