j-gray 31 Posted October 22, 2015

I've run in-depth scan and clean jobs on a number of systems and some come back with Active Threats. These all appear to be HTML related threats (ScrInject, Iframe, etc.) that are within a user's browser cache folder.

Each system shows a scan status of "Action selection postponed until scan completion", and 'Threat handled = no' for each detected threat. Reports show that the scans have completed.

From what I can tell, cleaning/removal is postponed until completion, the scan completes, yet no cleaning occurs and threat(s) remain active. I can manually delete these items with no issues; however, I would prefer that ESET handles them.

Can anyone explain exactly what's happening and why the items aren't cleaned? It's not like they're executables or DLLs that are in use or in memory and I'm certain the user with the infection is not logged on at the time of the scan.

Thank you.

j-gray 31 (Author) Posted October 22, 2015

Looking at one specific example, one scan reported the same threat (HTML/Iframe.B.Gen) on the same .htm file in the same location a total of eight times. So it reports 8 active threats even though it's the same file. And I can't figure out why ESET is unable to delete or quarantine a basic .htm file.

We're seeing this behavior on most of our systems that have Active Threats detected. Any help is appreciated.

Marcos 4,713 (Administrators) Posted October 22, 2015

Please schedule a new on-demand scan task and make sure that:

1. In-depth scan profile is selected
2. Strict cleaning mode is used

The thing is that cleaning of potentially unwanted and unsafe applications as well as uncleanable virus detections (e.g. iframe, ScrInject, etc.) requires action selection before cleaning (which is obviously a problem when a scan is run from ERA). With strict cleaning mode everything will be cleaned automatically.

We plan to make a change so that strict cleaning mode is used when you select "Scan with cleaning" from the menu.

bbraunstein 27 Posted October 22, 2015

> We plan to make a change so that strict cleaning mode is used when you select "Scan with cleaning" from the menu.

I gotta tell you, this makes me really happy to hear. The only way this can be implemented properly is if the ERAS pulls the logs like it did in previous versions. That way we can review which files were deleted and what threats are floating around on our networks. Also, it gives file accountability so that Susan in HR can't blame ESET for deleting a file when she just simply forgot to save the damn file.

j-gray 31 (Author) Posted October 22, 2015

So, if I create a new task with 'In-Depth Scan' and 'Scan with Cleaning', it will still not remove these items?

Otherwise, in the New Client Task window, I do not have the option for 'Strict Cleaning'.

Edited October 22, 2015 by j-gray

Marcos 4,713 (Administrators) Posted October 22, 2015

Perhaps the easiest solution would be to:

1. create a policy that will set strict cleaning mode for the In-depth scan profile
2. wait until the policy is applied (agents connect to ERAS in 20-minute intervals by default; however, you can send a wake-up call so that they connect asap)
3. run "Scan with cleaning" from the context menu shown after clicking a group or a particular computer (it fires off a scan using in-depth scan profile settings).

As I wrote, we'll try to find a way to make complete cleaning more straightforward so that you don't have to set strict cleaning mode first.