Endpoint Protection

  • 1.  Entrust TrueDelete Incompatibility with SEP 11

    Posted Oct 13, 2009 12:58 PM


    What appears to be happening is that every time SEP detects a risk in a file and attempts to quarantine it, TrueDelete copies the file before it is deleted and moves it to its temporary directory location.  Symantec then sees that moved file as a new infection, generates another alert for it, and then tries to move it to its own quarantine.  Once started, it keeps looping in this manner, generating hundreds of alerts in an hour.

    I tried exempting the temporary directory that TrueDelete creates in %SYSTEM%\temp\etdeltmp but this action will not stop the alerts from coming in on a machine that is already stuck in the TrueDelete/SEP tug-of-war.  To break the chain I have had to stop and disable the Entrust TrueDelete service.

    The version of SEP that I'm using is 11.0.4202.75.  The version on the TrueDelete executable (Truedel.exe) and dll (etdres.dll) in question is 7.0.0.249.  This TrueDelete version is compatible with Symantec Antivirus CE 10, but not with SEP 11.  

    Does anyone know of a work-around to run SEP 11 and TrueDelete without conflict?


     



  • 2.  RE: Entrust TrueDelete Incompatibility with SEP 11

    Posted Oct 13, 2009 01:01 PM
    It's not just Entrust TrueDelete; the very first rule of antivirus is "You should not have 2 antivirus programs running on the same computer".
    Even if you have 2 antivirus on the same computer, "only one should be doing the real-time virus protection".
    Otherwise you will have these conflicts, as all antivirus have different signatures, and an antivirus doesn't know that you are using another AV on this system, so it will treat it as malicious activity and block or try to supersede the other AV.


  • 3.  RE: Entrust TrueDelete Incompatibility with SEP 11

    Posted Oct 13, 2009 01:49 PM
    Entrust TrueDelete is not an antivirus solution.  Its sole purpose is to wipe files out completely by overwriting them multiple times with random and/or patterned data to prevent someone from undeleting or otherwise recovering them.


  • 4.  RE: Entrust TrueDelete Incompatibility with SEP 11

    Posted Oct 13, 2009 02:20 PM
    Hmm... I guess there would be some option within this utility for such actions, like if the file is being deleted by rtvscan.exe then leave it alone.

    You might have to call Entrust support to see what options they have for this issue.

    Is it only with SEP you are facing this issue or have you tried with any other AV?


  • 5.  RE: Entrust TrueDelete Incompatibility with SEP 11

    Posted Oct 13, 2009 02:41 PM
    It's just with SEP 11 that I've noticed problems.  It seems to have been designed to work with Symantec AV CE 10 without this same issue.

    I'm waiting on a response back from Entrust as well on the issue.  I was just curious to see if anyone else had a solution to the problem.

    On a side note, the alerts being generated from my management server are coming in batches every hour, starting from the time the computer was turned on this morning about 5 hours ago.  Each batch of "Risk Outbreak" type alerts has about 14-18 emails with 6-9 instances of detections mentioned in each of them.  At the end of each batch is a Single Risk Detection alert.  The TrueDelete service has been disabled as of three hours ago, yet the alerts keep coming in.  Perhaps there is a queue of alerts on the client that is backed up?

    Thanks for your help so far Vikram.
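
The re-quarantine loop described in the first post, and the hourly alert batches in the last one, can be confirmed from detection records rather than from the e-mail alerts. The following is an added example, not code from the thread, Symantec or Entrust: it flags host/risk pairs where a detection elsewhere on disk is followed by repeated detections inside the TrueDelete temp folder. The row layout, host names, risk name and file names are constructed assumptions; only the `temp\etdeltmp` folder comes from the thread.

```python
from collections import defaultdict
from datetime import datetime

# From the thread: TrueDelete's temp folder is %SYSTEM%\temp\etdeltmp.
TEMP_DIR_MARKER = "\\temp\\etdeltmp\\"
FMT = "%Y-%m-%d %H:%M:%S"
T = r"C:\WINDOWS\system32\temp\etdeltmp" + "\\"  # constructed expansion of %SYSTEM%

# Constructed rows: (time, host, risk, path). Not a real SEP export layout.
SAMPLE_ROWS = [
    ("2009-10-13 08:01:10", "WS-014", "Constructed.Risk.A", r"C:\Docs\sample.bin"),
    ("2009-10-13 08:01:12", "WS-014", "Constructed.Risk.A", T + "a1.tmp"),
    ("2009-10-13 08:01:15", "WS-014", "Constructed.Risk.A", T + "a2.tmp"),
    ("2009-10-13 08:01:19", "WS-014", "Constructed.Risk.A", T + "a3.tmp"),
    ("2009-10-13 09:01:11", "WS-014", "Constructed.Risk.A", T + "a4.tmp"),
    ("2009-10-13 09:01:14", "WS-014", "Constructed.Risk.A", T + "a5.tmp"),
    ("2009-10-13 08:30:00", "WS-020", "Constructed.Risk.A", r"C:\Docs\other.bin"),
    ("2009-10-13 10:00:00", "WS-031", "Constructed.Risk.B", r"C:\Docs\third.bin"),
    ("2009-10-13 10:00:02", "WS-031", "Constructed.Risk.B", T + "b1.tmp"),
]

def in_temp(path):
    """True if the detected file sits in the TrueDelete temp folder."""
    return TEMP_DIR_MARKER in path.lower()

def find_requarantine_loops(rows, min_hits=3):
    """Map (host, risk) -> loop summary when an original detection is
    followed by at least min_hits detections inside the temp folder."""
    by_key = defaultdict(list)
    for ts, host, risk, path in rows:
        by_key[(host, risk)].append((datetime.strptime(ts, FMT), path))
    loops = {}
    for key, events in by_key.items():
        events.sort()
        origin = next(((t, p) for t, p in events if not in_temp(p)), None)
        if origin is None:
            continue  # nothing outside the temp folder: not the pattern in the thread
        temp_times = [t for t, p in events if in_temp(p) and t >= origin[0]]
        if len(temp_times) < min_hits:
            continue
        per_hour = defaultdict(int)  # batch size per clock hour
        for t in temp_times:
            per_hour[t.strftime("%Y-%m-%d %H:00")] += 1
        loops[key] = {"origin": origin[1], "temp_hits": len(temp_times),
                      "per_hour": dict(per_hour)}
    return loops

if __name__ == "__main__":
    for key, info in find_requarantine_loops(SAMPLE_ROWS).items():
        print(key, info)
```

A host that keeps appearing in the result after the TrueDelete service is disabled, with timestamps that predate the change, points to backlogged events rather than new detections.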