Endpoint Protection

  • 1.  QSP Files????

    Posted Mar 22, 2010 05:47 AM

    Hi people,

    I am running SEP ver 11.0.4000.2295.
    In the main manager page (Home) I seem to be getting a number of infected files with a .qsp extension.

    I have run SEP in safe and normal mode. I have run Malwarebytes, Hitman Pro and Trend Micro online scan and found nothing.

    But every now and then SEP flags up this odd .qsp file and quarantines it!!!!

    Any ideas?

    For example:

    C:/WINDOWS/Temp/4ba21b55.qsp



  • 2.  RE: QSP Files????

    Posted Mar 22, 2010 05:51 AM
    I think there is some file that is re-creating these files, and that file is not detected by SEP yet.
    Try this:

    Delete everything from
     %temp%
    C:\Windows\Temp
    and 
    Delete browsing data from your Internet Explorer.
    Then check if they get re-created again.





  • 3.  RE: QSP Files????

    Posted Mar 22, 2010 05:52 AM
    I think it's a trojan and Symantec is finding and quarantining it.


  • 4.  RE: QSP Files????

    Posted Mar 22, 2010 06:02 AM
    Rafeeq,

    I have no idea what's causing it, but if Malwarebytes, Trend Micro and Hitman Pro can't find it I doubt that it is a Trojan.

    Would it be that this file isn't added by default to the ignore ext list? Is it safe to do this?


  • 5.  RE: QSP Files????

    Posted Mar 22, 2010 06:36 AM
    Those files may not be a virus; still, try this once:
    Online Virus and Behavioural Scan Engines


  • 6.  RE: QSP Files????

    Posted Mar 22, 2010 07:27 AM
    Hi Timbo,

    Just judging by the names of the files (which is not always a good indicator) the following thread may be of interest to you: Trojan.FakeAV!gen24

    The advice there also applies to your case: the next step is to determine what process is creating those files so that we can get it submitted to Security Response, examined and defences prepared against it.

    Thanks and best regards,

    Mick


  • 7.  RE: QSP Files????

    Posted Aug 05, 2010 10:30 PM

    We were experiencing the same symptoms with about a dozen different PCs. Some were infected with different trojans. After cleaning the PCs, from time to time, these .qsp files would randomly appear in %windows%/temp. Scanning again would flag these files and quarantine or delete them. Then we ran multiple scans from different products and nothing else would be found. A short while later, these .qsp files would appear again.

    So our investigation led us to use procmon to capture what was going on. It turns out that it appears that Rtvscan was actually using the quarantined files (.VBN) in the quarantine folder and placing them in the %windows%/temp folder. After deleting everything in the quarantine folder (all users/application data/symantec....../quarantine), we never experienced the .qsp files anymore.

    We're not sure what exactly is happening, but again it appears this way using procmon:

    Rtvscan.exe
    ReadFile C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F80000\4CF96039.VBN
    WriteFile C:\WINDOWS\Temp\4C5B0FAA.qsp
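
Added example, not part of the thread: one way to answer "which process is creating the .qsp files" from a Procmon capture saved as CSV, pairing each .qsp write under a Temp folder with the quarantine .VBN files the same process read earlier. The column names assume Procmon's default CSV export layout, the sample rows are constructed around the two paths quoted in the last post, and the function names are hypothetical. Ordering within one process shows sequence only, not that the bytes written came from the .VBN file.

```python
import csv
import io
import ntpath
from collections import defaultdict

# Constructed sample in Procmon's CSV export layout (column names assumed);
# the two Rtvscan.exe paths are the ones quoted in the post above.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Rtvscan.exe","1432","ReadFile","C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F80000\4CF96039.VBN","SUCCESS",""
"10:01:02.2","Rtvscan.exe","1432","WriteFile","C:\WINDOWS\Temp\4C5B0FAA.qsp","SUCCESS",""
"10:01:03.0","explorer.exe","2210","ReadFile","C:\WINDOWS\Temp\4C5B0FAA.qsp","SUCCESS",""
"10:01:04.5","svchost.exe","880","WriteFile","C:\WINDOWS\Temp\setup.log","SUCCESS",""
'''

def qsp_writers(rows):
    """Map each .qsp file written under a Temp folder to its writer and the
    quarantine .VBN files that same process had read earlier in the capture."""
    vbn_reads = defaultdict(list)   # (process name, pid) -> VBN paths read so far
    findings = {}
    for row in rows:
        if row["Result"] != "SUCCESS":
            continue
        key = (row["Process Name"], row["PID"])
        path, low = row["Path"], row["Path"].lower()
        op = row["Operation"]
        if op == "ReadFile" and low.endswith(".vbn") and "\\quarantine\\" in low:
            if path not in vbn_reads[key]:
                vbn_reads[key].append(path)
        elif op == "WriteFile" and low.endswith(".qsp") and "\\temp\\" in low:
            findings[ntpath.basename(path)] = {
                "process": key[0], "pid": key[1],
                "vbn_sources": list(vbn_reads[key]),
            }
    return findings

def analyze(csv_text):
    """Parse CSV text (for a saved file, open it with encoding='utf-8-sig')."""
    return qsp_writers(csv.DictReader(io.StringIO(csv_text)))

if __name__ == "__main__":
    for name, info in analyze(SAMPLE_CSV).items():
        print(name, "written by", info["process"], "pid", info["pid"])
        for src in info["vbn_sources"]:
            print("   after reading", src)
```

A .qsp written by a process with no preceding quarantine read comes back with an empty `vbn_sources` list, which is the case worth submitting for analysis as suggested earlier in the thread.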