
Symantec Endpoint Recovery Tool (SERT) 

Mar 22, 2013 03:29 PM

Hello,

The Symantec Endpoint Recovery Tool (SERT) is a bootable CD that can scan and remove malware from an infected computer. SERT is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively. It is also necessary against specific threats which have the ability to completely hide from Windows, or that have techniques that manipulate Windows into protecting the malicious process against Symantec Endpoint Protection's scanning and remediation components.

Symantec Technical Support can provide guidance on when it is recommended to use SERT.

Current Version : Symantec Endpoint Recovery Tool 2.0.24

New functionality:

  • SERT no longer downloads new virus definitions automatically on launch; instead, it waits until you start a scan. If you have already provided updated definitions on a USB stick, it does not initiate the download.
  • SERT now includes PCAnywhere ThinClient to enable remote control of the machine to be scanned
  • SERT now includes support for Symantec Endpoint Encryption 8.0 and earlier
  • SERT now has better rootkit remediation capabilities

To use the Symantec Endpoint Recovery Tool

1) On a computer that is not infected, and that has a CD burner, go to FileConnect and download the Symantec Endpoint Recovery Tool.iso file.


2) Burn the image onto a CD or DVD.

For full details, read: Symantec Endpoint Recovery Tool (SERT) download comes as an ISO (disk image), How do I use this?


3) Download the latest virus definition .jdb file from Symantec Security Response.

There are two types of virus definitions you can download: Daily Certified Definitions and Rapid Release Definitions. The links to both definitions are listed below.


  • Rapid Release definitions contain newer, more up-to-date definitions than Daily Certified Definitions. They are generally recommended in cases of virus infections. Rapid Release definitions are typically used on a case-by-case basis and are not recommended for everyday use across the entire environment. Rapid Release definitions have not been tested as thoroughly as Daily Certified Definitions. http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr


4) Using an unzipping utility, unzip the .jdb file into a new folder.

Note: It is possible to use the built-in Windows unzip utility to unzip the .jdb file. To do so, change the file extension on the .jdb file to .zip, right-click the file, and click "Extract All...".

5) After the .jdb is uncompressed, place the folder on a removable storage device or at the root of the infected computer's hard drive so that the Symantec Endpoint Recovery Tool can access the definitions.

6) Confirm that the infected computer boots from CD or removable media first. Please refer to the computer's manual for information on configuring the computer appropriately.

7) Boot the infected computer from the SERT disc created in step 2.

 


 

8) Click Continue loading Endpoint Recovery Tool


 

9) Select a language and click OK


 

10) When presented with the Symantec Software License Agreement, enter the PIN and click I Agree.

NOTE: Symantec customers with a valid support contract may contact Technical Support for the necessary PIN.

http://www.symantec.com/docs/TECH159200


11) If a network connection is not available, you can use the "Browse for Virus Definitions" option in the lower right. Steps 3, 4 and 5 explain how to download the .jdb file and extract the files onto the USB drive. SERT no longer downloads new virus definitions automatically on launch; instead it waits until you start a scan.

If you have already provided updated definitions on a USB stick, it does not initiate the download. (Definitions included with 2.0.24 are dated 25 March 2013. Some of these images were taken without a network connection.)


 

12) Verify that the virus definitions have been loaded by looking in the lower right-hand corner of the screen. The "Virus definitions current as of" field should reflect the current date.

 


 

13) Make sure that Save scan session information is checked.

Saving the scan session allows you to undo any modifications made by the tool.

If needed, you can change the location where the scan session information will be stored. To do so, click Change location and select the preferred location.

14) Click Start Scan.


 

15) This is the interface you see when the scan is running.

 

10b_0.png
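Steps 3 to 5, scripted as an added example (not Symantec's code and not part of the original article): it treats the .jdb as the ZIP archive that the note in step 4 says it is, checks the archive's integrity, refuses members that would land outside the target folder, and then extracts it. The function names and the optional SHA-256 comparison against a digest you recorded yourself are assumptions of this example.

```python
import hashlib
import zipfile
from pathlib import Path


def sha256_of(path):
    """Stream the file through SHA-256 so it never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def extract_jdb(jdb_path, dest_dir, expected_sha256=None):
    """Unpack a .jdb (a ZIP archive under another extension) into dest_dir.

    Returns the sorted list of extracted member names. Raises ValueError if
    the digest does not match, the file is not a ZIP archive, a member fails
    its CRC check, or a member would be written outside dest_dir.
    """
    jdb_path, dest = Path(jdb_path), Path(dest_dir).resolve()
    # expected_sha256 is hypothetical: a digest you noted from a trusted copy.
    if expected_sha256 and sha256_of(jdb_path) != expected_sha256.lower():
        raise ValueError("digest mismatch: download is corrupt or altered")
    if not zipfile.is_zipfile(jdb_path):
        raise ValueError("not a ZIP archive: truncated or wrong file")
    with zipfile.ZipFile(jdb_path) as archive:
        bad = archive.testzip()  # CRC check of every member
        if bad is not None:
            raise ValueError(f"corrupt member: {bad}")
        for name in archive.namelist():
            target = (dest / name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"unsafe path in archive: {name}")
        dest.mkdir(parents=True, exist_ok=True)
        archive.extractall(dest)
        return sorted(archive.namelist())


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp, "sample.jdb")  # constructed stand-in, not real definitions
        with zipfile.ZipFile(sample, "w") as zf:
            zf.writestr("sample.dat", b"constructed sample")
        print(extract_jdb(sample, Path(tmp, "defs"), sha256_of(sample)))
```

Point `dest_dir` at a folder on the removable drive, or at the root of the disk SERT will browse, as described in step 5.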

 

 

Menu options:

Advanced: includes only "Launch Command Prompt".

 

About: Shows the following:

11.jpg

 

To undo a previous scan

Warning: This action will also restore any threats and other security risks removed during the scan.

  1. If you need to undo the actions of a previous scan, in the main screen, click Undo.
  2. Select the session you want to restore, and click Undo.


 

NOTE: Security administrators interested in enhancing the capabilities of SERT may want to read the Connect Forum article "How to Customize Symantec Endpoint Recovery Tool (3rd Party Utility Integration)":

https://www-secure.symantec.com/connect/articles/how-customize-symantec-endpoint-recovery-tool-3rd-party-utility-integration

The above document contains detailed instructions about how to boot SERT from a USB, how to add additional third-party functionality, and how to update SERT's definitions.  

Please do note that this white paper is unsupported and Symantec Technical Support cannot offer assistance on those steps.

 

For convenience, here are links to Symantec's brief articles containing the supported steps:

System Requirements documentation for the Symantec Endpoint Recovery Tool (SERT) 

http://www.symantec.com/docs/TECH134882

Symantec Endpoint Recovery Tool (SERT) download comes as an ISO (disk image). How do I use this? 

http://www.symantec.com/docs/TECH131685

How to make the Symantec Endpoint Recovery Tool boot from a USB memory stick

http://www.symantec.com/docs/TECH131578

What does the full scan from the Symantec Endpoint Recovery Tool (SERT) CD scan?

http://www.symantec.com/docs/TECH150491

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

http://www.symantec.com/docs/TECH131732

VIDEO: 

Symantec Endpoint Recovery Tool (SERT)

https://www-secure.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert

Comments

Nov 22, 2019 10:32 AM

Hi Harold,

Someone asked about it a few days ago - the official answer is "The SERT tool has long been retired.  Running a SymDiag Threat Analysis Scan is a better option."

https://www.symantec.com/connect/forums/how-get-copy-symantec-endpoint-recovery-tool-sert#comment-12228491

Nov 21, 2019 05:01 PM

Hello, I know it's an old post but is this tool still working with SEP 14?

If so, where can I download from?

Thanks

Sep 30, 2016 01:08 PM

Symantec Endpoint Recovery Tool 2014 is no longer supported and has been removed from Symantec FileConnect. Please use one of the following alternatives:

  1. To scan workstations use the Norton Bootable Recovery Tool - https://security.symantec.com/nbrt/nbrt.aspx
  2. To scan servers use the Symantec Diagnostic Tool's Threat Analysis Scan with "Scan for root kits" option enabled - 
    About the Threat Analysis Scan in SymDiag - http://www.symantec.com/docs/TECH215550
    Identify suspicious files with the Threat Analysis Scan in SymDiag - http://www.symantec.com/docs/TECH215519
    Using Today's SymDiag to Combat Today's Threats - http://www.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats

Nov 26, 2014 07:37 AM

No. SERT does not have a pgpwde client to authenticate on disks.

Nov 05, 2014 09:44 AM

Is there a way to scan with SERT, the SED encrypted disks???
Does SERT have a "pgpwde" client to authenticate on disk, and later run the scan??

Thanks in advance.

Sep 25, 2014 01:44 AM

Sorry, my English is very poor...

I try to do a multiboot flash on grub4dos. I copy SERT.iso in /boot on flash. Unzipping *.jdb on /new folder on my flash. Then I try to boot from flash. Booting, booting and then I see "Norton bootable recovery tool failed to launch. Required file not found. Program will exit. ERR - 0001".

Oct 23, 2013 10:12 AM

How long would you expect a scan to take on a windows 7 build?

 

Ran a test scan on 2x laptops to familiarise myself (no viruses) and the scan literally finished in seconds (0 items scanned), is this right?

 

Thanks, Steve

 

Oct 22, 2013 01:53 AM

That's really superb!!

Oct 03, 2013 05:53 AM

Hi

50 percent agreed with azasadny

 

Sep 18, 2013 12:55 PM

I've never had this tool help me in any way. Norton Power Eraser (NPE) is running about 50% effective, but SERT has never assisted me in remediating a client.

Sep 12, 2013 01:54 PM

Awesome write up.  Thanks!

Sep 04, 2013 02:33 PM

Why not?

Sep 04, 2013 02:30 PM

Good write-up, but not a very useful tool...

Jun 17, 2013 05:32 AM

Hi,

thanks for sharing info.

May 21, 2013 12:16 PM

One alternative to this SERT tool is Power Eraser.  Here's a good article:

Symantec Power Eraser using Symantec Help (SymHelp) Tool.
https://www-secure.symantec.com/connect/articles/symantec-power-eraser-using-symantec-help-symhelp-tool

May 21, 2013 06:50 AM

Nice. Much informative.

Regards

Ajin

Apr 25, 2013 04:34 AM

Hi Mithun,

Thumbs up for your article.

Very nice and simple article..!!!!!     Cheersssssss!!!!!!!!

Apr 25, 2013 03:31 AM

Thanks for the article. It was helpful.

Apr 01, 2013 01:40 PM

Hello,

I agree. However, this is by design.

Apr 01, 2013 01:37 PM

Thanks Mithun for the Wonderful Article with Proper Screenshots.

Apr 01, 2013 01:26 PM

Doesn't having access to FileConnect make the assumption that you already have a valid support contract? You need to enter a serial number to download anything from FileConnect, which is provided by support.

Apr 01, 2013 01:19 PM

Hello,

The PIN is required so as to understand you are carrying a valid support contract.

Secondly, once the SERT is downloaded from FileConnect, you may create a DVD. You can pass on the PIN number to your colleagues who are using the SERT tool.

Hope that helps!!

Mar 30, 2013 01:28 PM

Understood but without having a FileConnect serial number, you can't even get the tool.

Mar 30, 2013 01:16 PM

Yes Brian, the PIN is necessary.
http://www.symantec.com/docs/TECH159200

Mar 30, 2013 12:39 PM

Is the PIN needed each time you use SERT? If so, that means I need to provide to every one of my remote technicians. I'm not sure I understand the logic behind this if that is the case.

Brian
