Endpoint Protection Detection of .tmp Files within Symantec Endpoint Protection > xfer Directory as Infected by JS.Alescurf
I have a Dell Studio running Windows 7 64-bit with an older version of Symantec Endpoint Protection (ver. 11.0.5002.333).
Starting about ten days ago, I found as a consequence of a manual scan a reported infection of a number of files which were reported by Symantec Endpoint Protection as being infected by the JS.Alescurf malicious code. The files had names generally of a naming convention "51xxxxxx.tmp" and were located within the directory:
ProgramData > Symantec > Symantec Endpoint Protection > xfer
I usually operate the computer from a lower privileged account. Running the scan in the regular privileged account identified the purported infection, but left the files unchanged.
So I logged onto a privileged account and ran the scan as an Administrator. Endpoint Protection then identified and Quarantined about fifty files that it represented were infected by JS.Alescurf malicious code, all in the xfer directory. (This was last week.)
I have since had several recurrences of the reported infection when I either scan the aforesaid directory OR open that directory and seek to check the properties of one or more of these files.
The appearance of the files in an xfer directory seemed to present either the possibility that Endpoint Protection was detecting its own Antivirus definition files OR that somehow infected files were being presented by an unknown vector within a directory that might somehow infect Endpoint Protection itself, which is particularly concerning.
Last night, I noticed that there was a new accumulation of upwards of 1,000 .tmp files in the xfer directory. I manually ran LiveUpdate from the UNPRIVILEGED account about 3 AM and thereafter noticed that about 270 new files appeared within the xfer directory, suggesting that this was a transfer area for new definitions, etc. The most recent files have names of the form "51babxxx.tmp".
The xfer file now shows 1,607 items, all with dates within the past week. It was completely CLEAR last week after I ran a complete scan of ProgramData.
I ran a new session of LiveUpdate this morning from an Administrator account, which seemed to download some new updates, but no new files seem to appear within xfer. I am in the process of running a new scan now.
I am wondering if anyone has any insight as to whether the xfer directory is a typical vector for exploit by JS.Alescurf or whether there is reason to expect or believe that Endpoint Protection is giving a false positive in respect of files properly transferred to the xfer directory, possibly through the LiveUpdate process. Also, is there a reason files accumulate within this directory? What is the regular process by which files in xfer are deleted if these, in fact, are associated with installation of new AntiVirus Definitions?
Any other suggestions or recommendations for troubleshooting or remediation of a JS.Alescurf infection are appreciated. Endpoint Protection is reporting the successful Quarantine of these files when I run the scan in Administrator mode. Is there anything else I should be doing in respect of a possible JS.Alescurf infection?
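One way to gather the evidence the question is asking about (how many .tmp files are in xfer, when they were created, and whether they are still accumulating after a LiveUpdate run), as an added PowerShell example that is not part of the original post or of Symantec's tooling. It assumes PowerShell 4.0 or later for Get-FileHash and an elevated prompt so the files can be read; the function names and the output file path are mine.

```powershell
# Added example (not from the original post): inventory the SEP xfer directory
# to see when the .tmp files were created and whether new ones keep arriving.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt.
$XferDir = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection\xfer'

function Get-XferInventory {
    param([string]$Path = $XferDir, [string]$Pattern = '*.tmp')
    if (-not (Test-Path -LiteralPath $Path)) { throw "Directory not found: $Path" }
    $files  = @(Get-ChildItem -LiteralPath $Path -Filter $Pattern -File -ErrorAction SilentlyContinue)
    $sorted = @($files | Sort-Object CreationTime)
    [pscustomobject]@{
        Path    = $Path
        Count   = $files.Count
        Oldest  = if ($sorted) { $sorted[0].CreationTime } else { $null }
        Newest  = if ($sorted) { $sorted[-1].CreationTime } else { $null }
        TotalMB = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum / 1MB), 2)
        # Files per creation day: a steady daily trickle points at LiveUpdate
        # staging, a single burst points at something else worth investigating.
        PerDay  = $files | Group-Object { $_.CreationTime.ToString('yyyy-MM-dd') } |
                  Sort-Object Name | Select-Object Name, Count
    }
}

# Hash the newest files so the exact samples can be submitted to the vendor as
# suspected false positives and compared against what a later scan flags.
function Export-XferHashes {
    param([string]$Path = $XferDir,
          [string]$OutFile = (Join-Path $env:TEMP 'xfer-hashes.csv'),  # hypothetical path
          [int]$Newest = 20)
    Get-ChildItem -LiteralPath $Path -Filter '*.tmp' -File |
        Sort-Object CreationTime -Descending | Select-Object -First $Newest |
        ForEach-Object {
            $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
            [pscustomobject]@{ Name = $_.Name; Created = $_.CreationTime
                               Bytes = $_.Length; SHA256 = $h.Hash }
        } | Export-Csv -NoTypeInformation -Path $OutFile
    $OutFile
}

$inv = Get-XferInventory
"$($inv.Count) .tmp files, $($inv.TotalMB) MB, created $($inv.Oldest) .. $($inv.Newest)"
$inv.PerDay | Format-Table -AutoSize
Export-XferHashes
```

Run it once before and once after a manual LiveUpdate; a jump in Count and a new PerDay bucket confirm that LiveUpdate is what populates the directory, and the CSV gives you the hashes to quote when opening a false-positive case with the vendor.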