Endpoint - 11.4000.2295 - XFER Tmp File Issue

Hutch's picture

We just completed a 500 PC upgrade from Endpoint MR2 to MR4 to correct some server issues.  The server is now running properly (had a database problem).

We are now seeing a new problem on some of our PC's.  Basically, they start generating Quarantine messages RE: a file with a .TMP extension.  It seems that these .TMP files then multiply...i.e., on a PC that I fixed this morning, it started with 9 items in Quarantine...after 2 hours, it had over 800.

From looking at older versions of Symantec, these .TMP files seem to be generated by the Symantec program itself, and are therefore false positives.

I have had 3 PC's in the past week start to do this.  The only fix I have found is to uninstall the program, delete the client from SEPM, and then re-install.

I would really like to know:

  • Why this is happening??
  • Is Symantec aware of the issue??
  • More importantly, what is the fix (other than reinstalling)??

We had been advised to go from MR2 to MR4 to improve the stability of the server...which it has....but now I seem to have unstable clients.


All client machines are Windows XP with SP2.  They are fully patched (Windows Update). 

Weisman's picture

Same Issue

I have also noticed one MR4 client exhibit the .tmp file detection in the /xfer directory. It occurred after a detection of Trojan.Adclicker. It appears the files were generated during a Full Scan.

Hutch's picture

Continuing to occur

Ok...I am seeing another PC doing this (this is the 5th one).  I may need to open a call with Symantec Support. 

I am seeing the same Trojan you mentioned, which seems to appear when the Weekly Scan is run.  It then generates the same file over and over again, alternating between a "Downloader" risk, and a "Trojan" risk. 

Anyone from Symantec seen this issue??

Weisman's picture

Another issue

I have another client with the same problem now. Both were detections of the Trojan.Adclicker (the only two). I have them both at MR4 SP1. I'd hate to have to call in on this one. I'm going to try and reinstall to see what happens.

-Wayne

rrittenhouse's picture

Same here

I'm having the same issues in the same exact way as everyone else. I am running MR4 and the affected clients are running Windows XP Pro.

Please Symantec, shine some light on this or I'm just going to call support to get the answer.

Jeff K.'s picture

Hello

Symantec?  Any information on this?  I have an XP computer (SEP 11 MR4) that has had SEP delete over 5000 .tmp files from the xfer folder in the last few days.

Weisman's picture

Still having the issue, it seems to be only affecting clients that were infected previously.

Rick Bywalski's picture

Seeing this issue too

I have seen this issue too.  One thought I just had was adding an exclusion for the xfer folder.   My understanding is that Symantec is mistaking the def updates for a virus, and excluding the folder might work around the issue.

anjansarkar83's picture

I am also facing the issue, please help somebody...

Ajitjha's picture

As per my analysis, it is activity of Trojan.Adclicker. You can configure the quarantine files to be deleted after 57 days or simply delete those files.

Not much idea apart from it. Please share if someone has the centralised solution for it.

Regards,
Ajit Jha
Tech Support Engineer
STS

Hutch's picture

Solution

The only option I found that worked was removing Symantec Endpoint from the client PC.  Upon reboot, navigate to Documents & Settings, All Users, Application Data, Symantec, and delete the Symantec Endpoint Folder.

Restart the PC, and then re-install Endpoint.

It is the Trojan.Adclick that causes the issues.  It also appears to be a problem if the client PC was upgraded from an older version, which was the case for all the machines that have the issue at my location.

I had 6 PC's in total that I had to do this on, but since it occurred, have not had one since.  I am guessing that Symantec did something with a later Virus Def file, to correct the problem??

Other than that, no idea on why it happened, or why it suddenly stopped...just that it did.  However, for PC's that were already generating these false positives, the only solution was as mentioned above.

binayak's picture

Hi Ajitjha, I agree with your opinion. It is the Adclick trojan that is causing the problem. However, thanks Hutch for the solution. It would help a lot.

Katyan1's picture

We had the same problem. See this link
http://service1.symantec.com/SUPPORT/ent-security....