Expected behavior on scan with cleaning

[j-gray 35]

Looking for clarification in the following scenario:

Workstation (OS X in this case) is flagged with 5 'Unresolved Threats'.  I perform a 'Scan with cleaning', which is configured for strict cleaning.

The scan(s) complete successfully and show 0 infected and 0 cleaned.

I go back to the workstation, which still shows 5 'Unresolved Threats'. One threat had been deleted and two threats were cleaned by deleting prior to the scan. Two are still flagged as Critical with status 'unable to clean' but this was from their detection 5 days earlier.

So in summary, threats were detected; some were handled and some were not at the time of detection. A full scan after detection did not detect anything. Yet the workstation still shows multiple unresolved threats, several critical.

How do we reconcile this and how do we know whether the client is actually infected or clean?

Thank you.

[Marcos 5,070]

First of all, it's necessary to distinguish between active and unresolved threats. While active threats can be removed only by running an on-demand scan from ERA using the In-depth scan profile, threats must be currently resolved manually.

[j-gray 35]

Thanks for the reply.

So I understand (correct me if I'm wrong), that even if a full in-depth scan with cleaning completes successfully and finds nothing, the threats will still not be resolved and I have to go to each workstation and resolve the threats manually. It seems that if a full scan is performed and the system is found to be clean, then all issues should be resolved automatically.

The question then is, how do I know if a system is actually clean? The workstation shows 'Threat Handled = No' and 'Action Error = unable to clean'. But full scan with strict cleaning finds nothing.

I don't really want to mark an item as resolved when it appears to not be handled.

[Marcos 5,070]

3 hours ago, j-gray said:

So I understand (correct me if I'm wrong), that even if a full in-depth scan with cleaning completes successfully and finds nothing, the threats will still not be resolved and I have to go to each workstation and resolve the threats manually. It seems that if a full scan is performed and the system is found to be clean, then all issues should be resolved automatically.

No. To resolve a threat, select it in the ERA console (all or multiple ones can be selected at once) and click "Mark as resolved". This will be done automatically as of ERA v7. Basically the threats should be cleaned after running an in-depth scan with strict cleaning but on Windows it can happen that a threat may remain active in memory until the next computer restart.