
False Positives, CRITICAL: NETWORK VIRUS DETECTED

Updated: 18 Sep 2010 | 4 comments
nfcadmin

I have been getting many emails from the SEP server with the subject  "CRITICAL: NETWORK VIRUS DETECTED".  It always shows that a "Trojan Horse - Viral" is the Risk Type.  The problem is that these warnings are all false positives - SEP is detecting its own virus definition update files as a risk!  Look at the following folders/files: 

c:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\
c:\Documents and Settings\johnsmith\Local Settings\Temp\DWH6FDC.tmp

Those are from 2 of the supposed "Trojan Horse" warnings.  If I add these folder locations into a Centralized Exception Policy so that they aren't scanned, then the warnings stop.  Why should I have to exclude SEP's own folders from being scanned, and why is this happening in the first place?
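A small triage helper, added here as an example and not code from the thread or from Symantec: it labels alert records whose detected path lies under the SEP xfer folder quoted above, or that are a DWH*.tmp file inside a Temp folder like the second example, as likely self-detections of definition-update files, so they can be reviewed separately from real hits before any Centralized Exception is created. The alert record format, the file name inside the xfer folder and the third sample alert are constructed.

```python
import ntpath
import re
from collections import Counter

# Folder the original post reports SEP detecting its own update files in.
SEP_XFER_DIRS = (
    r"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer",
)
# The Temp example in the thread is a DWH....tmp file; only match that name inside a Temp folder.
DWH_TMP = re.compile(r"^dwh[0-9a-f]+\.tmp$", re.IGNORECASE)


def _norm(path):
    """Normalise a Windows path for case-insensitive prefix comparison."""
    return ntpath.normpath(path).lower().rstrip("\\")


def is_under(path, parent):
    """True if path equals parent or lies somewhere below it."""
    p, d = _norm(path), _norm(parent)
    return p == d or p.startswith(d + "\\")


def classify(alert):
    """Label one alert: 'sep-staging' for SEP's own update files, else 'needs-review'."""
    path = alert["path"]
    if any(is_under(path, d) for d in SEP_XFER_DIRS):
        return "sep-staging"
    head, name = ntpath.split(path)
    if DWH_TMP.match(name) and _norm(head).endswith("\\temp"):
        return "sep-staging"
    return "needs-review"


def triage(alerts):
    """Count alerts per label and list the folders an exception would have to cover."""
    counts = Counter(classify(a) for a in alerts)
    folders = sorted({ntpath.dirname(_norm(a["path"])) for a in alerts if classify(a) == "sep-staging"})
    return counts, folders


# Constructed sample alerts: the two locations quoted in the thread plus one unrelated hit.
SAMPLE_ALERTS = [
    {"risk": "Trojan Horse", "path": SEP_XFER_DIRS[0] + r"\DWH4A1B.tmp"},
    {"risk": "Trojan Horse", "path": r"c:\Documents and Settings\johnsmith\Local Settings\Temp\DWH6FDC.tmp"},
    {"risk": "Trojan Horse", "path": r"C:\Documents and Settings\johnsmith\Desktop\invoice.exe"},
]

if __name__ == "__main__":
    counts, folders = triage(SAMPLE_ALERTS)
    print(dict(counts))
    print("\n".join(folders))
```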


Comments

Rafeeq, 03 Mar 2010

Hi,

Follow this document:

Large amounts of temp files are being created in the xfer_tmp or 7.5/xfer folder and are being detected as threats.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548

Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq

Mobiustrip, 15 Mar 2010

Same issue here...

... the article above does NOT explain or solve the issue, it is only a temporary fix. Why would SEP detect malware in its own xfer folder if indeed that's what it's doing? I had a machine with 250,000 tmp files in the xfer folder!

Mick2009, 16 Mar 2010

Will Be Fixed in a Future Release of SEP 11

Hi Nfcadmin and Mobiustrip,

In certain rare conditions this behavior can occur. Symantec engineers are investigating and code changes are forthcoming that will prevent this from happening.

In the meantime, make sure that your SEPM and SEP clients are running the current release (RU5) and please do try the steps recommended by Rafeeq above.

Thanks and best regards,

Mick

Mobiustrip, 16 Mar 2010

Conditions are becoming less rare...

I now have 5 workstations exhibiting this same behavior.

I will update to the new release and thanks for your quick, but admittedly vague, response Mick.

I have copied Nfcadmin's example and created a centralized exception to the xfer folder.  Now I shall go about the ugly task of deleting the quarter million .tmp files in the all users xfer folder.