
Can't Delete Quarantined Files

Created: 24 Aug 2012 • Updated: 24 Aug 2012 | 32 comments

I select all items (1127) and press "Delete":

I waited ~10 minutes!! And I see the same picture after "deletion":

http://img821.imageshack.us/img821/1850/79448616.png


Ashish-Sharma's picture

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine

Delete the CONTENTS of this folder.

Automatically delete quarantine files

https://www-secure.symantec.com/connect/forums/automatically-delete-quarantine-files

How to Manage Quarantined files

http://www.symantec.com/business/support/index?page=content&id=TECH106443

Thanks In Advance

Ashish Sharma

timotv's picture

>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine

OK. Done

>Automatically delete quarantine files

https://www-secure.symantec.com/connect/forums/automatically-delete-quarantine-files

Automatic deletion doesn't work. It is the same problem. I just forgot to mention it.

timotv's picture

I made a small test after successfully deleting the files from C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine. I got Trojan.ADH from an archive. SEP caught it and put it in quarantine. I selected the single item in the SEP Quarantine manager and successfully deleted it. What does it mean?

timotv's picture

I will check automatic deletion of files from quarantine tomorrow:

Ashish-Sharma's picture

Ok and will be update for same..

Thanks In Advance

Ashish Sharma

Ashish-Sharma's picture

I think Automatic Delete is not working on the SEP client basic policy; you can set it in the SEPM server policy.

How to delete Quarantined items from the Symantec Endpoint Protection Manager.
 
 
How to Manage Quarantined files.
 
 
 
Also Try, Configuring automatic clean-up options:

When the client software scans a suspicious file, it places the file in the local Quarantine folder on the infected computer. The Quarantine clean-up feature automatically deletes the files in the Quarantine when they exceed a specified age. The Quarantine clean-up feature automatically deletes the files in the Quarantine when the directory where they are stored reaches a certain size.

You can configure these options using the Antivirus and Antispyware Policy. You can individually configure the number of days to keep repaired, backup, and quarantined files. You can also set the maximum directory size that is allowed before files are automatically removed from the client computer.

You can use one of the settings, or you can use both together. If you set both types of limits, then all files older than the time you have set are purged first. If the size of the directory still exceeds the size limit that you set, then the oldest files are deleted one by one. The files are deleted until the directory size falls below the limit. By default, these options are not enabled.

To configure automatic clean-up options:

  1. On the Antivirus and Antispyware Policy page, click Quarantine.
  2. On the Cleanup tab, under Repaired files, check or uncheck Enable automatic deleting of repaired files.
  3. In the Delete after box, type a value or click an arrow to select the time interval in days.
  4. Check Delete oldest files to fit directory size limit, and then type in the maximum directory size, in megabytes. The default setting is 50 MB.
  5. Under Backup files, check or uncheck Enable automatic delete of backup files.
  6. In the Delete after box, type or click an arrow to select the time interval in days.
  7. Check Delete oldest files to fit directory size limit, and then type the maximum directory size, in megabytes. The default is 50 MB.
  8. Under Quarantined Files, check or uncheck Enable automatic deleting of quarantined files that could not be repaired.
  9. In the Delete after box, type a value or click an arrow to select the time interval in days.
  10. Check Delete oldest files to fit directory size limit, and then type in the maximum directory size, in megabytes. The default is 50 MB.
  11. If you are finished with the configuration for this policy, click OK.

Thanks In Advance

Ashish Sharma

timotv's picture

>I think Automatic Delete is not working on the SEP client basic policy; you can set it in the SEPM server policy.

What does it mean? What are you talking about?

>How to delete Quarantined items from the Symantec Endpoint Protection Manager.

 

The article was created in 2008. Are you kidding? Some of the items from this instruction:

"

2. Click on the Monitors tab on the left pane.

3. Click on the Logs tab at the top of the right pane.

"

- I don't understand what this is about.

Ashish-Sharma's picture

Are you using an unmanaged client?

Thanks In Advance

Ashish Sharma

Ashish-Sharma's picture

Kindly change the registry setting.

Handling Quarantine

Sometimes due to infection the size of the quarantine folder grows huge.

It is not accessible via the GUI. So, to find and change the Quarantine settings for the client:

HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine

Important keys

QuarantinePurgeBySizeEnabled: set it to 1 to enable sizing of the quarantine folder, then

QuarantinePurgeBySizeDirLimit: default value is 50 (megabytes); either leave it at 50 or reduce it as much as you want.

You can also lower the age for purging Quarantine items from the default 30 days to any number of days you want:

QuarantinePurgeAgeLimit: 30 days by default.

Thanks In Advance

Ashish Sharma

timotv's picture

I don't have these keys:

http://img88.imageshack.us/img88/8660/82114446.png

But I found them here:

\HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Quarantine

So what about my problem? How do QuarantinePurgeBySizeEnabled and QuarantinePurgeBySizeDirLimit bear on this case? The major key is QuarantinePurgeAgeLimit.
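
Added example, not part of any post in this thread and not Symantec code: a PowerShell dry run that reads the purge values named above from whichever registry location holds them (native or Wow6432Node) and lists which files the clean-up order quoted earlier in the thread (age limit first, then oldest files until the directory fits the size limit) would remove. The function names are hypothetical, the sample files are constructed, and the script assumes that age is judged by LastWriteTime and that QuarantinePurgeAgeLimit is in days.

```powershell
# Added example (dry run): lists what a purge would remove; deletes nothing. Paths are from this thread.
$keys = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine',
        'HKLM:\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\AV\Quarantine'

function Get-QuarantinePurgeSettings {    # hypothetical helper name
    foreach ($key in $keys) {
        $p = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        # A key can exist without the values, so test for the value itself.
        if ($p -and $null -ne $p.QuarantinePurgeAgeLimit) {
            $size = if ($p.QuarantinePurgeBySizeEnabled -eq 1) { [int]$p.QuarantinePurgeBySizeDirLimit } else { 0 }
            return [pscustomobject]@{ Key = $key; AgeLimitDays = [int]$p.QuarantinePurgeAgeLimit; SizeLimitMB = $size }
        }
    }
}

function Get-PurgePlan {                  # hypothetical helper name
    param([object[]]$Files, [int]$AgeLimitDays, [int]$SizeLimitMB = 0, [datetime]$Now = (Get-Date))
    $cutoff = $Now.AddDays(-$AgeLimitDays)
    $sorted = @($Files | Sort-Object LastWriteTime)   # assumption: age = LastWriteTime
    # Pass 1: every file older than the age limit.
    $plan = @($sorted | Where-Object { $_.LastWriteTime -lt $cutoff } |
        Select-Object Name, Length, @{ n = 'Reason'; e = { 'age' } })
    # Pass 2: oldest survivors, one by one, until the directory fits the limit.
    $keep  = @($sorted | Where-Object { $_.LastWriteTime -ge $cutoff })
    $bytes = ($keep | Measure-Object -Property Length -Sum).Sum
    if ($SizeLimitMB -gt 0) {
        foreach ($f in $keep) {
            if ($bytes -le $SizeLimitMB * 1MB) { break }
            $plan += [pscustomobject]@{ Name = $f.Name; Length = $f.Length; Reason = 'size' }
            $bytes -= $f.Length
        }
    }
    $plan
}

# Constructed sample: 30-day age limit, 50 MB size limit.
$now = [datetime]'2012-08-27'
$sample = @(
    [pscustomobject]@{ Name = 'old.bin'; LastWriteTime = $now.AddDays(-40); Length = 10MB },
    [pscustomobject]@{ Name = 'mid.bin'; LastWriteTime = $now.AddDays(-10); Length = 30MB },
    [pscustomobject]@{ Name = 'new.bin'; LastWriteTime = $now.AddDays(-1);  Length = 30MB }
)
Get-PurgePlan -Files $sample -AgeLimitDays 30 -SizeLimitMB 50 -Now $now

# Live dry run on a client (Vista/7/2008 path from this thread).
$s   = Get-QuarantinePurgeSettings
$dir = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection\Quarantine'
if ($s -and (Test-Path -LiteralPath $dir)) {
    Get-PurgePlan -Files @(Get-ChildItem -LiteralPath $dir -File -Recurse -Force) -AgeLimitDays $s.AgeLimitDays -SizeLimitMB $s.SizeLimitMB
}
```

Files that appear in the plan long after the limits should have removed them indicate that the client's clean-up is not running.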

Ashish-Sharma's picture

 I Will check my system Quarantine setting and will update you.

It seems your system is infected with a virus; please scan your system and

Is your system infected? Symantec tools to help clear an infection

https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection

Yes, you could Either Run the Power Eraser utility OR Symantec Endpoint Recovery Tool.

1. The Power Eraser Tool eliminates deeply embedded and difficult to remove threats that traditional virus scanning doesn't always detect.

2. If you have access to Fileconnect, the SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively. The Consumer version of this tool is the Norton Bootable Recovery Tool.  The tool is free, so there is no need for a Fileconnect account to download the software.

Thanks In Advance

Ashish Sharma

timotv's picture

My system is not infected, that is why I'm here.

I ran the Power Eraser utility. No risks found.

timotv's picture

I've just opened the quarantine and saw that it is empty. It is strange because I put the virus in yesterday, 24.08.2012 14:14:24, and now it is past 23 o'clock. So more than 33 hours have passed!

So I need to test one more time.

I put a virus in quarantine at 25.08.2012 23:17:26. We'll see tomorrow (26.08.2012) ...

Ashish-Sharma's picture

That sounds good; you will test after 30 hours for the same.

Thanks In Advance

Ashish Sharma

timotv's picture

Quarantine was cleared 30 minutes after I set the following option to active:

I activated this option at 21:12 27.08.2012. Then 30 minutes passed and the quarantine was cleared.

Before this moment I had only one active option:

So SEP has a bug.

Ashish-Sharma's picture

Hi,

Thanks for sharing Information,

You can apply this setting to all of your SEP clients.

Thanks In Advance

Ashish Sharma

Ashish-Sharma's picture

HI Timotv,

If any of my comments provided help,

Please don't forget to mark the thread as solved.

Thanks In Advance

Ashish Sharma

Ashish-Sharma's picture

Hi,

Kindly verify how many files exist in Quarantine?

You can select multiple files and delete them; it is deleting.

Many files are available with the same name, so you can understand the files are not deleted in the Quarantine folder.

You can select more files and check that they will be deleted.

Thanks In Advance

Ashish Sharma

Ashish-Sharma's picture

You have done Automatic settings

Please check tomorrow whether it's working or not.

Thanks In Advance

Ashish Sharma

Ashish-Sharma's picture

Have you configured the "Automatically delete quarantine files" settings in the SEPM console?

As per Mudit's snapshot:

https://www-secure.symantec.com/connect/forums/automatically-delete-quarantine-files

Thanks In Advance

Ashish Sharma

timotv's picture

Yes I did. I set to delete after one day:

Mithun Sanghavi's picture

Hello,

What version of SEP 11.x are you running? In case you are running any version below SEP 11.0.RU6, then I would recommend you to migrate to the latest version of SEP 11.0.7101 and above.

Check these Threads with same issue - 

https://www-secure.symantec.com/connect/forums/trojangen2

and would suggest you to work on the steps provided below:

If such detections continue after deleting old .tmp files and updating to SEP 11 RU6a, see the following:

Stop the Symantec service

  • Symantec Endpoint Protection

    • Click Start, then Run
    • Type: smc -stop
    • Click OK

Deleting the files

NOTE: The following instructions are to be done from the Command Prompt as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large amount of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

Open the Command Prompt

  • Click Start, then Run
  • Type: cmd
  • Click OK

Deleting files from User Temp folder

1. Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:

  • For Windows 2000/XP/2003
     DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
  •  For Windows Vista/7/2008
     DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"

2. Deleting the contents of the temp folder at the root of C:\

  • Type the following command in Command Prompt:

    DEL /F /Q C:\temp

3. Deleting the contents of the Windows Temp folder

  • Type the following command in Command Prompt:

    DEL /F /Q C:\WINDOWS\Temp

4. Deleting the contents of the xfer and/or xfer_temp directories

  • Type the following command in Command Prompt:
      • Windows 2000/XP/2003
        DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"

        DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

      • Windows Vista/7/2008
        DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"

        DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

The Quarantine Folder

NOTE: The following instructions are to be done from the Command Prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.

Delete the Quarantine Folder

Type the following commands in the Command Prompt:

  • Windows 2000/XP/2003
    DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

    RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

  • Windows Vista/7/2008
    DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

    RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Recreate the Quarantine Folder

Type the following command in Command Prompt:

  • Windows 2000/XP/2003
    MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
  • Windows Vista/7/2008
    MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Start the Symantec service

  • Click Start, then Run
  • Type: smc -start
  • Click OK

From the SEP-Manager:

- Edit the Antivirus and Antispyware policy of affected clients.
- In the policy editor click "Quarantine" on the left-hand menu.
- On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

timotv's picture

>I would recommend you to Migrate to the Latest Version of SEP 11.0.7101 and above.

I read that the problem with DWH*.tmp in the Temp folder is valid for any version of SEP:


- http://www.symantec.com/connect/forums/generic-tro...

timotv's picture

I'm not sure it is the same. He could not delete files from the directory on the HDD (quarantine folder), but I did it successfully, as I said before.