Hi there. Am running ESM 3.0.61203.19 and have an endpoint that ESM is reporting as Infected.
Endpoint is happily reporting no infections. Quarantine is empty.
ESM is reporting nothing in its Quarantine. Full scans on the endpoint run from ESM are reporting no infections.
I did find one area of ESM that listed the “infected” file - endpoint doesn’t list the file as existing.
How do I get ESM to believe what the endpoint is telling it?
Create an Infections report on the endpoint that shows as infected. Right click on the endpoint -> build report -> computer infections.
Create an antivirus log CES/CAS log report on the endpoint and check the details.
Infected status is displayed when malware was detected by AV, but it has not been successfully handled (deleted, disinfected or quarantined) by the local installation of CES/CAS. You should find it as blocked in the CES/CAS log files (first action on the file detection).
The file might have been detected on a network share accessed by the endpoint.
Thought it better to respond here rather than start a new thread.
I have exactly the issue described above, an infected file on a network share. The question I have is: how do I process the infection from the server? Looking at the help, the only thing I can find is answers that suggest you process files on the machine at the end of a scan, but nothing to process a file from the ESM control to stop it appearing as infected in the list of computers.
You can create the CAV log report from the ESM console to identify the server and share. The infection should be processed on the server. If you have CAV protecting the server, run a full system scan. Once the network share is processed (clean), run a full system scan on the system with infected status. The status should go back to normal after the scan.