
Security risk detected: Trojan.Maljava!gen23

Created: 10 Aug 2012 • Updated: 14 Aug 2012 | 4 comments
This issue has been solved. See solution.

I keep getting these messages from auto-protect, sometimes hundreds per day. I have done a full scan, but why does it not totally remove this virus?

How can I remove the source of the virus, rather than catching the effects of it in auto-protect. I am familiar with file and registry deletions, and can manually remove it. Any suggestions?


Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Trojan.Maljava!gen23
File: C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\5025488A.TMP
Location: C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer

Thanks,

dburchfield2000

4 Comments

Mithun Sanghavi:

Hello,

What version of SEP 11.x are you running?

Make sure you are running the Latest version of SEP 11.0.7101 and above.

Check this Thread: https://www-secure.symantec.com/connect/forums/sep-xferxxxxtmp-always-prompt-infection

That issue is largely resolved in the latest release of SEP 11 (RU6 MP3) and will be entirely resolved in the forthcoming SEP 12.1. I recommend upgrading as soon as is possible!

Stop the Symantec service

  • Symantec Endpoint Protection

    • Click Start, then Run
    • Type: smc -stop
    • Click OK

Deleting the files

NOTE: The following instructions are to be done from the Command Prompt as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large amount of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

Open the Command Prompt

Deleting files from User Temp folder

  • Click Start, then Run
  • Type: cmd
  • Click OK

1. Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:

  • For Windows 2000/XP/2003
     DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
  • For Windows Vista/7/2008
     DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"

2. Deleting the contents of the temp folder at the root of C:\

  • Type the following command in Command Prompt:

    DEL /F /Q C:\temp

3. Deleting the contents of the Windows Temp folder

  • Type the following command in Command Prompt:

    DEL /F /Q C:\WINDOWS\Temp

4. Deleting the contents of the xfer and/or xfer_temp directories

  • Type the following command in Command Prompt:
      • Windows 2000/XP/2003
        DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"

        DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

      • Windows Vista/7/2008
        DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"

        DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

The Quarantine Folder

NOTE: The following instructions are to be done from the Command Prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.

Delete the Quarantine Folder

Type the following commands in the Command Prompt:

  • Windows 2000/XP/2003
    DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

    RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

  • Windows Vista/7/2008
    DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

    RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Recreate the Quarantine Folder

Type the following command in Command Prompt:

  • Windows 2000/XP/2003
    MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
  • Windows Vista/7/2008
    MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

Start the Symantec service

  • Click Start, then Run
  • Type: smc -start
  • Click OK

If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder please follow these steps:

Disable re-scanning of quarantine files.

From the SEP-Manager:
- Edit the Antivirus and Antispyware policy of affected clients.
- In the policy editor click "Quarantine" on the left-hand menu.
- On the General tab, click "Do nothing" under the heading "When new Virus Definitions Arrive".


Check the Release Notes: http://www.symantec.com/docs/TECH103087

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SOLUTION
cus000:

What's the action taken?


Source of the threat? Is it your PC itself, and not a remote PC?

John Q.:

Another article about such detection in XFER folder:
http://www.symantec.com/docs/TECH93590


Additionally, I would anyway recommend that you ensure Java is up to date on all machines, as per security best practices, to avoid Maljava infections.


Please remember to mark the proper comment as SOLUTION:
 - to identify threads that do not require further assistance
 - to let other visitors know how to fix such an issue
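Both replies above point at the same thing: a detection whose path lies under SEP's own xfer, xfer_tmp or Quarantine directory is the product re-scanning a file it has already caught, not a live source on the machine. As an added example, not part of this thread or of Symantec's tooling, the Python below parses Auto-Protect "Risk Found" events in the format quoted in the question and separates those re-detections from hits elsewhere on disk; the sample events, the file names and the `example` user path are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of SEP Auto-Protect events, modelled on the one quoted in
# the question; the file names and the "example" user are made up.
SAMPLE_EVENTS = r"""
Event: Risk Found!
Security risk detected: Trojan.Maljava!gen23
File: C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\5025488A.TMP

Event: Risk Found!
Security risk detected: Trojan.Maljava!gen23
File: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\EXAMPLE1.VBN

Event: Risk Found!
Security risk detected: Trojan.Maljava!gen23
File: C:\Users\example\AppData\Local\Temp\example.jar
"""

# Directories in which SEP holds files it has already detected; a hit here is
# the product re-scanning its own holding area, not a new source of infection.
SEP_HOLDING_DIRS = {"xfer", "xfer_tmp", "quarantine"}


def is_sep_holding_area(path: str) -> bool:
    """True if the path is under a Symantec Endpoint Protection xfer, xfer_tmp or Quarantine directory."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(parts[i] == "symantec endpoint protection" and parts[i + 1] in SEP_HOLDING_DIRS
               for i in range(len(parts) - 1))


def parse_events(text: str) -> list:
    """Split blank-line-separated events into {field: value} dicts keyed in lower case."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only, so C:\ paths survive
            fields[key.strip().lower()] = value.strip()
        if "file" in fields:
            events.append(fields)
    return events


def triage(text: str) -> dict:
    """Group detected file paths by whether they are SEP-internal re-detections."""
    groups = {"rescan_of_held_file": [], "outside_sep_dirs": []}
    for ev in parse_events(text):
        key = "rescan_of_held_file" if is_sep_holding_area(ev["file"]) else "outside_sep_dirs"
        groups[key].append(ev["file"])
    return groups
```

Only the paths in `outside_sep_dirs` point at a place the threat actually landed; the rest go away with the clean-up Mithun describes or by disabling the quarantine re-scan.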

dburchfield2000:

Thanks Mithun, John Q, and Cus000,

My IT dept upgraded my SEP version to 11.0.7200.1147. I also updated my Sun JAVA to the latest version.

The problem seems to have been resolved. Thanks for your help.