Endpoint Protection

  • 1.  Delete failed : Quarantine failed : Access denied.

    Posted Mar 22, 2010 03:42 PM

    I'm having a little trouble understanding what to do about this message.  I have clients occasionally getting infected files in their temporary internet files folder.  The actions we have set for everything are Delete, then Quarantine.  The reports we are getting are that the files were "Left Alone".  For example:

    Risk / Risk Type: Trojan.Pidief / Viral
    Action / Source: Left alone / Auto-Protect scan
    File / Entry: C:\Documents and Settings\<username>\Local Settings\Temp\plugtmp-6\plugin-allpdf.php

    There is an associated entry in the Application logs of the system as follows:

    Source: Symantec Antivirus
    Type: Error
    Event ID: 51
    Description:  Security Risk Found!Trojan.Pidief in File: C:\Documents and Settings\mas908\Local Settings\Temp\plugtmp-6\plugin-allpdf.php by: Auto-Protect scan.  Action: Delete failed : Quarantine failed : Access denied.  Action Description: The file was left unchanged.

    As "SYSTEM" has full access to the location of the file, I don't really understand why these things are not being deleted.  Can anyone shed some light on this?
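A parser for the Event ID 51 description quoted above, added here as an example (it is not from the thread or from Symantec): it splits the Action chain into the actions SEP attempted and the trailing reason, so a report script can flag entries where every configured action failed rather than relying on the "Left Alone" summary. The sample lines are constructed from the post; the username is a placeholder and the success wording in the second line is assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples modelled on the Event ID 51 description in the first post.
# The username is a placeholder; the second line's success wording is assumed.
SAMPLE_EVENTS = [
    r"Security Risk Found!Trojan.Pidief in File: C:\Documents and Settings\<username>\Local Settings\Temp\plugtmp-6\plugin-allpdf.php by: Auto-Protect scan.  Action: Delete failed : Quarantine failed : Access denied.  Action Description: The file was left unchanged.",
    r"Security Risk Found!Trojan.Pidief in File: C:\Documents and Settings\<username>\Local Settings\Temp\plugtmp-6\plugin-other.php by: Auto-Protect scan.  Action: Quarantine succeeded.  Action Description: The file was quarantined.",
]

# Field order follows the quoted description; any other layout returns None.
EVENT_RE = re.compile(
    r"Security Risk Found!(?P<risk>.+?) in File: (?P<path>.+?) by: (?P<source>.+?)\.\s+"
    r"Action: (?P<actions>.+?)\.\s+Action Description: (?P<desc>.+?)\.?$"
)
STEP_RE = re.compile(r"^(?P<action>\w+) (?P<outcome>failed|succeeded)$", re.IGNORECASE)

@dataclass
class SavEvent:
    risk: str
    path: str
    source: str
    steps: List[tuple]        # (action, outcome) for each action SEP attempted
    reason: Optional[str]     # trailing text such as "Access denied", if present
    description: str

    @property
    def remediated(self) -> bool:
        """True only if at least one configured action actually succeeded."""
        return any(outcome == "succeeded" for _, outcome in self.steps)

def parse_event(description: str) -> Optional[SavEvent]:
    m = EVENT_RE.match(description.strip())
    if not m:
        return None
    steps, reason = [], None
    for part in m.group("actions").split(" : "):
        s = STEP_RE.match(part.strip())
        if s:
            steps.append((s.group("action").capitalize(), s.group("outcome").lower()))
        else:
            reason = part.strip()  # explains why the preceding steps failed
    return SavEvent(m.group("risk"), m.group("path"), m.group("source"), steps, reason, m.group("desc"))

def left_alone(descriptions: List[str]) -> List[SavEvent]:
    """Events where every configured action failed, i.e. the file was left on disk."""
    parsed = (parse_event(d) for d in descriptions)
    return [e for e in parsed if e is not None and not e.remediated]
```

Feed it the Description field of each Symantec Antivirus Event ID 51 entry exported from the Application log; anything it returns from `left_alone` is a file still worth checking by hand, as post 7 suggests.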


  • 2.  RE: Delete failed : Quarantine failed : Access denied.

    Posted Mar 22, 2010 03:50 PM
    It means no one will be granted access to that file; it will be denied so that Symantec can stop the virus from spreading.

    You set it to log only, right? That's why it's denied now.

    • Leave alone (log only): Denies any access to the file, displays a notification, and logs the event. Use this option to take manual control of how the scan handles a virus.

    You can specify an action for the risk in the Risk Log.

    Explanation of Action field values in Symantec Endpoint Protection 11 and Symantec AntiVirus 10.1

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/16179a5b53c4d21b8825722c00680866?OpenDocument


  • 3.  RE: Delete failed : Quarantine failed : Access denied.

    Posted Mar 22, 2010 03:55 PM
    Hi Dbv147,

    Certain threats have means of "tricking" Windows into denying Auto-Protect access to their files.  A full system scan in safe mode can usually resolve them.

    Just judging by the threat name here: make sure that all of your computers are running Adobe Acrobat reader 9.3.1 (the very latest release).  That threat takes advantage of vulnerabilities in earlier versions.  I also recommend that you ensure IDS is running.  Keeping software up to date, using IDS and AV/AS, setting bloodhound heuristic levels to Maximum, performing periodic scheduled scans... those should keep you pretty secure.

    Please let the forum know if this helps!

    Thanks and best regards,

    Mick


  • 4.  RE: Delete failed : Quarantine failed : Access denied.

    Posted Mar 22, 2010 04:18 PM

    This article is not completely accurate.  As stated above, neither of the configured actions was set to "Leave Alone".  They are set to 1: Delete and 2: Quarantine, and both are failing.


  • 5.  RE: Delete failed : Quarantine failed : Access denied.

    Posted Mar 22, 2010 04:23 PM

    I was hoping that this wouldn't be the case.  This happens quite frequently and I certainly don't have the time to run a safe mode scan each time it occurs.  Most of the time I can simply delete the file by hand.  I just thought that if I can delete it, certainly SEP should be able to delete it.

    EDIT: It just makes my boss very nervous when a report is sent saying that a trojan was "Left Alone" and he wants to know why we're using SEP if it can't delete a file.


  • 6.  RE: Delete failed : Quarantine failed : Access denied.

    Posted Mar 22, 2010 04:40 PM
    SEP is not able to delete it because it is not able to kill the master process to which this file might be hooked.

    For example, if this is hooked to explorer.exe, then you will have to manually kill explorer.exe and delete the file.
    Or you can use the Unlocker tool to delete this file.

    Starting in safe mode restricts 3rd party apps from loading, thus files get deleted easily.


  • 7.  RE: Delete failed : Quarantine failed : Access denied.

    Posted Mar 22, 2010 05:57 PM
    Judging from the type of file (a PHP file, not an executable in and of itself), location (temporary directory), the threat itself (it is looking to exploit an Adobe vulnerability, see link below) and that it was detected by Auto-Protect, my theory is that Auto-Protect actually prevented the file from writing to the drive, therefore it was unable to delete or quarantine it.  Please let me know if you actually see the file noted in the location given.

    http://www.symantec.com/security_response/writeup.jsp?docid=2009-121708-1022-99

    This may help too.

    Title: 'Best Practices for responding to "Left Alone" in the virus or threat history log'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006011308151248

    sandra


  • 8.  RE: Delete failed : Quarantine failed : Access denied.

    Posted Mar 23, 2010 10:36 AM

    The file was there however its size was listed as 0kb and appeared to contain no data.


  • 9.  RE: Delete failed : Quarantine failed : Access denied.

    Posted Jul 08, 2010 10:46 AM
    We've seen two incidents over the past two days in which this pidief.e file has appeared. It was found on one computer in a xfer folder within Symantec and on another computer within the temp file of the user. We watched as incident after incident appeared within the xfer folder and shut the computer down after more than 2100 incidents. We seem to have eradicated it out of that folder via the SEM and another malware product and are now running the same on the other computer. The concern is, it said it had quarantined it, but as we sat there, we watched it just multiply within the quarantine xfer folder. We had already removed this once from the same computer and are concerned that SEM is sending it to quarantine, but not fully removing it from the computer. Thoughts?


  • 10.  RE: Delete failed : Quarantine failed : Access denied.

    Posted Jul 08, 2010 11:04 AM
    That is probably not a legitimate outbreak, but SEP re-detecting its own.  Please see the following thread:

    https://www-secure.symantec.com/connect/forums/summary-monitors-0

    Thanks and best regards,

    Mick