
Endpoint Detecting itself

Updated: 02 Mar 2009 | 20 comments
PhilC | 0 votes
Hi All,

I have several machines that are identifying the Symantec 7.5 folder in the documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\xfer folders. It seems to find several thousand Trojans under the various folders. The only way I can remove these is to stop all the services from starting, reboot and then delete from the command line. Then reboot and let Symantec repair itself.

However, within minutes it is off showing viruses back on the machine.

This is with the MP1 version of the code. Has anyone experienced issues like this, and if so, is there a resolution that does not involve rebuilding the machine?

Thanks,
Phil.

Comments

Jod | 23 Apr 2008 | 1 vote (+1)

I have the same issue. Endpoint detects thousands and thousands of Downloader or Trojan.Pdief.C infections in the xfer folder. They are all named some variant of 47xxxxxxxxxx.tmp.
ReuvenC | 08 Jan 2009 | 1 vote (+1)

I'm having the same issue with Endpoint 11 on multiple workstations. It will detect many viruses in the "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer" directory. On one machine it will be listed as Trojan Horse, and as Downloaders on another.

ex: 4963a040.tmp, 4963a07c.tmp, 4963a0cd.tmp, etc. are indicated as being Trojan Horse.

Please let me know if you know as to what this would be related to, since I cannot find a source of infection that would indicate a virus aside from Endpoint.

rwessen | 08 Jan 2009 | 1 vote (+1)

I seem to remember this is fixed in MR4 from reading the release notes....might be an artifact of this same issue.

 

Temp files left over in the 7.5 folder after scans.
Fix ID: 1405018
Symptom: After a scan, Symantec Endpoint Protection does not clean up all temporary files from the "7.5" folder.
Solution: The heuristic scan engine was incorrectly holding on to the temporary files in the 7.5 folder during the scan. Modified the engine to prevent this issue from occurring.

toko | 01 May 2009 | 1 vote (+1)

I'm seeing it on MR4

I don't see it a lot, but I have a machine I'm looking at now and we have MR4

bhawick | 21 May 2009 | 1 vote (+1)

I just started seeing it

We've got about 50% (1,051 computers so far) of our computers detecting a trojan horse in the "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer" directory.

We're running MR4MP1

berwin22 | 26 May 2009 | 1 vote (+1)

cd c:\Documents and Settings\All Users\Application Data\Symantec

OS: windows server 2003 r2 standard editions SP2
Symantec Endpoint Protection V 11.0.3001.224
Definitions May 26 r4

My manager mentioned symantec may scan that folder before it does a version upgrade to ensure nothing in there is going to infect symantec itself.

Plenty of entries like this in the application event log:

Event Type: Error
Event Source: Symantec AntiVirus
Event Category: None
Event ID: 51
Date: 5/25/2009
Time: 10:55:47 PM
User: N/A
Computer:
Description:

Security Risk Found!Downloader.Swif.C in File: c:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\4a175c57.tmp by: Scheduled scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.
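
Added example, not part of the original thread or Symantec's tooling: a Python triage helper that parses Event ID 51 descriptions in the format quoted above and separates re-detections of the product's own temp files (the xfer, 7.5\xfer and SRTSP\Quarantine folders named in this thread) from detections elsewhere. The function names and all sample lines except the first are constructed for illustration.

```python
import re
from collections import Counter

# Description format of the Event ID 51 entry quoted in the thread.
EVENT_RE = re.compile(
    r"Security Risk Found!(?P<risk>.+?) in File: (?P<path>.+?) by: "
    r"(?P<source>.+?)\. +Action: (?P<action>[^.]+)\.")
# Product-owned folders named in the thread (lower-case, backslashes).
SELF_DIRS = ("\\symantec endpoint protection\\xfer\\", "\\7.5\\xfer\\",
             "\\srtsp\\quarantine\\")
# Temp names reported in the thread: hex-named .tmp and DWHxxxx.tmp.
TMP_NAME_RE = re.compile(r"\\(?:[0-9a-f]{8,}|dwh\w+)\.tmp$")


def parse_event(description):
    """Parse one description; flag hits on the product's own temp files."""
    m = EVENT_RE.search(description)
    if not m:
        return None
    event = m.groupdict()
    norm = event["path"].replace("/", "\\").lower()
    event["self_detection"] = (any(d in norm for d in SELF_DIRS)
                               and bool(TMP_NAME_RE.search(norm)))
    return event


def summarize(descriptions):
    """Count self-detections, other detections and unparsed lines."""
    counts = Counter()
    for text in descriptions:
        event = parse_event(text)
        if event is None:
            counts["unparsed"] += 1
        else:
            counts["self_detection" if event["self_detection"] else "other"] += 1
    return counts


# First entry is the one quoted in the thread; the rest are constructed.
SAMPLE = [
    r"Security Risk Found!Downloader.Swif.C in File: c:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\4a175c57.tmp by: Scheduled scan. Action: Quarantine succeeded. Action Description: The file was quarantined successfully.",
    "Security Risk Found!Trojan Horse in File: c:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/xfer/49ee0d13.tmp by: Scheduled scan. Action: Quarantine succeeded.",
    r"Security Risk Found!Trojan Horse in File: c:\Documents and Settings\user1\Desktop\setup.exe by: Scheduled scan. Action: Quarantine succeeded.",
    "Scan started on selected drives.",
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
```

The self_detection count only sizes the re-scan noise on a machine; entries counted as other still need normal investigation.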

Saul Tigh | 27 May 2009 | 1 vote (+1)

Also on MR4

I am running MR4 as well and am seeing this on one computer specifically. Endpoint has found approximately 600 instances on this computer in the c:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/xfer/xxxxxxxx.tmp directory. Client is running XP SP3 and Endpoint v.11.0.4000.2295. 16% of all risk events here are this one machine detecting these generic Trojans in this directory, so need some resolution ASAP. Is this truly a virus or is Endpoint jacked up again? Need some feedback Symantec!

Scott K. | 29 May 2009 | 1 vote (+1)

Also occurs with SEP MR4 MP4

This is still a problem with our MR4 MP4 clients. For example, during last night's scan SEP found 12 "Trojan Horse" or "Downloader." These were all temporary files in c:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/xfer/.

When is Symantec going to fix this major problem?

mwheeler | 11 Jun 2009 | 1 vote (+1)

Problem still in 11.0.4202

Just had a client report more than 10,000 "Trojan Horse" infections... all pointing to the tmp files in the c:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/xfer folder. That's not even the worst one, either. We've had several computers completely fill their HDD until the system just stops responding. Come on Symantec... get this fixed already!

Aeonus | 25 Jun 2009 | 1 vote (+1)

We are experiencing this as well. Very irritating, especially if notifications are set up and the person cannot use the computer as it just loops. Running the latest release versions and maintenance packages.

jsiegel | 10 Jul 2009 | 1 vote (+1)

Same issue for me as well: Work around - Exclude the folder

I'm setting up an exclusion for that folder so that we can get our machine running again. Obviously we should not HAVE to do that, but it's important to have a working system as well.

Katyan1 | 29 Sep 2009 | 1 vote (+1)

spiderboy | 30 Sep 2009 | 0 votes

The fix worked

Thanks for the link, that got me fixed up very quickly

Unit info

Win XP 32bit SEP 11.0.4000.2295
Unit was finding thousands of items in c:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/xfer/

All with names like 49ee0d13.tmp and all are being detected as the Downloader

Serengeti | 17 Nov 2009 | 1 vote (+1)

Note that the issue is not fixed in MR5.

Kamil M | 23 Feb 2010 | 1 vote (+1)

I am having the same problem in RU5 (newest release).

Prashant Thumar | 04 Mar 2010 | 1 vote (+1)

I have the same issue with RU5.

But in my case it is detecting temp files as downloader in the folder:

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\

Anyone, please suggest the solution for this.

Thanks in advance for the solution!

Regards,

Prashant Thumar

Serengeti | 09 Mar 2010 | 1 vote (-1)

Solution

Turn off scanning of quarantine when new definitions are loaded to work around this bug. The problem should not occur again after that.
This setting is redundant in any case.
Delete all the files that are building up in the quarantine.

zer0 | 08 Jun 2010 | 0 votes

This is still an issue in RU6.
Turning off scanning quarantine when new defs arrive does not fix the problem.

Manually deleting files on 1000's of systems is not really a valid solution!!

Any chance this can be fixed, or am I going to have to create a scan exclusion for c:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\?

Z

Aniket Amdekar | 20 Oct 2010 | 1 vote (-1)

Hey Zer0,

This issue is resolved in RU6MP1.

Let us know if that was able to resolve this issue.

Please check the URL below:

https://www-secure.symantec.com/connect/forums/large-amounts-temp-files-are-being-created-xfertmp-or-75xfer-folder-and-are-being-detected-th#comment-4386621

The following bug has been fixed in the latest version:

DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan
Fix ID: 1925607
Symptom: DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan.
Solution: After extracting a quarantined item to a temp file, the file is deleted immediately after it is processed.

(http://www.symantec.com/business/support/index?page=content&id=TECH103087&locale=en_US)

 

Regards,

Aniket Amdekar

Annoyed Customer | 06 Dec 2010 | 0 votes

I would just like to point out that this bug STILL EXISTS in all versions up to and including 11.0.6. I'm a sys-admin and VERY tired of dealing with this, especially because support has repeatedly claimed that this was "fixed in the next version", which they have been telling me for over a year....

I'm absolutely fed up with SEP, and suggesting my employer switches to Nod32 during our next upgrade...