
SEP is constantly detecting SAVCE quarantined files

Updated: 18 Sep 2010 | 31 comments
wroot

Lately SEP started to detect viruses in old Symantec AV Corporate Edition Quarantine folders. Clients were upgraded from SAVCE to SEP by deploying the new version. Maybe there is some way to instruct SEP to leave those *******.tmp files alone? Because it's some kind of a false alarm and I have to check every such alarm. Time consuming. And also there is a problem with clearing the Still Infected status after that. In the Risk logs this computer doesn't have an infection indicator, so I can't remove the Still Infected indication and I still see that PC as infected on the SEPM start screen.

Comments

wroot, 24 Sep 2008

c:/Documents and Settings/All Users/Application Data/Symantec/Symantec AntiVirus Corporate Edition/7.5/xfer/48d8729e.tmp

A bunch of these files are detected.

pete_4u2002, 25 Sep 2008

Hi,

You can add a centralized exception for this folder from scanning.

Pete

kailaspadwale, 17 Jul 2009

How to add centralized exception for folder from scanning.

Hi pete,

Please guide me on how to add a centralized exception for

d:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/xfer/ (folder)

from scanning, because SEP shows infected files in this folder and shows the Quarantined action for the infection.

Please help me.

Thanks,

Kailas

wroot, 20 Jul 2009

You can read all messages and someone is posting how to set centralized exceptions. But I'm afraid this won't help. It didn't help me. You should try updating to the latest version.

wroot, 02 Oct 2008

Maybe. But I prefer not to. The problem so far continues to appear with one PC. I have tried to uninstall SEP, delete those folders manually and install SEP again. Now I see that Symantec AntiVirus Corporate Edition is back and SEP is now again detecting hundreds of times the same virus in there.

I guess I should report that as a false positive too.

Amol S (Jainam Technologies), 02 Oct 2008

wroot, 09 Oct 2008

pete_4u2002 wrote:

Hi,

You can add a centralized exception for this folder from scanning.

Pete

Where should I do this? I can't find it in antivirus policies.

Hericksen, 13 Oct 2008

Hi!!

It is located in the centralized exceptions policy; you need to add an exception by choosing centralized exceptions/add/security risk exceptions/folder.

Regards

wroot, 30 Oct 2008

I have added c:/Documents and Settings/All Users/Application Data/Symantec/Symantec AntiVirus Corporate Edition/7.5/xfer/ (including subdirs) as a centralized exception, but this doesn't help. SEP is hogging these PCs terribly while "detecting" thousands of tmp files per second. Also it annoys users when they constantly see messages about "viruses".

wroot, 01 Apr 2009

Bringing up the old topic, as it wasn't ever answered or solved. Exceptions don't help and now it seems it is detecting in the other folder c:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/xfer/49d1a012.tmp

What is this xfer dir??? Is SEP saving deleted viruses in those tmp files and then detecting them again?

wroot, 10 Apr 2009

So, finally I had to disable notification on clients, because it's just driving my users and me nuts to get hundreds of such "detections"..

SAM_SHAIKH, 10 Apr 2009

Hi,

When you are upgrading, please note to select the checkbox for Remove all logs/files.

Try and post here..

Regards,
SAM

wroot, 15 Apr 2009

I have exported the install package into a single exe file and it doesn't ask anything, just installs. I don't remember anything about logs/files in the installation package building dialog. I think SEP should do all the needed upgrading processes automatically. Also this wasn't happening all the time, it just pops up from time to time on different machines. It became more frequent during the last 2-3 weeks. I now have 1000 of reports in Quarantined line all coming from one computer about those xfer/*.tmp files.

wroot, 17 Apr 2009

Another folder - c:/Documents and Settings/All Users/Application Data/Symantec/SRTSP/Quarantine/***.tmp

What the heck is going on with that mad program?? Just wonderful. It can't detect a widely known spam bot, suspicious file upload reports that they can't find a virus and basic support upload is not accepting my support id. Instead it detects thousands of tmp files in its own folders.. piece of sh..

wroot, 22 Apr 2009

So far the only fix for this is to uninstall SEP, clean all the folders I can find in Program Files and user profiles, though maybe only deleting c:/Documents and Settings/All Users/Application Data/Symantec is sufficient. To be sure nothing is there I'm disabling System Restore after this and enabling it back (so all restore points are deleted). Then I install SEP again and so far there is no xfer problem on that PC.

NickCo, 22 Apr 2009

One of our pc's had the same problem yesterday. Updated from 10 to 11.0.2020.56 about a month ago. It started in the /xfer folder, but then after some troubleshooting, colorful words and deleting files in the xfer folder and from the quarantine list in SEP, it started doing the same thing in the /SRTSP/Quarantine folder. I had to do the same solution you did except I only deleted the c:/Documents and Settings/All Users/Application Data/Symantec folder. So far it hasn't come back. I hope this doesn't happen to all of our pc's which we upgraded from 10 to 11.

wroot, 23 Apr 2009

I have a theory that this issue is only triggered after some specific malware detection and moving to a quarantine. Then something happens to SEP and it starts to detect already quarantined files, but it can't do anything with already quarantined files and so it produces hundreds or thousands of detection log entries. Most of our pc's were updated from 10 to 11 a year ago or so. So far we had ~6 pc's with such an issue out of ~150. Yesterday I tried to call our local Symantec "expert" and he suggested sending my issues to the Baltic Support unit (I'm from Lithuania). Will try this, as I have 4 (including this) issues not resolved yet, but I don't really want to make international calls for support. Ideally I would want Symantec to patch this or provide some quick solution, as reinstalling SEP is too time consuming and I'm not sure whether it will fix that problem for good.

JohnC123, 28 Apr 2009

SEP11 MR4 MP1

I am having the same issue. We have 5000 clients and over 100 machines are generating these false positives. Putting in a centralised exception for the XFER folder is no use as the .TMP file numbers grow and fill the disk as SEP is not cleaning them. I run our weekly scan on Sunday and when I get into the office on Monday I am greeted with between 35000 and 40000 "Virus Detections" each week. A call has been opened with Symantec for weeks now with no real help or feedback. This morning I upgraded the problem clients to the latest version SEP11 MR4 MP1 on the off chance that this might help but I don't hold much hope. Has anyone else tried this? It's amazing that this has not been addressed as a known issue by Symantec at this stage.

wroot, 28 Apr 2009

A simple upgrade on top of the old installation won't help, I'm afraid. Only with a clean reinstall was I able to get rid of that issue, at least for the moment (it didn't reappear yet). I mean you have to uninstall, delete the Symantec dir in All users\Application data, and install the newest version. Should be tough with over 100 clients.

wroot, 29 Apr 2009

Another update. As I said, I have done a clean reinstall on a few pc's. One of them was constantly detecting the Bloodhound.PDF.3 virus in the xfer dir before that. For a week or so it was quiet. Yesterday during a weekly scan it started to report the same virus in C:\Windows\Temp\DWH****.tmp files (80 detections so far). I will have to inspect that pc, but our users usually don't have rights to that dir, so it must be a system service putting those tmp files there. Maybe it was left behind after the uninstall, so probably we have to clean that dir too to make it a truly clean reinstall..

wroot, 03 May 2009

An interesting coincidence is that SEP's definitions update process is called DWHwizard.

JohnC123, 06 May 2009

Upgrade to SEP 11 MR4 MP1

Folks, I upgraded my problem clients with MP1 and I have had no issue for two weeks. The upgrade is only 10 meg and can be pushed by the deployment wizard.

wroot, 06 May 2009

What do you mean by MP1? We already have 11.0.4014 MR4 MP1a. Or is this some separate patch?

wroot, 11 May 2009

New folders, now on Vista (before it was only with old XP clients and SAVC upgraded to SEP); these Vista clients were initially installed with SEP 11.

c:/ProgramData/Symantec/SRTSP/Quarantine/

Mike Lawler, 14 May 2009

Upgrade to MP1a not the solution

I'm having this same issue; we are running a combo of MR4MP1a and straight MR4 (some clients that haven't been updated yet). The problem is still popping up for me on both versions. Looks like this one is back to the drawing board. I hate to add exceptions for an issue that should be fixed by the developers.

wroot, 27 May 2009

Reading the MR4 MP2 release notes I see:

Quarantine scan causes Auto-Protect detections in %temp% folder
Fix ID: 1525749
Symptom: DWHWizard.exe starts the quarantine scan and moves quarantined files in to the %temp% folder for scanning. Auto Protect will occasionally detect these infected files.
Solution: After extracting and re-scanning each quarantine item, the TMP file is deleted unless the state is now REPAIRABLE. Repairable files are used later, either to restore to the original location or to save back to Quarantine (REPAIR_ONLY mode). These files should be clean, so Auto-Protect should not detect anything in them.

Temporary Files should not be opened during automatic scan after updating virus definitions
Fix ID: 1525749
Symptom: An auto-protect detection is triggered upon opening a temporary file (DWH****.tmp) that was created by an automatic scan after updating virus definitions.
Solution: For full details see readme_sep.txt section titled "Temporary Files should not be opened during automatic scan".

So, maybe some of these issues will be fixed. Though we probably won't be updating soon.

Scott K., 29 May 2009

Also occurs with SEP MR4 MP4

This is still a problem with our MR4 MP4 clients. I would like Symantec to come up with a better solution than uninstall, delete everything in the xfer folder, and then reinstall SEP. Is there a way to handle this better from within the Symantec Endpoint Protection Manager (I am not looking to add an exception to skip scanning this directory)?

kailaspadwale, 23 Jun 2009

This is still a problem with our MR4 MP4 clients.

Please give the proper solution.

Thanks!

noufal@islamweb.net.qa, 12 Jul 2009

c:\ProgramData\Symantec\Symantec Endpoint Protection\xfer

We have SEP Version 11.0.4014.26 def version 2009-07-11 rev. 024
Every time it runs a full system scheduled scan, it detects trojans in the folder:
c:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/xfer/
It created more than 50,000 files and the hard disk is filled up. Please give me a solution ASAP.

Scan type: Scheduled Scan
Event: Security Risk Found!
Security risk detected: Trojan Horse
File: c:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\4a23d316.tmp
Location: c:\ProgramData\Symantec\Symantec Endpoint Protection\xfer
Computer: ADMIN
User: SYSTEM
Action taken: Delete succeeded
Date found: Sunday, July 12, 2009 10:27:51 AM
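
Added example, not part of the post above and not Symantec tooling: a small Python triage script that reads risk notifications in the "Key: value" layout shown in that post, counts per computer the detections that fall in the scanner's own work folders named in this thread (xfer, SRTSP\Quarantine, Windows\Temp\DWH*.tmp), and returns everything else for manual review. The sample records, host names and file names are constructed, and the blank-line-separated export format is an assumption.

```python
import re
from collections import Counter

# Folders named in this thread where SEP re-detects its own quarantine temp files.
SELF_PATTERNS = [re.compile(p) for p in (
    r"\\symantec\\symantec antivirus corporate edition\\[^\\]+\\xfer\\[^\\]+\.tmp$",
    r"\\symantec\\symantec endpoint protection\\xfer\\[^\\]+\.tmp$",
    r"\\symantec\\srtsp\\quarantine\\[^\\]+\.tmp$",
    r"\\windows\\temp\\dwh[^\\]*\.tmp$",
)]
# Constructed sample records (assumed export: one blank line between events).
SAMPLE = r"""
File: c:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\00000001.tmp
Computer: PC-01

File: c:/Documents and Settings/All Users/Application Data/Symantec/Symantec AntiVirus Corporate Edition/7.5/xfer/00000002.tmp
Computer: PC-01

File: C:\Windows\Temp\DWH0003.tmp
Computer: PC-02

File: C:\Users\alice\Downloads\invoice.exe
Computer: PC-02

File: c:\ProgramData\Symantec\SRTSP\Quarantine\00000005.tmp
Computer: PC-01
"""

def parse_events(text):  # "Key: value" blocks -> list of dicts
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if "File" in fields:
            events.append(fields)
    return events

def is_self_detection(path):  # .tmp file inside one of the scanner's own folders?
    norm = path.replace("/", "\\").lower()
    return any(p.search(norm) for p in SELF_PATTERNS)

def triage(text):  # -> (self-detection count per computer, events needing review)
    counts, review = Counter(), []
    for ev in parse_events(text):
        if is_self_detection(ev["File"]):
            counts[ev.get("Computer", "unknown")] += 1
        else:
            review.append(ev)
    return counts, review
```

Matching events are counted rather than dropped, so a computer whose count keeps growing (the disk-filling case reported in this thread) still stands out.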

wroot, 12 Jul 2009

So far, after updating to 11.0.4202.75, I haven't seen such an issue anymore. 2-3 weeks.

John Cooperfield, 18 Mar 2010

Remedies

1. To reduce problems like these, when you make a SEP client package, in the "Client install settings" for this package select "Remove all previous logs and policies..."

I think that is what SAM_SHAIKH was referring to.

2. Also, to reduce problems with migrating from SAV to SEP, configure your SAV clients ahead of time to only keep one day's log, and to delete all quarantined items ASAP. You could change your settings to not even quarantine, just delete.

3. About remedying large amounts of detections involving the XFER folders, there is another good thread(s) on that. What I have done is basically empty out the xfer folders and the Quarantine and do the other cleanup needed.

At this writing I am looking for more info on the \All Users\Application Data\Symantec\SRTSP folder.

Thanks
John