Endpoint Protection

  • 1.  SEP Logs: Actual Action: Left alone

    Posted Dec 04, 2013 06:38 PM

    I am trying to figure out from the logs I am seeing/getting where I see "Actual action: Left alone,Requested action: Cleaned,Secondary action: Deleted" if it actually didn't do anything.  Currently all I have are the logs and no access into the management server or workstation.

    Can someone confirm for me what actually was done?  Does "Actual action" really mean that it left it alone? 



  • 2.  RE: SEP Logs: Actual Action: Left alone

    Posted Dec 04, 2013 06:48 PM

    Yes, actual action means it was left alone. A risk was detected but SEP did not take action.

    What type of file was this? Encrypted zip/rar file? Or perhaps the file is hooked into another system process which SEP cannot kill.

    Try scanning it in safe mode.



  • 3.  RE: SEP Logs: Actual Action: Left alone

    Posted Dec 04, 2013 06:59 PM

    They are different types of files.  I have seen exe files, dll's, etc.  I could understand the dll being hooked into another system process and not being able to be removed, but not a file such as "postcard.exe" which looks like it was downloaded from an email.

     

    Thanks for your feedback.



  • 4.  RE: SEP Logs: Actual Action: Left alone

    Posted Dec 04, 2013 07:11 PM

    Is postcard.exe the parent or child process? If you try to delete manually does it work or does it tell you it cannot be deleted? You can try in safe mode but for some reason SEP cannot get it. You may have to do some manual removal.

    http://www.symantec.com/docs/TECH101661

    You can also run the load point analysis from the SymHelp tool as well as the Symantec Power Eraser

    http://www.symantec.com/docs/TECH170735



  • 5.  RE: SEP Logs: Actual Action: Left alone

    Broadcom Employee
    Posted Dec 04, 2013 09:05 PM

    Does scanning in safe mode result in the same action?



  • 6.  RE: SEP Logs: Actual Action: Left alone

    Posted Dec 04, 2013 11:44 PM

    Follow this document:

    Best Practices for responding to "Left Alone" in the virus or threat history log



  • 7.  RE: SEP Logs: Actual Action: Left alone

    Posted Dec 05, 2013 04:31 AM

    Please follow the URL below for your concern:

    http://www.symantec.com/docs/TECH100975



  • 8.  RE: SEP Logs: Actual Action: Left alone

    Posted Dec 06, 2013 09:17 AM

    Hi meathead1976,

    Good advice, above....

    There are a number of reasons why SEP cannot perform its configured action on some processes or files.  Definitely isolate that computer and scan it in safe mode with the very latest definitions.  This usually is successful against threats that have ways of tricking Windows into defending them.

    Other times when the action is "left alone" it is because the local SEP client is trying to delete a file on a remote computer and does not have the necessary permissions.  Locate the file server, etc and ensure a full scan is performed on that. 

    Hope this helps!

    Mick



  • 9.  RE: SEP Logs: Actual Action: Left alone

    Trusted Advisor
    Posted Dec 06, 2013 09:32 AM

    Also check your reports and logs for duplicate entries, as sometimes the first log will have cleaned/deleted/quarantined the risk, then when the duplicate entry tries to take action there is no file for it to take action against, so it logs the actions as left alone.



  • 10.  RE: SEP Logs: Actual Action: Left alone

    Posted Mar 03, 2014 01:54 PM

    Do you need more assistance with your problem or were you able to get it resolved?

    If you could post an update for followers of this thread that would be most helpful.

    Otherwise, if resolved, you can close the thread out by clicking the "Mark as solution" link at the bottom left on the most helpful post. If multiple posts helped to solve your problem, please click the "Request split solution" link at the bottom left, select the most helpful posts and click the "Submit" button. This will benefit admins looking for a resolution to the same problem.

    Thanks and take care,
    Brian
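
The duplicate-entry check suggested in reply 9, for someone who has only the exported logs, as an added example that is not part of the original thread or Symantec's own tooling. Only the three "action" fields come from the thread; the `Event time`, `Computer name` and `File path` field names, the sample lines and the 300-second pairing window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines. Only the three "action" fields appear in the
# thread; "Event time", "Computer name" and "File path" are assumed names.
SAMPLE_LOG = """\
Event time: 2013-12-04 17:58:10,Computer name: WS-014,File path: C:\\Users\\a\\postcard.exe,Actual action: Deleted,Requested action: Cleaned,Secondary action: Deleted
Event time: 2013-12-04 17:58:11,Computer name: WS-014,File path: C:\\Users\\a\\postcard.exe,Actual action: Left alone,Requested action: Cleaned,Secondary action: Deleted
Event time: 2013-12-04 18:02:40,Computer name: WS-022,File path: C:\\Windows\\Temp\\x.dll,Actual action: Left alone,Requested action: Cleaned,Secondary action: Deleted
Event time: 2013-12-05 09:00:00,Computer name: WS-014,File path: C:\\Users\\a\\postcard.exe,Actual action: Left alone,Requested action: Cleaned,Secondary action: Deleted
"""

# "Key: value" pairs separated by commas; a value runs until the next key.
FIELD = re.compile(r"(?:^|,)([A-Za-z ]+): (.*?)(?=,[A-Za-z ]+: |$)")
# Actions named in reply 9 as having already dealt with the risk.
SUCCESS = {"cleaned", "deleted", "quarantined"}


def parse(line):
    """Turn one log line into a dict with lower-cased field names."""
    return {k.strip().lower(): v.strip() for k, v in FIELD.findall(line)}


def triage(log_text, window_seconds=300):
    """Split 'Left alone' events into likely duplicates and unresolved ones.

    A 'Left alone' entry counts as a likely duplicate when the same file on
    the same computer was cleaned/deleted/quarantined shortly before it.
    """
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["event time"], "%Y-%m-%d %H:%M:%S")
    events.sort(key=lambda e: e["ts"])

    last_success, duplicates, unresolved = {}, [], []
    for e in events:
        key = (e["computer name"].lower(), e["file path"].lower())
        action = e["actual action"].lower()
        if action in SUCCESS:
            last_success[key] = e["ts"]
        elif action == "left alone":
            prev = last_success.get(key)
            recent = prev and (e["ts"] - prev).total_seconds() <= window_seconds
            (duplicates if recent else unresolved).append(key)
    return duplicates, unresolved


if __name__ == "__main__":
    dup, open_items = triage(SAMPLE_LOG)
    print("likely duplicates:", dup)
    print("still unresolved:", open_items)
```

Entries that land in the unresolved list are the ones to chase with the safe-mode scan and manual-removal advice given in the replies above.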