Endpoint Protection Small Business Edition

  • 1.  Idea - SEP SBE - needed fix

    Posted Aug 25, 2012 04:34 AM

    Struggling today with SEP SBE 12.1.  Seems XP has indexed some file in a temp folder and SEP keeps grabbing the DWH####.tmp version of it and scanning it, tossing it back in the quarantine.  The file replicates due to indexing and we're in a loop. 

    SEP should provide a failsafe/fallback.  If the user has cancelled a scan 3 times, SEP should be commanded to stop.  Stop so that remediation can be invoked.  As it is now, it won't and sooner or later hundreds if not thousands of files are recreated - which have to be scanned again, quarantined again and so it continues.

    On phone with tech support.  We are unable to clear the temp file because we can't find it.  Having the scan continue on and on bogs down the machine making remediation 10-20 times more difficult.

    That's it.  Give the user a shot, Symantec people, otherwise we're going to continue to spend hours with your fine staff on the phone.

    H



  • 2.  RE: Idea - SEP SBE - needed fix

    Posted Aug 25, 2012 05:07 AM

    Hello,

    This issue seems to be resolved, as I haven't come across any such cases with Symantec Endpoint Protection 12.1 detecting DWH###.TMP files.

    Were these SEP 12.1 clients upgraded from SEP 11?

    http://www.symantec.com/docs/HOWTO55365

    The above article speaks on how to clear disk space before upgrading from SEP 11 to SEP 12.1.

    The actual cause was with SEP 11, where the files were created by the Symantec Endpoint Protection or Symantec AntiVirus Quarantine scan. This scan is normally initiated by a virus definition update.

    The quarantine scan on virus definition update can be disabled: edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".

    Check this thread on the same problem:

    https://www-secure.symantec.com/connect/forums/sep-121-and-dwhtmp-files-0



  • 3.  RE: Idea - SEP SBE - needed fix

    Posted Aug 25, 2012 10:42 AM

    Hi thank you for the response.

    This is an initial install starting with 12.1.  This is an unmanaged client, so the HOWTO link is to the SEPM, not my case.

    I will have to check the GUI - I'm not sure there is the same interface on the unmanaged client.

    There still should be a way to disable/suppress this scanning.

    H




  • 5.  RE: Idea - SEP SBE - needed fix

    Broadcom Employee
    Posted Aug 25, 2012 11:26 AM

    If it is about DWH files, then maybe you can test the beta for SEP 12.1 RU2.



  • 6.  RE: Idea - SEP SBE - needed fix

    Posted Aug 26, 2012 09:59 PM

    This is a production environment.  I'm leery of beta software when money is on the line. 

    We've launched the SERT.  We're letting it scan and clean just to be sure there isn't REALLY a bad guy at work.

    I do wonder where/if anyone finds the same "Don't scan quarantine when LiveUpdate runs" setting in the unmanaged SEP client 12.1...

    H



  • 7.  RE: Idea - SEP SBE - needed fix

    Posted Aug 26, 2012 10:13 PM

    Hi.

    I think this feature is not available in the unmanaged client.

    If you want more information, you can raise a support ticket.

    http://www.symantec.com/support/assistance_care.jsp



  • 8.  RE: Idea - SEP SBE - needed fix

    Posted Aug 26, 2012 11:11 PM

    Ashish - I already have a ticket open.   We worked on this for a good 3 hours the other evening.  Finally, the rep and I were both tired of dealing with this.  He thought there might be a bad guy roaming around inside so we executed the SERT scan the next morning.  I will be able to check the system tomorrow as it is the weekend and the business is closed.  I do see from the very long thread that this has indeed been a problem for Symantec users since way back.  My main purpose of posting here was to generate some interest by the engineers to perhaps put in a "break point" - to stop the continuous scan which in my case brings the machine to its knees and makes it unusable.  Users are not going to be comfortable typing in terse commands (smc -stop and so forth).

    There are some procedures contained in your refs that other folks tried and that we have already tried.  Too bad they didn't see fit to include the "don't scan the quarantine after a definition update" in the unmanaged client version of this.

    To me, clearly this calls for a more permanent fix.  I wish I had one at this point...

    H



  • 9.  RE: Idea - SEP SBE - needed fix

    Posted Aug 27, 2012 04:14 PM

    OK, folks - here's what worked on my problem.  You have to get rid of every .tmp file not only from the file system but the quarantine(s).  Yes, that's plural.  Read on...

    First off, the SERT scan turned up zero infections.  So put that aside.

    Now, there is a folder (on my unmanaged client system) at:  C:\Doc&Sett\AllUsers\AppData\Sym\SEP\12.1.1101.401.105\SRTSP\Quarantine.  This folder is different than the folder we were focusing on and cleaning out earlier at:  C:\Doc&Sett\AllUsers\AppData\Sym\SEP\12.1.1101.401.105\Data\Quarantine.  Searching in Windows Explorer did not reveal the first folder above nor any of its contents.  It only showed us the second folder and thus we only cleaned out the second folder above.  How'd I get to that first folder? 

    I got lucky and guessed there were more files hidden.  Yes, I had already exposed all files in normal Windows.  But, I loaded up a copy of a LiveCD which contains a stripped down (PE) version of XP.  XP runs from this CD and a small RAM-drive.  In XP_PE, execute the search again for *.tmp.  Wowweee.  BAM!  There were thousands and thousands of .tmp files in the first folder.  They were so numerous, I could not select them all nor could I delete the "quarantine folder" itself because of lack of operating space the mini-copy of XP provides.  So, I deleted them 2K-3K at a time.  That's right, 2-3 thousand files at a time.  This took about 20 minutes to complete expunging 2 GB+ of files.

    OK, remove CD, shut down, reboot from HDD for a normal Windows load.  Desktop, launch smc -start, the GUI arrives and -bingo- no scanning!  I just checked it and it's running beautifully.

    Look for this folder people.  Make sure you know it exists and how to get at it to treat it.

    Herbo
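A scripted version of the clean-up Herbo describes, written as an added example for this page; it is not part of the thread and not Symantec tooling. It counts the .tmp files in both quarantine folders (the `Data\Quarantine` folder everyone cleaned first and the `SRTSP\Quarantine` folder Explorer never showed), stops the client, deletes the files in batches of a fixed size, and restarts the client. Assumptions, as labelled in the comments: the abbreviated paths in the post expand to the standard XP "All Users" application-data location with the version folder the post names, and `smc.exe` lives in the default install directory. `-Force` is what makes `Get-ChildItem` list the hidden/system files a default Explorer search skips, which is the same visibility gap the poster hit. Only `Where-Object`/`PSIsContainer` is used to filter files, so the script runs on PowerShell 2.0, the newest version available on XP. If the files are locked or invisible from the running OS, boot offline as the post did and point `-SepBase` at the mounted system volume. Run it with `-WhatIf` first, and only after an independent scan (the poster used SERT) has shown the quarantine holds nothing but the looping DWH artifacts: deleting quarantine contents discards them permanently.

```powershell
# Added example: purge looping DWH*.tmp quarantine files from an unmanaged
# SEP 12.1 client. Not Symantec's code; paths below are assumptions.
param(
    # ASSUMPTION: the post's "C:\Doc&Sett\AllUsers\AppData\Sym\SEP\<ver>"
    # is the standard XP All Users profile plus the version folder it names.
    [string]$SepBase = 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.1101.401.105',
    # ASSUMPTION: default SEP client install location for smc.exe.
    [string]$Smc = 'C:\Program Files\Symantec\Symantec Endpoint Protection\smc.exe',
    [int]$BatchSize = 2000,   # the post deleted 2-3 thousand at a time
    [switch]$WhatIf           # report only, delete nothing
)

# Both quarantine folders named in the post. Explorer only showed the first.
$quarantineDirs = @(
    (Join-Path $SepBase 'Data\Quarantine'),
    (Join-Path $SepBase 'SRTSP\Quarantine')
)

function Get-TmpFiles([string]$Dir) {
    # -Force includes hidden and system files; PS 2.0 has no -File switch,
    # so directories are filtered out with PSIsContainer.
    @(Get-ChildItem -LiteralPath $Dir -Filter '*.tmp' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })
}

# 1. Inventory first, so the scope is known before anything is removed.
foreach ($dir in $quarantineDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Not found: $dir"; continue }
    $files = Get-TmpFiles $dir
    $bytes = 0
    if ($files.Count -gt 0) { $bytes = ($files | Measure-Object -Property Length -Sum).Sum }
    Write-Host ("{0}: {1} .tmp files, {2:N1} MB" -f $dir, $files.Count, ($bytes / 1MB))
}

if ($WhatIf) { Write-Host 'WhatIf set: no files deleted.'; return }

# 2. Stop the client before deleting from the live OS. smc -stop may prompt
#    for the client password if one is configured. Skipped when smc.exe is
#    absent, e.g. when running from a PE boot against the mounted drive.
$clientStopped = $false
if (Test-Path -LiteralPath $Smc) {
    & $Smc -stop
    Start-Sleep -Seconds 10
    $clientStopped = $true
}

# 3. Delete in fixed-size batches so a low-memory environment (the post's
#    RAM-drive PE boot) is not asked to hold or select every file at once.
$removed = 0
foreach ($dir in $quarantineDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $files = Get-TmpFiles $dir
    for ($i = 0; $i -lt $files.Count; $i += $BatchSize) {
        $end   = [Math]::Min($i + $BatchSize, $files.Count) - 1
        $batch = @($files[$i..$end])
        $batch | Remove-Item -Force -ErrorAction Continue
        $removed += $batch.Count
        Write-Host ("Deleted {0}/{1} in {2}" -f ($end + 1), $files.Count, $dir)
    }
}
Write-Host ("Total removed: {0}" -f $removed)

# 4. Restart the client (the post's "smc -start") and confirm no scan loop.
if ($clientStopped) { & $Smc -start }
```

After the restart, repeat the inventory step a few minutes later: if the `.tmp` counts start climbing again, the loop is still being fed and the cause (the quarantine rescan on definition update, which the unmanaged client exposes no switch for) has not been addressed, so a support ticket is still the right next step.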