Endpoint Protection

  • 1.  Virus Found - Left Alone

    Posted Feb 24, 2010 12:31 PM
    Looking at the logs (Monitors>Logs>Risk), I see where Auto-Protect scans and Definition Download scans are noting:  Virus Found (Left Alone).

    In all of my scanning options, none are configured for Leave Alone.

    How do I change the Leave Alone option in the Auto-Protect and Definition Download scans so that they either Delete or Quarantine the viruses found?

    Thanks.
     


  • 2.  RE: Virus Found - Left Alone

    Posted Feb 24, 2010 12:37 PM

    Explanation of Action field values in Symantec Endpoint Protection 11 and Symantec AntiVirus 10.1

     http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006112010562148

    Update virus defs and run a full scan in safe mode.


  • 3.  RE: Virus Found - Left Alone

    Posted Feb 24, 2010 12:53 PM
    Thanks Vikram, but I've already seen the description in the manual.

    What I want to know is how to change the parameters of the scans...doesn't do me any good if it just leaves it alone.

    I have 8000 workstations...not really an option to run a scan in safe mode when I'm getting hundreds of "left alone" messages.


  • 4.  RE: Virus Found - Left Alone

    Posted Feb 24, 2010 01:03 PM
    I understand.
    However, if these messages are on 100-200 machines, that will mean it is an outbreak.

    Left alone is something that cannot be configured. However, it is something that occurs when Antivirus was not able to take any action against it, due to permission (file being on a remote machine or on a flash disk or in a different user's profile, threat installed as server or hooked into winlogon, etc.).
    What you can do is make sure these clients have the latest virus definitions, and then you can initiate a full scan from the SEPM server on these clients.
    If that takes care of it, fine. If not, then you should visit that machine to clean it and patch it with the latest Windows security patches.


  • 5.  RE: Virus Found - Left Alone

    Posted Feb 24, 2010 01:31 PM
    Quoted from the manual referenced above:

    Symantec Endpoint Protection detected a risk but did not take action. This can occur if the first configured action is Leave alone or if the second configured action was Leave alone and the first configured action was not successful.

    What is the meaning of "configured action"? This alludes to the theory that the actions can indeed be configured.

    To take this one step further, if I select a Startup Scan and give users access to modify the scan and then I look at the client on the workstation, I can set the scanning actions... but if I don't let users modify the scan (it then cannot be seen on the client), how would I set the scanning actions?

    It appears that this capability has been omitted from the console.


  • 6.  RE: Virus Found - Left Alone
    Best Answer

    Posted Feb 24, 2010 01:39 PM
    The actions are mainly for File System Auto-Protect and Scheduled for types of threat.
    However, Left Alone is not the default action set for Trojans and Worms.
    It's specified only for security risks, and that too when Quarantine fails.

    You can set the action in SEPM AV policy for auto-protect and Scheduled scan.


  • 7.  RE: Virus Found - Left Alone

    Posted Feb 24, 2010 02:23 PM
    OK, I think I get it...the manual is incorrect.  It states that for the "Left alone" log message, either the 1st configured action is "leave alone" or the 2nd configured action is "leave alone", yet neither action can be configured (for a new definition scan, for example)....and even if the actions are configured (as in a scheduled scan) the log message "Left alone" means that the scanner could not clean, delete, or quarantine the infection -NOT- that it defaulted to the configured action "Leave alone (log only)".

    Thanks for helping me beat my head against the wall.