Symantec Endpoint Protection detected risks while you were logged out

Article ID: 151572

Products

Endpoint Protection

Issue/Introduction

When logging into Windows, the following notification may appear:

"Symantec Endpoint Protection detected Risks while you were logged out. You may need to open the AntiVirus and Antispyware Protection Risk Log to view and take action on the risks."

Cause

  • A scheduled scan may have run while the user was not logged in and detected threats.

  • AutoProtect may have detected a risk: e.g. while the user was logged out, the machine may have been accessed by an administrator or other user via Remote Admin tools (RDP, etc.). Note that disabling AutoProtect notifications does not disable this pop-up.

  • AntiVirus Definitions may have been updated while the user was logged off. After definition updates, DWHWizrd.exe (DefWatch Wizard) scans items in quarantine to determine if they can be repaired. If items are in quarantine, this will also cause the pop-up and may cause additional confusion because it does not create new risk log entries. Note that the DefWatch Wizard scan of Quarantine items is separate from the DefWatch Quickscan, and disabling the DefWatch Quickscan will not prevent the DefWatch Wizard scan.


Resolution

When you see the pop-up, you should check Endpoint Protection logs to determine if AutoProtect or a scheduled scan detected threats while the user was logged off, and take action as necessary. Note: You must do this under an Administrative user account in order to see all logs. Administrative or System scan results, for example, will not be visible to limited users. If there are no threats logged, then the pop-up was caused by the DefWatch Wizard scan after a definition update.

To disable the DefWatch Wizard scan

If you want to leave this pop-up enabled, but prevent its display after definitions have been updated when no one is logged on, disable the DefWatch Wizard's scan of items in quarantine. This can be done by editing the policy in the Endpoint Protection Manager: Antivirus and Antispyware policy->Quarantine settings, and setting "When New Virus Definitions Arrive" to "Do nothing." On SEP Small Business Edition, or on unmanaged clients, this setting is not available in the GUI and you must set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\DefWatchMode=3 (REG_DWORD).

DefWatchMode
Value  Action
0      Automatically repair and restore files in Quarantine silently
1      Repair the files in Quarantine silently without restoring
2      Prompt user
3      Do nothing
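
For unmanaged or Small Business Edition clients, the registry change above can be audited and applied with a script like the following. This is an added example, not Symantec or Broadcom code: the key path, value name and value meanings come from this article, while the parameter names (-DesiredMode, -Apply) and the helper Get-DefWatchMode are hypothetical.

```powershell
# Added example, not vendor code. Key path, value name and meanings are from the article.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [ValidateRange(0, 3)]
    [int]$DesiredMode = 3,   # 3 = "Do nothing" per the DefWatchMode table
    [switch]$Apply           # hypothetical switch: without it the script only reports
)

$KeyPath   = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine'
$ValueName = 'DefWatchMode'
$Actions   = @{
    0 = 'Automatically repair and restore files in Quarantine silently'
    1 = 'Repair the files in Quarantine silently without restoring'
    2 = 'Prompt user'
    3 = 'Do nothing'
}

function Get-DefWatchMode {
    # Returns $null when the key or the value is absent.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

$current = Get-DefWatchMode
if ($null -eq $current) {
    Write-Output "$ValueName is not set under $KeyPath"
} elseif ($Actions.ContainsKey($current)) {
    Write-Output "$ValueName = $current ($($Actions[$current]))"
} else {
    Write-Output "$ValueName = $current (not one of the documented values 0-3)"
}

if ($Apply -and $current -ne $DesiredMode) {
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Key not found: $KeyPath. Not creating it; confirm the client is installed."
    }
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", "Set to $DesiredMode ($($Actions[$DesiredMode]))")) {
        # Needs an elevated session; -ErrorAction Stop surfaces a denied write instead of hiding it.
        Set-ItemProperty -LiteralPath $KeyPath -Name $ValueName -Value $DesiredMode -Type DWord -ErrorAction Stop
        Write-Output "$ValueName is now $(Get-DefWatchMode)"
    }
}
```

Run it without -Apply to record the current mode across machines before changing anything; -Apply -WhatIf shows the pending write without making it.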


To disable the pop-up entirely

1. On managed clients, in the Endpoint Protection Manager policy, go to Antivirus and AntiSpyware policy->Administrator-Defined Scans->Advanced and uncheck the checkbox "Display notifications about detections when the user logs on".

2. On Endpoint Protection Manager 14.x, go to Virus and Spyware Protection policy > Advanced Options > Global Scan Options and uncheck the checkbox "Display notifications about detections when the user logs on".