In ATP Manager, a user selects the action Delete File. When the user checks the ATP Action Manager to monitor the status, the Action Manager indicates that the action failed. However, when the user checks the endpoint on which the file resided, it does appear that the file was Quarantined.
Advanced Threat Protection (ATP)
Symantec Endpoint Protection (SEP)
When a file is selected for deletion in ATP, it is not actually deleted; instead, the selected Endpoint Quarantines it. See Advanced Threat Protection (ATP) About "Action: Delete File from Endpoints".
As part of this process, SEP also attempts to clean all of the side effects of the file. If SEP cannot successfully complete all of the cleaning actions, it returns a response of PARTIAL. ATP interprets PARTIAL as unsuccessful, so the ATP Action Manager reports the action as a failure.
You can check the endpoint to verify if the file was Quarantined or run an endpoint search in ATP for the file on that endpoint to verify if it still exists.
File deletion succeeds on Endpoint, but Action Manager says it failed.