Out of the Frying Pan and Into the Fire -- Accumulation of .tmp Files in the DefWatch.DWH Directory
On Friday, I posted a query relating to the accumulation of .tmp files within the xfer directory and the identification of these files as being infected by the JS.Alescurf malicious code.
Several responded to my post identifying articles about similar problems with the suggestion that I should upgrade my version of EP to ver 12.1, etc.
I read the references and followed the suggestions, subsequently posting some updates about my progress. I upgraded to ver. 12.1. I downloaded all updates to definitions and ran a complete scan of the C: drive, which identified a single file in the DefWatch.DWH directory as being infected. This much, I related in a follow up post.
Sunday morning, things went from bad to worse. When I restarted my Dell laptop from hibernation, I began to get new reports of infection by the JS.Alescurf malicious code within this directory.
I have some meticulous notes about my experiences over the past 30 hours which are only abstracted in this post. I will post some additional details in a follow up.
The most important thing to relate is that there seems to persist some problem with accumulation of .tmp files which are detected as being infected, albeit in a new directory.
Overall, I have come to the tentative conclusion that the files are NOT, in fact, infected but rather are being falsely REPORTED as being infected due to some unresolved BUG in the Symantec software.
Amongst the bizarre behavior I experienced was EP continuing to report that it was finding and Quarantining files purported to be from this directory even AFTER all of the files were completely DELETED from this directory and there were NO FILES remaining in this directory at all.
In fact, I believe that the bug involves some sort of circular problem with EP identifying a file as infected, reporting such file as "Pending Analysis" or Quarantined and then rediscovering the very same file within its Quarantine and reporting it again. Alternatively, or possibly in combination with this, EP seems to be detecting its own downloaded Virus definition files as being infected.
One reason to suspect the latter is that I began receiving a new set of messages regarding possible infections Sunday night at about 10:45 right after LiveUpdate downloaded and installed new virus definitions.
I am NOT talking about just a few files. My system, which was reported to be free of malicious code on Saturday after installation of the newer version of EP, had identified for remediation almost 3,100 files, ALL in the DefWatch.DWH directory, by 3:49 AM this morning, but it wasn't through yet.
To assure that I wasn't receiving any newly infected files (or EP Virus Definition files) while I continued to troubleshoot and remediate this problem, I disconnected from the Internet by physically disabling the WIFI on my system. Even so, NEW files continued to appear within the DefWatch.DWH directory faster than the computer was able to Quarantine these files.
For this reason, finally at about 3:50 AM, I went into the Command window, maneuvered to the DefWatch.DWH directory and manually DELETED ALL the .tmp and .js files (one) in that directory. Even so, EP continued to both identify and assert that it was Quarantining .tmp files from this directory even though both a Dir command from the Command window and viewing this directory using Explorer showed that there were no remaining files there.
By about 10:15 this morning, I had received a total of 3,532 file notifications from EP ALL asserting that it was Quarantining files (or marking them "Pending Analysis") since Sunday morning. EP continued to report and Quarantine about 1 new infection per minute for more than six hours after ALL of the files in this directory had been deleted.
Finally, I simply re-started the machine. When it came back up, I was presented with an EP alert window, but NO FILES were identified as infected.
I ran an Active Scan of the computer. NO FILES were identified in this abbreviated scan.
Then I logged off completely and logged back on under an Administrator account and ran another Active Scan under that administrator account with similar results. Next, I ran a scan of the ProgramData directory, which also detected no infections.
Thereafter, I reconnected to the Internet and ran LiveUpdate to obtain the latest AntiVirus definitions. Now that the definitions have been updated, I am AGAIN running a scan of the ProgramData directory.
Thus far, this scan has detected ONLY two tracking cookies.
Interestingly, while this scan continues to run, the DefWatch.DWH directory, which was EMPTY initially, is showing the successive appearance of a single .tmp file, apparently as each new file is scanned. But when running properly, it appears that these files make a momentary appearance and then are deleted with only a single file in the directory at a time. It would appear that as EP was running, it was detecting these very temporary files and reporting them to be infected.
I have already spent far more time than I could afford troubleshooting what appears to be an obscure bug in the Endpoint Protection program. I have several theories about the circumstances that might cause this problem to present. I will post some additional comments later after I catch up on my work.
I would encourage those familiar with the inner workings of EP to carefully read and assess what I have posted above. I would actually be interested to see whether someone else perceives the likely circumstances that would present this bizarre problem.
Even though the problem does NOT appear to occur often, I believe that there IS A BUG in EP that requires remediation. I am reasonably confident that the problem is replicable and thus it CAN and WILL occur to other customers.
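The post above rests on two observations that are hard to corroborate from the alert log alone: that files kept being reported from a directory that was empty, and that, when things behave, .tmp files show up in DefWatch.DWH one at a time and vanish almost immediately. The polling watcher below is an added example (it is not part of the original post and is not Symantec code) that records every appearance and disappearance of .tmp/.js files in a directory, together with a monotonic timestamp, so that the watcher's log can be laid beside the product's alert timestamps. The directory path is a placeholder that must be replaced with the real DefWatch.DWH location on the machine; the 5-second lifetime threshold used to separate "transient" from "accumulating" behaviour is an assumption, not a documented property of the product.

```python
"""Polling watcher for a scanner's temporary-file directory.

Added example, not from the original post or from the product vendor.
Assumption: the path passed to watch() is the DefWatch.DWH directory on the
affected machine; the default below is a placeholder that must be replaced.
"""
import os
import sys
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

PLACEHOLDER_DIR = r"C:\PLACEHOLDER\DefWatch.DWH"   # placeholder, replace with the real path

@dataclass
class Event:
    t: float      # seconds since the watch started (monotonic clock)
    name: str     # file name inside the watched directory
    kind: str     # "appeared" or "vanished"

def snapshot(path: str, suffixes=(".tmp", ".js")) -> Dict[str, int]:
    """Return {filename: size} for files with the given suffixes.

    A missing directory yields an empty snapshot; a file that disappears between
    listdir() and stat() is simply skipped, which is exactly what happens with
    the short-lived temp files the post describes.
    """
    try:
        names = os.listdir(path)
    except FileNotFoundError:
        return {}
    result: Dict[str, int] = {}
    for name in names:
        if name.lower().endswith(suffixes):
            try:
                result[name] = os.path.getsize(os.path.join(path, name))
            except OSError:
                pass
    return result

def diff(prev: Dict[str, int], curr: Dict[str, int], t: float) -> List[Event]:
    """Events between two polls. Disappearances are emitted before appearances so that
    a file replaced within one polling interval is not counted as two concurrent files."""
    events = [Event(t, n, "vanished") for n in sorted(prev.keys() - curr.keys())]
    events += [Event(t, n, "appeared") for n in sorted(curr.keys() - prev.keys())]
    return events

def summarize(events: List[Event]) -> Dict[str, object]:
    """Per-file lifetime (None = still present at the end), peak concurrency and
    total number of appearances, computed from the event list."""
    born: Dict[str, float] = {}
    lifetimes: Dict[str, Optional[float]] = {}
    live = peak = appeared = 0
    for e in events:
        if e.kind == "appeared":
            born[e.name] = e.t
            appeared += 1
            live += 1
            peak = max(peak, live)
        elif e.name in born:          # ignore files that pre-dated the watch
            lifetimes[e.name] = e.t - born.pop(e.name)
            live -= 1
    for name in born:
        lifetimes[name] = None
    return {"appeared": appeared, "peak_concurrent": peak, "lifetimes": lifetimes}

def classify(summary: Dict[str, object], max_lifetime_s: float = 5.0) -> str:
    """'transient' if every observed file vanished within max_lifetime_s (assumed
    threshold), 'accumulating' if any file outlived it or is still present."""
    for lifetime in summary["lifetimes"].values():
        if lifetime is None or lifetime > max_lifetime_s:
            return "accumulating"
    return "transient"

def watch(path: str, duration_s: float = 60.0, interval_s: float = 0.5) -> List[Event]:
    """Poll the directory for duration_s seconds and return the timestamped events."""
    events: List[Event] = []
    prev = snapshot(path)
    t0 = time.monotonic()
    while time.monotonic() - t0 < duration_s:
        time.sleep(interval_s)
        curr = snapshot(path)
        events.extend(diff(prev, curr, time.monotonic() - t0))
        prev = curr
    return events

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else PLACEHOLDER_DIR
    evs = watch(target, duration_s=30.0)
    for e in evs:
        print(f"{e.t:8.2f}s  {e.kind:8s}  {e.name}")
    s = summarize(evs)
    print(s, "->", classify(s))
```

Run it while a scan is in progress: a "transient" verdict with a peak concurrency of 1 matches the healthy behaviour described near the end of the post, whereas a climbing appearance count with files that never vanish matches the earlier accumulation. If product alerts keep arriving while the watcher records no events at all, that is direct evidence for the claim that alerts were being raised for files that no longer existed. The polling interval bounds what can be seen: a file that lives for less than one interval is missed, so shorten the interval (at the cost of some disk activity) if the log stays empty during a scan.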