Endpoint Protection

  • 1.  Increase in Quarantine files

    Posted May 04, 2012 02:25 AM

    Hi,

    When we checked our risk summary we found that in the past 3 weeks the quarantined files are showing in high numbers, like 1000+.

    What may be the possible reason? Is there any major virus breakdown in the network?

    How do we find out if there is any virus spread in the network?



  • 2.  RE: Increase in Quarantine files

    Broadcom Employee
    Posted May 04, 2012 02:33 AM

    You can check the Risk log on SEPM and identify the threat that has been detected.

    Best practices for troubleshooting viruses on a network
    http://www.symantec.com/business/support/index?page=content&id=TECH122466
    http://www.symantec.com/business/theme.jsp?themeid=stopping_malware&depthpath=0
     



  • 3.  RE: Increase in Quarantine files

    Posted May 04, 2012 03:06 AM

    Post some screenshots of the quarantine folder.

    It could be the trojan DWH*.tmp files. Not an actual trojan. Check the SEP version of the server and the clients and post it here.



  • 4.  RE: Increase in Quarantine files

    Trusted Advisor
    Posted May 07, 2012 09:11 AM

    Hello,

    Would it be possible for you to export the Risk Logs and upload them to us?

    That would give us insight into the issue.

    As per the description, the symptoms look like what "mon_raralio" suggested above.

    Again, what version of SEP 12.1 are you carrying?

    If these files are DWH*.tmp files, then check this article:

    When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

    http://www.symantec.com/docs/TECH102953

    Make sure you are carrying the latest version of SEP 11.x / SEP 12.1 on your machines; see: What are the Symantec Endpoint Protection (SEP) versions released officially?

    The quarantine scan on virus definition update can be disabled: Edit Antivirus and Antispyware policy > Windows Settings > Quarantine > General, under "When New Virus Definitions Arrive" choose "Do nothing".

    Hope that helps!!

     



  • 5.  RE: Increase in Quarantine files

    Posted May 08, 2012 12:40 AM

    Hi,

    We are using SEP 12.1 RU1. I will upload the risk logs here.



  • 6.  RE: Increase in Quarantine files

    Posted May 08, 2012 01:00 AM

    Please find the risk logs.



  • 7.  RE: Increase in Quarantine files

    Broadcom Employee
    Posted May 08, 2012 02:22 AM

    Those tmp files are detected as Downadup. Check this link to the article "Simple steps to protect yourself from the Conficker Worm":

    http://www.symantec.com/docs/TECH93179
     



  • 8.  RE: Increase in Quarantine files

    Trusted Advisor
    Posted May 08, 2012 03:12 PM

    Hello,

    As per the logs, we found that you are carrying infections of W32.Downadup.B and W32.Sality.AE.

    I have attached the list of the source machines; please check those machines, as they seem to be the source of all threats.

    Check the threads and articles provided below for troubleshooting, along with a plan of action to deal with the issue:

    https://www-secure.symantec.com/connect/forums/w32downadupb-5

    https://www-secure.symantec.com/connect/forums/getting-exe-error-win32-sality

    Hope that helps!!

    Attachment(s): Source machines.xls (182 KB), Source machines.xlsx (51 KB)
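The thread turns on one distinction: detections on DWH*.tmp files are artifacts of the quarantine rescan that runs when new definitions arrive (article TECH102953 cited in post 4), while detections on other paths point at live infections whose source machines need attention (post 8). The script below is an added example written for this page; it is not part of the thread and not a Symantec tool. It parses a constructed CSV risk-log export, separates rescan artifacts from live detections per threat name, and tallies the source computers behind the live ones. The column names (`Source Computer`, `Risk Name`, `File Path`) and every row are assumptions; a real SEPM export will need the column names adjusted.

```python
import csv
import fnmatch
import io
import ntpath
from collections import Counter, defaultdict

# Constructed sample of an exported SEPM risk log in CSV form. The column
# names and every value below are assumptions made for this example; they
# are not the real SEPM export header or the data from the thread.
SAMPLE_RISK_LOG = r"""
Event Time,Computer Name,Source Computer,Risk Name,File Path,Action
2012-05-01 09:12:03,WS-017,WS-017,W32.Downadup.B,C:\ProgramData\Symantec\Quarantine\DWH4F2A.tmp,Quarantined
2012-05-01 09:12:05,WS-017,WS-017,W32.Downadup.B,C:\ProgramData\Symantec\Quarantine\DWH4F2B.tmp,Quarantined
2012-05-01 10:40:11,WS-042,WS-017,W32.Downadup.B,C:\Temp\sample_a.exe,Quarantined
2012-05-02 08:03:54,WS-042,WS-017,W32.Downadup.B,E:\autorun.inf,Quarantined
2012-05-02 11:15:20,WS-103,WS-103,W32.Sality.AE,C:\Temp\sample_b.exe,Quarantined
2012-05-03 07:58:02,WS-088,WS-088,W32.Sality.AE,C:\ProgramData\Symantec\Quarantine\DWH91C0.tmp,Quarantined
2012-05-03 12:21:47,WS-088,WS-103,W32.Sality.AE,C:\Temp\sample_c.exe,Quarantined
"""

# Quarantine rescan artifacts as described in Symantec article TECH102953:
# DWH<hex>.tmp files written while quarantined items are rescanned after a
# definitions update. Matched case-insensitively on the file name only.
RESCAN_GLOB = "dwh*.tmp"


def parse_risk_log(text):
    """Parse a CSV risk-log export into a list of row dicts keyed by header."""
    return list(csv.DictReader(io.StringIO(text.strip())))


def is_quarantine_rescan(file_path):
    """True when the detected file is a DWH*.tmp quarantine rescan artifact."""
    # ntpath handles Windows-style paths regardless of the host OS.
    name = ntpath.basename(file_path).lower()
    return fnmatch.fnmatchcase(name, RESCAN_GLOB)


def triage(rows):
    """Split detections into rescan noise vs live hits, per threat and per source.

    Returns {"by_threat": {risk: {"rescan": n, "live": n}},
             "live_sources": {source_computer: live_detection_count}}.
    Only live detections count toward the source-machine tally, so a host
    that appears solely through DWH rescans is not flagged as a source.
    """
    by_threat = defaultdict(lambda: {"rescan": 0, "live": 0})
    live_sources = Counter()
    for row in rows:
        bucket = "rescan" if is_quarantine_rescan(row["File Path"]) else "live"
        by_threat[row["Risk Name"]][bucket] += 1
        if bucket == "live":
            live_sources[row["Source Computer"]] += 1
    return {"by_threat": dict(by_threat), "live_sources": dict(live_sources)}


def report(text=SAMPLE_RISK_LOG):
    """Parse and triage one export; defaults to the constructed sample."""
    return triage(parse_risk_log(text))


if __name__ == "__main__":
    result = report()
    for threat, counts in sorted(result["by_threat"].items()):
        print(f"{threat}: {counts['live']} live, {counts['rescan']} DWH rescan")
    print("Source machines behind live detections:", result["live_sources"])
```

If every detection for a threat lands in the rescan bucket, the quarantine setting change from post 4 ("When New Virus Definitions Arrive" set to "Do nothing") is the fix; any live count, as with both threats in the sample, is the cue to pull the listed source machines off the network for cleanup per the articles linked in posts 7 and 8.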