Over 1500 .tmp files are in the "XFR"
Updated: 21 May 2010 | 13 comments
This issue has been solved. See solution.
c:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer....
I cleaned up the workstation, but these results continue to generate. What am I missing here??? Full scan has been run...
Packed.Generic.217 is the infected file...
Comments
The "tmp" files do not delete
I tried, and they don't want to go anywhere.
Since I wrote this, 227 MORE have generated, bringing the total to 1776.
I see this on occasional
I see this on occasional systems as well, but they're usually the student-owned systems that report to our server, so I haven't dealt much with them. I seem to recall some bug that was supposedly fixed. I'll do some searching and report back.
Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa
Disable System Restore
1.) Disable "System Restore".
2.) Restart the computer in Safe Mode.
3.) Stop the SEP services:
    "Symantec Endpoint Protection"
    "Symantec Management Client", with the command START -> RUN -> smc -stop
4.) Delete the folder "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\"
    (in newer installations: "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\")
5.) Delete all .tmp files in the folder "c:\windows\temp\".
6.) Restart the SEP services (same as step 3, except "smc -start").
7.) Run a full scan.
8.) Restart the computer in normal mode and, if no new alerts of malware/virus detection are shown, enable "System Restore" again (see step 1).
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
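Steps 3 to 6 of the procedure above as a script; this is an added example, not part of the original post and not a Symantec tool. `Get-TmpSummary` and the `-Clean` switch are hypothetical names, and the script assumes PowerShell is installed, the session is elevated, steps 1 and 2 are already done, and `smc` resolves the same way it does from the Run dialog.

```powershell
param(
    # Paths as given in the post (newer-installation xfer path)
    [string]$XferDir = 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer',
    [string]$TempDir = 'C:\Windows\Temp',
    [switch]$Clean   # hypothetical switch: without it the script only reports
)

function Get-TmpSummary([string]$Path) {
    # Count and total size of the .tmp files directly under $Path
    $files = @(Get-ChildItem -Path $Path -Filter '*.tmp' -ErrorAction SilentlyContinue |
               Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.tmp' })
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    New-Object PSObject -Property @{
        Path  = $Path
        Count = $files.Count
        MB    = [math]::Round($bytes / 1MB, 1)
    }
}

# Report first, so the numbers can be compared after the next full scan
Get-TmpSummary $XferDir
Get-TmpSummary $TempDir
if (-not $Clean) { return }

# Step 3: stop the SEP services
Start-Process smc -ArgumentList '-stop' -Wait
Stop-Service -DisplayName 'Symantec Endpoint Protection' -Force

try {
    # Step 4: delete the xfer folder
    if (Test-Path -LiteralPath $XferDir) {
        Remove-Item -LiteralPath $XferDir -Recurse -Force
    }
    # Step 5: delete the .tmp files in the Windows temp folder
    Get-ChildItem -Path $TempDir -Filter '*.tmp' |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -eq '.tmp' } |
        Remove-Item -Force
}
finally {
    # Step 6: restart the SEP services even if a delete failed
    Start-Service -DisplayName 'Symantec Endpoint Protection'
    Start-Process smc -ArgumentList '-start' -Wait
}
```

Running it again without `-Clean` after the full scan in step 7 shows whether new .tmp files are still being generated.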
This post covered one
This post covered one person's solution that seemed to work; it seems to be similar to a knowledge base article, http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548.
Looking at my logs, I'm thinking certain malware detections have to be involved for this to happen, as most of the users I have with the problem have a small subset of malware being detected. Also, the users I have with the problem are running on RU5, so this problem has existed in multiple versions.
Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa
This is exactly the issue, and I am using RU5...
There are no other machines aside from my SAV clients that use anything but RU5... I did scan with MWB and cleaned house. I also needed to remove the installation of SEP via cleanwipe, because no matter what I did, the "tmp" files did not want to budge and the content in SRTSP also did not want to play along.
We are currently having this
We are currently having this problem too and have a case open with Symantec on this. Apparently, these temp files get created in the quarantine directly, and the SEP detects them as viruses again, and again, and again. As a workaround, we have had to exclude this directory from scanning and limit the size of it so it doesn't fill up the hard drive. This should only happen on machines where a virus was found and files quarantined. If you clear the quarantined files and delete the temp files, the problem should go away ... until it happens again.
In events like this...
...I like to run Malwarebytes... I am a remote admin, and cannot do a safe mode scan. The next best thing for me is running Malwarebytes, which always does a great job, and so far, it has picked up... 7 infected objects. I am not sure if this is a SEP issue, as opposed to an issue that is infecting the system. I am just a little bugged by the fact that I have to use something else on top of SEP to get through these types of issues.
I suppose it could be malware
I suppose it could be malware that is attempting to circumvent SEP but then ends up causing a loop.
Eric C. Lukens IT Security Policy and Risk Assessment Analyst University of Northern Iowa
It was the Vundoo or Vundo...
Malwarebytes picked up and cleaned 20 infected files. I will check the logs tomorrow to see how many files continue to be generated. I notice when a machine generates that many temp files, that if I run Spybot S&D or Malwarebytes, it does a really good job of cleaning it up... AdamK, I would advise that you run Spybot S&D and/or Malwarebytes; those programs are life savers for me...
Files were also in the SRTSP\Quarantine folder
These would ALSO not let me delete the content. I cleaned up the Vundoo and removed SEP and will reinstall it.
Upgrade to RU5 and see any
Upgrade to RU5 and see if any difference is present.
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
One of the problems with the new format
Is it lets you select the version you are using but NOT the release that you use. All of my SEP clients are already at RU5...
Ran Malwarebytes again...
Then found a lot of traces of the old SAV folders and some SEP folders even after cleanwipe was run. I searched for all of these folders and manually deleted them, restarted and reinstalled SEP.