SLAC Computer Security
Search SLAC
Symantec Endpoint Protection V11 Safe Mode Scan

To do a Symantec Endpoint Protection (SEP) scan in Windows "Safe Mode", you must be an administrator on the system you want to scan. This is typically done by an OU-Admin.

I.  Set SYSTEM RESTORE OFF

A.  Right-click c:\WINNT\system32\sysdm.cpl, select Run as …

B.  In the Run As window, select The following user, enter.

1.  User name: <choose the administrator of the system>

2.  Password: <enter the password for the account selected above>

C.  On the System Restore tab, check Turn off System Restore

Note: if you do not see the System Restore tab, you are no logged on to the Windows as an Administrator.:

D.  Click Apply

E.  When you see the confirmation message, click Yes

F.  Click OK

II. Ensure that the virus definitions file is not out-of-date.

A.  Right-click on AV icon in tray.

B.  Select Open Symantec Endpoint Protection.

C. Ensure that the program versions and the virus definition file are not out-of-date (1 below).

1.  If the virus definition file is out-of-date, use LiveUpdate (2) to update the file.

III.  Boot in SAFE MODE

A.  Restart the computer and start pressing the F8 key on the keyboard. On a computer that is configured for booting to multiple operating systems, press the F8 key when the Boot Menu appears

B.  Select an option when the Windows Advanced Options menu appears, and then press ENTER.

C. When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the Safe Mode (SAFEBOOT_OPTION=Minimal): installation and then press ENTER.

IV.  Perform full AV scan

Once the system boots up in Safe Mode, go to

A.  Start > All Programs > Symantec Endpoint Protection > Symantec Endpoint Protection, the following window will appear.  Select  No (the system is not on the network and won’t be able to connect.)

B.  In the Symantec Endpoint Protection window, in the left panel select Scan for Threats

C.  In the right panel select Full Scan

Note: The scan will start.

Note: This can take anywhere from 30 minutes to a couple of hours depending on the size of the computer’s hard disk and the number of files on the system.

V.  If NO additional risks are found.

A.  Return use of the computer.

B.  Notify Computer Security via email that the scan was clean.

VI.  If ANY additional risks are found.

A.  DO NOT let the user back on the computer.

B.  DO NOT delete the scan or risk histories

C.  Contact Computer Security

1.  Call a Computer Security team member to review the results; or

2. Export Scan and Risk logs, email scan and risk logs to computer security.

a. Select View Logs on the left panel of the Symantec Window, select View Logs from Antivirus and Antispyware Protection, then select Scan Log, double-click.date the scan was started on, select the Export, then Ok.  Give it an appropriate filename.  Do the same for the Risk Log.  Send both files to Computer Security.

3.  Wait for response from Computer Security.

VII.  If Computer Security confiscates the hard drive.

A.  Create a MainTech ticket in RT to order a replacement hard drive with the user's account charge number.

Note: Hard drives taken for forensic evaluation will be returned at the direction of HR or Legal.

 

 


 

Last Updated: August 04, 2010
Maintainer: SLAC Computer Security Group
Feedback: Please send it to SLAC SEP11 Safe Mode Scan Feedback