Endpoint Protection

  • 1.  SEP detects *.DTF files as virus...

    Posted Mar 31, 2011 12:18 PM

    SEP has been detecting Trojan.Malscript!html and Downloader weekly on our Lotus Notes server.  It is always on the same weekday at around the same time, and this is not during SEP's scheduled scan.  Each detected file is a *.DTF file located in a Notes temp folder in C:\WINDOWS\Temp.

    This has just started in mid-February and I do not know of any changes made to Notes that would cause this.  Each time it is detected we delete the quarantined files, but it just comes back the next week.

     

    Has anyone else had a similar issue?  Any ideas on what would cause this and how to solve it?



  • 2.  RE: SEP detects *.DTF files as virus...

    Broadcom Employee
    Posted Mar 31, 2011 12:42 PM

    Hi,

    Which SEP version are you using?



  • 3.  RE: SEP detects *.DTF files as virus...

    Posted Mar 31, 2011 01:05 PM

    The SEP clients and the SEPM server are all on 11.0.4000.2295



  • 4.  RE: SEP detects *.DTF files as virus...

    Trusted Advisor
    Posted Mar 31, 2011 01:14 PM

    Hello,

    Please migrate.

    Since you are carrying the older version 11.0.4000, we recommend that you upgrade the Symantec Endpoint Protection Manager and all clients to the latest version.

    Since you are carrying an old version, there will be 2 upgrades you will have to go through. Please check the steps below:

    1) From Symantec Endpoint Protection 11.0.4000 to Symantec Endpoint Protection 11.0.6005 (RU6a)

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/6f5427dfdd4a0cc18825770400611b5a?OpenDocument

    2) From Symantec Endpoint Protection 11.0.6005 (RU6a) to Symantec Endpoint Protection 11.0.6300 (RU6 MP3)

    http://www.symantec.com/business/support/index?page=content&id=TECH155655

     

    Reason: check the release notes below:

    Release notes for Symantec Endpoint Protection 11.0.x and Symantec Network Access Control 11.0.x



  • 5.  RE: SEP detects *.DTF files as virus...

    Broadcom Employee
    Posted Mar 31, 2011 02:22 PM

    Hi,

    Virus detection in the temp folder is somehow a known issue.

    An upgrade can be one of the possible solutions to overcome this.

    Your upgrade path would be 11.0.4 --> 11.0.6/11.0.6a --> 11.0.6 MP3

    Go through the following links, which may help you.

    http://www.symantec.com/security_response/writeup.jsp?docid=2008-011517-3725-99

    http://www.symantec.com/connect/forums/i-need-help-removing-trojanmalscripthtml-manually