Endpoint Protection


Autoprotect finding js.alescurf -- just keeps running

  • 1.  Autoprotect finding js.alescurf -- just keeps running

    Posted Apr 01, 2012 01:38 PM

    I use Endpoint Protection on a Windows 7 machine. Autoprotect continues to find and quarantine js.alescurf (in appdata/local/temp), but as soon as it finds one, there are three created. I've used a command window to monitor the subdirectory, and the files just keep popping up.  So autoprotect simply continues to run, quarantining the files; it never stops.  The quarantine folder is huge.

    I've run multiple full system scans, and Symantec finds nothing.  I've run MS Malicious Tool Remover, nothing.  I've run MalwareBytes, nothing.  I've run Power Eraser... nothing.

    Can anyone give me some hints on the best way to deal with this? 



  • 2.  RE: Autoprotect finding js.alescurf -- just keeps running

    Posted Apr 01, 2012 04:29 PM

    It's either coming from some webpage or some remote machine.

    Make sure you have SEP NTP with IPS enabled and Risk Tracer enabled; it will lead you to the source machine.



  • 3.  RE: Autoprotect finding js.alescurf -- just keeps running

    Posted Apr 01, 2012 07:17 PM

    Hi RHR,

    Which version of SEP are you running?  What is that file being detected as, and is it always that same filename?

    Do you have IPS and firewall, or just AV alone?

    Have you tried running a full system scan in safe mode?  Autoprotect alone is not always enough.

    Also: I recommend configuring your client to delete rather than quarantine, if quarantine size is becoming an issue.

    Hope this helps!

    Mick



  • 4.  RE: Autoprotect finding js.alescurf -- just keeps running

    Posted Apr 01, 2012 07:37 PM

    The JS.Alescurf write-up says that

    "JS.Alescurf is a detection for malicious code that can be injected in to vulnerable Internet Web pages."

    http://www.symantec.com/security_response/writeup.jsp?docid=2012-011213-0902-99

    So best to

    - Clear your browser's cache
    - Memorize all the websites you visit and note which one you are on when the detection takes place.
    - Check if your DNS server is affected by the DNSChanger malware: http://www.dns-ok.gov.au/



  • 5.  RE: Autoprotect finding js.alescurf -- just keeps running

    Posted Apr 02, 2012 09:31 AM

    Thanks. I'll give that a try.



  • 6.  RE: Autoprotect finding js.alescurf -- just keeps running

    Broadcom Employee
    Posted Apr 02, 2012 09:32 AM

    Also check if there is a task scheduled around that time.



  • 7.  RE: Autoprotect finding js.alescurf -- just keeps running

    Posted Apr 02, 2012 09:37 AM

    I use both chrome and firefox.  I've cleared the caches via the browsers, plus I've used CCleaner to clear them as well. The problem seems to pop up after 9pm, even if I have no browsers open; so it doesn't appear to be associated with any web site.  I'll check my DNS server.  Thanks.

     

    ETA: MY DNS server is clean.



  • 8.  RE: Autoprotect finding js.alescurf -- just keeps running

    Posted Apr 02, 2012 09:43 AM

    Good idea.  Just checked, nothing.



  • 9.  RE: Autoprotect finding js.alescurf -- just keeps running

    Posted Apr 02, 2012 09:44 AM

    I'm running SEP 11.0.6005.562.  The file name is always something like DWH9C28.tmp in ...\AppData\Local\Temp.   SEP quarantines DWH9C28.tmp and then another file with a similar name pops up immediately.

    Network threat protection is enabled and configured, and I do use firewalls (one s/w and one h/w).  I ran both SEP and MalwareBytes in safe mode.



  • 10.  RE: Autoprotect finding js.alescurf -- just keeps running
    Best Answer

    Posted Apr 02, 2012 10:07 AM

    Hi RHR,

    > DWH9C28.tmp

    If all the file names are like that, then this is not a current infection / outbreak.

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect
    Article: TECH102953  |  Created: 2007-01-19  |  Updated: 2012-02-28
    Article URL: http://www.symantec.com/docs/TECH102953

    DWH***.tmp files are detected in the user profile temp directory.
    Article: TECH92399  |  Created: 2009-01-16  |  Updated: 2012-02-28
    Article URL: http://www.symantec.com/docs/TECH92399

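    The Best Answer above gives a useful triage rule: Auto-Protect hits on DWH&lt;hex&gt;.tmp files in the user's local Temp folder are a by-product of SEP rescanning its own Quarantine after a definitions update, not evidence of a live infection. Below is an added triage script written for this thread; it is not part of the thread, of SEP, or of Symantec's knowledge-base articles. The record format ("timestamp|threat|path|action") and every sample line are constructed for the demo, and the file-name pattern (DWH followed by hex digits, .tmp) is assumed from the example name posted in the thread. It sorts detections into "quarantine-rescan artifact" versus "investigate", requiring both the DWH name and the AppData\Local\Temp location (a DWH-style name elsewhere is still treated as suspicious), and builds an hour-of-day histogram so a nightly cluster can be matched against a scheduled definitions update or scan, which is the check suggested in post 6.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# File-name pattern assumed from the example in the thread: DWH + hex digits + .tmp
DWH_NAME = re.compile(r"^DWH[0-9A-F]+\.tmp$", re.IGNORECASE)

# Constructed detection records for the demo (NOT real SEP log output):
# "timestamp|threat name|file path|action"
SAMPLE_RECORDS = [
    r"2012-04-01 21:04:12|JS.Alescurf|C:\Users\RHR\AppData\Local\Temp\DWH9C28.tmp|Quarantined",
    r"2012-04-01 21:04:13|JS.Alescurf|C:\Users\RHR\AppData\Local\Temp\DWH9C2A.tmp|Quarantined",
    r"2012-04-01 21:04:13|JS.Alescurf|C:\Users\RHR\AppData\Local\Temp\DWH9C2B.tmp|Quarantined",
    r"2012-04-01 21:05:01|JS.Alescurf|C:\Users\RHR\AppData\Local\Temp\DWH9D10.tmp|Quarantined",
    # Same threat name, but a real file in the Downloads folder: not an artifact.
    r"2012-04-01 14:22:40|JS.Alescurf|C:\Users\RHR\Downloads\invoice.js|Quarantined",
    # DWH-style name outside the Temp directory: the name alone is not enough.
    r"2012-04-01 09:15:00|JS.Alescurf|C:\Users\RHR\Desktop\DWH0001.tmp|Quarantined",
]


def parse_record(line: str) -> dict:
    """Split one constructed 'timestamp|threat|path|action' record into fields."""
    ts, threat, path, action = line.split("|")
    return {"time": ts, "threat": threat, "path": path, "action": action}


def in_local_temp(path: str) -> bool:
    """True when the file sits directly in the user's AppData/Local/Temp folder."""
    parts = [p.lower() for p in PureWindowsPath(path).parent.parts]
    return parts[-3:] == ["appdata", "local", "temp"]


def classify_detection(path: str) -> str:
    """Apply the thread's heuristic to one detected file path.

    Both conditions must hold: DWH<hex>.tmp name AND local Temp location.
    """
    if DWH_NAME.match(PureWindowsPath(path).name) and in_local_temp(path):
        return "quarantine-rescan artifact"
    return "investigate"


def triage(lines):
    """Count verdicts and return the paths that still need a human look."""
    verdicts = Counter()
    to_investigate = []
    for rec in map(parse_record, lines):
        verdict = classify_detection(rec["path"])
        verdicts[verdict] += 1
        if verdict == "investigate":
            to_investigate.append(rec["path"])
    return verdicts, to_investigate


def detection_hours(lines) -> Counter:
    """Histogram of detections by hour of day.

    A tight cluster at one hour points at a scheduled job (definitions
    update or scan) rather than at browsing activity.
    """
    return Counter(int(parse_record(line)["time"][11:13]) for line in lines)


if __name__ == "__main__":
    verdicts, leftovers = triage(SAMPLE_RECORDS)
    print("verdicts:", dict(verdicts))
    print("still to investigate:", leftovers)
    print("detections per hour:", dict(detection_hours(SAMPLE_RECORDS)))
```

    Run against a real export, the two "investigate" paths are what a responder would actually look at; the four Temp-folder DWH hits can be explained by the quarantine rescan and, as the Best Answer notes, are better dealt with by emptying or auto-deleting the quarantine than by chasing a source machine.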


  • 11.  RE: Autoprotect finding js.alescurf -- just keeps running

    Posted Apr 02, 2012 02:07 PM

    Yes, this is it!  This makes sense; each time it would run, it took about twice as long. Now the quarantine file is so large that autoprotect eats up all my CPU time.

    Thank you!



  • 12.  RE: Autoprotect finding js.alescurf -- just keeps running

    Posted Apr 03, 2012 04:53 AM

    Later builds improved the way SEP reacts to the situations which cause the DWH detections.  I recommend upgrading now to the SEP 11 RU7 release, and then in a few weeks when RU7 MP2 is available, apply that.  After that there should be either no or very few DWH events.

    Cheers once again for using the forum, RHR! :)



  • 13.  RE: Autoprotect finding js.alescurf -- just keeps running

    Posted Apr 03, 2012 09:22 AM

    I upgraded to 12.1.1000.157 RU1. After doing so, I was able to delete the files in the quarantine folder (I was unable to do so with my previous version) and the problem has resolved.