Best practice for collecting logs on a possibly infected computer
Last Updated October 22, 2018
A computer is showing the symptoms of possible infection. The Symantec Endpoint Protection (SEP) client is not detecting any malicious files.
What are the best practices for collecting logs on a possibly infected computer?
If a computer is suspected of being infected, perform a full system scan on it with the latest Rapid Release definitions. Afterwards, check the logs to see whether any threats have been detected. Also review the logs for SONAR and IPS detections.
If nothing has been detected, run a SymHelp diagnostic with the Threat Analysis Scan (TAS) to see whether any suspicious files are found. The SymHelp tool generates a .sdbz file containing several important logs and reports, and it is the recommended tool for collecting logs from computers that are potentially infected. For details, see How to run the Threat Analysis Scan in Symantec Help (SymHelp).
If the tool identifies suspicious files, submit them to Symantec Security Response for analysis. (Do not send suspicious files directly to Symantec Technical Support via email or any other method.) Once that is done, isolate the computer from the network to prevent the spread of any potential infection. Keep the system isolated until the files have been examined and new definitions for any confirmed threats have been released.
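Before the suspicious files flagged by the scan are submitted to Security Response, it helps to record what was sent (path, size, SHA-256) alongside the SymHelp .sdbz bundle, so the submission can be tracked and later matched against detections once new definitions arrive. The script below is an added example written for this article; it is not part of the Symantec article or of SymHelp. The file names, contents and the stand-in .sdbz bundle it creates are constructed for the demonstration, and the manifest format is an assumption of this example rather than anything Security Response requires.

```python
# Added example (not from the Symantec article or SymHelp): record hashes and
# sizes of the suspicious files flagged by SymHelp/TAS before they are submitted
# to Security Response, so the submission can be tracked and later matched
# against released definitions.  All paths and file contents are constructed.
import hashlib
import json
import socket
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large samples never load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def describe_file(path: Path) -> dict:
    """One manifest entry; a missing or unreadable file is recorded, not silently skipped."""
    entry = {"path": str(path)}
    try:
        st = path.stat()
        entry["size"] = st.st_size
        entry["mtime_utc"] = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime))
        entry["sha256"] = sha256_of(path)
    except OSError as exc:
        entry["error"] = f"{type(exc).__name__}: {exc}"
    return entry


def build_manifest(paths, sdbz_path=None) -> dict:
    """Manifest for one submission: host, time, the SymHelp .sdbz bundle (if given) and each file."""
    return {
        "generated_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "host": socket.gethostname(),
        "symhelp_bundle": describe_file(Path(sdbz_path)) if sdbz_path else None,
        "files": [describe_file(Path(p)) for p in sorted(map(str, paths))],
    }


def write_manifest(manifest: dict, out_path) -> Path:
    """Persist the manifest as JSON next to the files being submitted."""
    out = Path(out_path)
    out.write_text(json.dumps(manifest, indent=2))
    return out


def demo() -> dict:
    """Run against constructed sample files in a temporary directory (no real samples)."""
    with tempfile.TemporaryDirectory() as tmp_dir:
        tmp = Path(tmp_dir)
        (tmp / "sample_abc.bin").write_bytes(b"abc")      # constructed content
        (tmp / "sample_empty.bin").write_bytes(b"")       # constructed, zero-length file
        bundle = tmp / "SymHelp_output.sdbz"              # stand-in for the real SymHelp bundle
        bundle.write_bytes(b"placeholder")
        targets = [
            tmp / "sample_abc.bin",
            tmp / "sample_empty.bin",
            tmp / "does_not_exist.bin",                   # deliberately missing
        ]
        manifest = build_manifest(targets, sdbz_path=bundle)
        write_manifest(manifest, tmp / "submission_manifest.json")
        return manifest


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice, pass `build_manifest` the paths reported by the Threat Analysis Scan and the real .sdbz file; keep the manifest on the isolated machine or in the incident ticket, and compare the recorded SHA-256 values against the detections that appear once new definitions have been released.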
Imported Document ID: TECH165403