Symantec Endpoint Protection detected risks while you were logged out
Last Updated May 23, 2017
If I log out and then log in to Windows, why do I get a pop-up that reads, "Symantec Endpoint Protection detected Risks while you were logged out..."
"Symantec Endpoint Protection detected Risks while you were logged out. You may need to open the AntiVirus and Antispyware Protection Risk Log to view and take action on the risks."
A scheduled scan may have run while the user was not logged in and detected threats.
AutoProtect may have detected a risk. For example, while the user was logged out, the machine may have been accessed by an administrator or other user via Remote Admin tools (RDP, etc.). Note that disabling AutoProtect notifications does not disable this pop-up.
AntiVirus Definitions may have been updated while the user was logged off. After definition updates, DWHWizrd.exe (DefWatch Wizard) scans items in quarantine to determine if they can be repaired. If items are in quarantine, this will also cause the pop-up and may cause additional confusion because it does not create new risk log entries. Note that the DefWatch Wizard scan of Quarantine items is separate from the DefWatch Quickscan, and disabling the DefWatch Quickscan will not prevent the DefWatch Wizard scan.
When you see the pop-up, you should check Endpoint Protection logs to determine if AutoProtect or a scheduled scan detected threats while the user was logged off, and take action as necessary. Note that you must do this under an Administrative user account in order to see all logs. Administrative or System scan results, for example, will not be visible to limited users. If there are no threats logged, then the pop-up was caused by the DefWatch Wizard scan after a definition update.
To disable the DefWatch Wizard scan
If you want to leave this pop-up enabled, but prevent its display after definitions have been updated when no one is logged on, disable the DefWatch Wizard's scan of items in quarantine. This can be done by editing the policy in the Endpoint Protection Manager: under Antivirus and Antispyware policy -> Quarantine settings, set "When New Virus Definitions Arrive" to "Do nothing." On SEP Small Business Edition, or on unmanaged clients, this setting is not available in the GUI and you must set the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine\DefWatchMode=3 (REG_DWORD).
DefWatchMode value | Action
0 | Automatically repair and restore files in Quarantine silently
1 | Repair the files in Quarantine silently without restoring
2 | Prompt user
3 | Do nothing
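For unmanaged or Small Business Edition clients, the registry change described above can be audited and applied with a script such as the following. This is an added example, not Symantec code: the parameter names (-DesiredMode, -Apply) are hypothetical, and checking both the 64-bit and 32-bit registry views is an assumption about where the key may reside on 64-bit Windows.

```powershell
#Requires -RunAsAdministrator
# Added example (not Symantec code): report DefWatchMode and, with -Apply, set it.
[CmdletBinding()]
param(
    [ValidateRange(0, 3)][int]$DesiredMode = 3,  # 3 = "Do nothing"
    [switch]$Apply                               # report only unless -Apply is given
)

# Value meanings exactly as listed in the article.
$modeText = @{
    0 = 'Automatically repair and restore files in Quarantine silently'
    1 = 'Repair the files in Quarantine silently without restoring'
    2 = 'Prompt user'
    3 = 'Do nothing'
}
$subKey = 'SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine'

# Assumption: on 64-bit Windows the key may sit in either registry view, so check both.
$views = if ([Environment]::Is64BitOperatingSystem) { 'Registry64', 'Registry32' } else { 'Default' }

foreach ($view in $views) {
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
    try {
        $key = $base.OpenSubKey($subKey, $Apply.IsPresent)   # writable only with -Apply
        if ($null -eq $key) { Write-Output "[$view] Quarantine key not found"; continue }

        $current = $key.GetValue('DefWatchMode', $null)
        if ($null -eq $current) {
            Write-Output "[$view] DefWatchMode is not set"
        } elseif ($key.GetValueKind('DefWatchMode') -ne 'DWord' -or -not $modeText.ContainsKey([int]$current)) {
            Write-Warning "[$view] DefWatchMode has unexpected data: $current"
        } else {
            Write-Output "[$view] DefWatchMode=$current ($($modeText[[int]$current]))"
        }

        if ($Apply -and $current -ne $DesiredMode) {
            # Written as REG_DWORD, the type the article specifies.
            $key.SetValue('DefWatchMode', $DesiredMode, [Microsoft.Win32.RegistryValueKind]::DWord)
            Write-Output "[$view] DefWatchMode set to $DesiredMode ($($modeText[$DesiredMode]))"
        }
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        Write-Warning "[$view] access denied: $($_.Exception.Message)"
    } finally {
        if ($key) { $key.Dispose(); $key = $null }
        $base.Dispose()
    }
}
```

Run without -Apply first to record the current value on each client before changing it.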
There have been reports that this pop-up still appears when the DefWatch Wizard scan is disabled and no threats are logged. These reports are being investigated by Symantec and this article will be updated as necessary.
To disable the pop-up entirely
This pop-up may be disabled entirely in Symantec Endpoint Protection 11 RU5. In those versions, the pop-up is controlled by the following registry value on the client:
Managed clients can be configured in Endpoint Protection Manager policy: under Antivirus and AntiSpyware policy -> Administrator-Defined Scans -> Advanced, uncheck the checkbox "Display notifications about detections when the user logs on".
On Endpoint Protection Manager 12.x and 14.x, the checkbox is under Virus and Spyware Protection policy > Advanced Options > Global Scan Options; uncheck the checkbox "Display notifications about detections when the user logs on".
Cannot disable logon notification "SEP detected risks while you were logged out"
ID: Etrack 2529730
"SEP detected risks while logged out", nothing in logs, and DefWatch Wizard scan is disabled
In the released version of SEP 12.1, the message "Symantec Endpoint Protection detected Risks while you were logged out" appears in a pop-up when you log in, but when you check, there is nothing in the risk log.
This is fixed in 12.1_RU1_MP1 as per etrack 2529730.
From etrack: "Now, only the first admin user will be able to see the toaster popup. Meaning that if you have non-admin users logging into system and then an admin user logging in, the admin user should still be able to see the toaster. And after that the toaster will be disabled. So after that if another admin user logs in again, he/she will not see the same toaster any more. And yes the entry will be stored into client logs so all admin users should be able to see it whenever they log in. If not then it should be another defect."
Unable to disable the "Threats were detected while you were logged out" message
Imported Document ID: TECH105373