SEP flagging curious .qsp files

Created: 22 Mar 2010 • Updated: 22 Mar 2010 | 8 comments

Hi people,

I am running SEP ver 11.0.4000.2295.
In the main manager page (Home) I seem to be getting a number of infected files with a .qsp extension.

I have run SEP in safe and normal mode. I have run Malwarebytes, Hitman Pro and Trend Micro online scan and found nothing.

But every now and then SEP flags up this odd .qsp file and quarantines it!

Any ideas?

For example:

C:/WINDOWS/Temp/4ba21b55.qsp

8 Comments

Thomas K

Threat Expert reports .qsp files as adware programs. What threat name is Symantec detecting this file as?

http://www.threatexpert.com/report.aspx?md5=01634c...

Mick2009

Hi again Timbo,

Have you submitted any of these files to Symantec Security Response?  What about threatexpert.com's automated analysis?  What was the news on them?

Thanks and best regards,

Mick


WC

We were experiencing the same symptoms with about a dozen different PCs. Some were infected with different trojans. After cleaning the PCs, from time to time these .qsp files would randomly appear in %windows%/temp. Scanning again would flag these files and quarantine or delete them. Then we ran multiple scans from different products and nothing else would be found. A short while later, these .qsp files would appear again.

So our investigation led us to use procmon to capture what was going on. It appears that Rtvscan was actually using the quarantined files (.VBN) in the quarantine folder and placing them in the %windows%/temp folder. After deleting everything in the quarantine folder (all users/application data/symantec....../quarantine), we never experienced the .qsp files anymore.

We're not sure what exactly is happening, but again it appears this way using procmon:

Rtvscan.exe
ReadFile C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F80000\4CF96039.VBN
WriteFile C:\WINDOWS\Temp\4C5B0FAA.qsp
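
The correlation WC describes, as an added example (not part of the original post, and not a Symantec or Sysinternals tool): a short Python script that reads a Process Monitor CSV export and pairs every WriteFile into %WINDIR%\Temp with the most recent ReadFile of a Quarantine .VBN by the same PID, so the read-then-write pattern above can be pulled out of a large capture instead of eyeballed. The CSV rows are constructed for this example; the column names and the 12-hour "Time of Day" format are assumed from a default English-locale Procmon export, and the 5-second pairing window and the path markers are this example's own choices.

```python
import csv
import io
from collections import Counter
from datetime import timedelta

# Constructed sample of a Process Monitor CSV export (made up for this example,
# not captured from the thread). Column names follow Procmon's default
# "Time of Day, Process Name, PID, Operation, Path, Result, Detail" layout; the
# 12-hour "Time of Day" format is an assumption about an English-locale export.
SAMPLE_CSV = r"""
Time of Day,Process Name,PID,Operation,Path,Result,Detail
"10:02:11.1234567 AM","Rtvscan.exe","1234","ReadFile","C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F80000\4CF96039.VBN","SUCCESS","Offset: 0, Length: 4,096"
"10:02:11.1300000 AM","Rtvscan.exe","1234","WriteFile","C:\WINDOWS\Temp\4C5B0FAA.qsp","SUCCESS","Offset: 0, Length: 4,096"
"10:02:12.0000000 AM","explorer.exe","900","ReadFile","C:\WINDOWS\Temp\4C5B0FAA.qsp","SUCCESS","Offset: 0, Length: 512"
"10:02:15.0000000 AM","svchost.exe","1020","WriteFile","C:\WINDOWS\Temp\tmp1234.tmp","SUCCESS","Offset: 0, Length: 64"
"10:12:11.5000000 AM","Rtvscan.exe","1234","ReadFile","C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F80000\4CF96039.VBN","SUCCESS","Offset: 0, Length: 4,096"
"10:12:11.5100000 AM","Rtvscan.exe","1234","WriteFile","C:\WINDOWS\Temp\4D1A22B7.qsp","SUCCESS","Offset: 0, Length: 4,096"
"10:20:00.0000000 AM","Rtvscan.exe","1234","WriteFile","C:\WINDOWS\Temp\scan.log.tmp","SUCCESS","Offset: 0, Length: 128"
"""

QUARANTINE_MARKER = "\\quarantine\\"   # any path under a Symantec Quarantine folder
TEMP_MARKER = "\\windows\\temp\\"       # %WINDIR%\Temp, where the .qsp files appear
DEFAULT_WINDOW = timedelta(seconds=5)  # max read-to-write gap treated as one copy


def parse_time_of_day(text):
    """Turn Procmon's 'h:mm:ss.fffffff AM/PM' into a timedelta since midnight.

    strptime's %f accepts at most six fractional digits, so the seven-digit
    fraction is truncated to microseconds by hand.
    """
    clock, _, meridian = text.strip().partition(" ")
    hms, _, frac = clock.partition(".")
    hour, minute, second = (int(part) for part in hms.split(":"))
    if meridian.upper() == "PM" and hour != 12:
        hour += 12
    elif meridian.upper() == "AM" and hour == 12:
        hour = 0
    micros = int((frac + "000000")[:6]) if frac else 0
    return timedelta(hours=hour, minutes=minute, seconds=second, microseconds=micros)


def basename(path):
    """Last component of a Windows path (os.path would use '/' on a Linux analysis box)."""
    return path.rsplit("\\", 1)[-1]


def correlate_quarantine_to_temp(csv_text, window=DEFAULT_WINDOW):
    """Pair each WriteFile into %WINDIR%\\Temp with the latest Quarantine ReadFile
    by the same PID, if that read happened no more than `window` earlier.

    Returns a list of dicts, one per suspected quarantine-to-temp copy.
    """
    reader = csv.DictReader(io.StringIO(csv_text.lstrip()))
    last_quarantine_read = {}  # pid -> (time, quarantine path)
    pairs = []
    for row in reader:
        pid = row["PID"]
        path = row["Path"]
        low = path.lower()
        when = parse_time_of_day(row["Time of Day"])
        if row["Operation"] == "ReadFile" and QUARANTINE_MARKER in low:
            last_quarantine_read[pid] = (when, path)
        elif row["Operation"] == "WriteFile" and TEMP_MARKER in low:
            if pid not in last_quarantine_read:
                continue  # temp write by a process that never touched Quarantine
            read_time, read_path = last_quarantine_read[pid]
            gap = when - read_time
            if timedelta(0) <= gap <= window:
                pairs.append({
                    "process": row["Process Name"],
                    "pid": pid,
                    "time": when,
                    "quarantine_file": read_path,
                    "temp_file": path,
                    "gap_ms": round(gap.total_seconds() * 1000, 3),
                })
    return pairs


def temp_write_extensions(pairs):
    """Count the extensions written into Temp (the thread reports .qsp, .tmp and .qef)."""
    counts = Counter()
    for p in pairs:
        name = basename(p["temp_file"])
        counts["." + name.rsplit(".", 1)[-1].lower() if "." in name else ""] += 1
    return counts


def recurrence_intervals(pairs):
    """Gaps between consecutive suspected copies; the thread reports roughly ten minutes."""
    times = [p["time"] for p in pairs]
    return [later - earlier for earlier, later in zip(times, times[1:])]


if __name__ == "__main__":
    found = correlate_quarantine_to_temp(SAMPLE_CSV)
    for p in found:
        print(f"{p['process']} (PID {p['pid']}) read {basename(p['quarantine_file'])} "
              f"then wrote {p['temp_file']} after {p['gap_ms']} ms")
    print("extensions written:", dict(temp_write_extensions(found)))
    print("intervals between copies:", [str(i) for i in recurrence_intervals(found)])
```

To use it on a real capture, filter Procmon to Rtvscan.exe, save with File > Save as CSV, and pass the file contents to correlate_quarantine_to_temp. In the constructed sample the svchost.exe write to Temp and the late Rtvscan.exe log write are deliberately left unpaired: only a Temp write that follows a Quarantine read by the same process within the window counts.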

MrInfoSys

I have been seeing this issue in my environment a lot lately.  I took the advice of WC and removed the quarantine files, then deleted the hidden system *.qsp files in the windows\temp directory.  That has quieted the notifications for a while, but they are starting back up again.  I am seeing directory sizes swelling to over 3 GB in both the windows\temp and quarantine folders.  These .qsp files are being flagged as infected with W32.IrcBruce and W32.Pilleuz.  I have tried to upload these files to ThreatExpert, but they do not accept *.qsp files.

Any help would be greatly appreciated!

Thanks,

Chris

John_Prince

We have an internal document on this, I will post it below:

Problem
After a file is successfully quarantined, repeated detections occur approximately every ten minutes in C:\Windows\Temp on .qsp, .tmp, or .qef files.

Symptoms
A threat is quarantined successfully.
After that, the same threat is detected repeatedly in C:\Windows\Temp in a .tmp, .qef, or .qsp file, with a default action of Left Alone.

Cause
Investigating. This appears to be caused by clients configured to forward new threats to a quarantine server. 
 
Solution
Disable forwarding new threats to a quarantine server in the AntiVirus and AntiSpyware policy.

Please be aware I would consider the solution as a workaround as we are still investigating. It would be a good idea to log a case with support so we can better track this issue.

Remote Product Specialist, Business Critical Services, Symantec

MrInfoSys

Great!  Ty for the reply.  I have implemented that workaround in my environment.  I guess I'll just wait and see if there are any more spikes in detections.  How will I know if there is a fix for this issue?

Thanks!

Chris

John_Prince

I did some more digging and I don't see any open defects or anything on this. I think your best bet would be to open a case with support to see if we can gather any additional data from you to help determine how to fix it. If you choose to do so, you can refer the tech agent to the following internal document:

Document ID: TECH132797

Title: Repeated detections of quarantined threats in C:\Windows\Temp

Remote Product Specialist, Business Critical Services, Symantec

MrInfoSys

After a few days of testing different policies on these mysterious detections, I finally reinstalled the client on all of these computers.  I deleted the quarantine folders and deleted all qsp files in windows\temp.  After the client was reinstalled there were no more "false" detections.