
SEP gone crazy with EICAR file

Created: 03 May 2013 • Updated: 03 May 2013 | 8 comments
This issue has been solved. See solution.

I pasted the EICAR string into a text file and the very instant I saved, the text file disappeared, and I was flooded with SEP notification dialogs. I was unable to close them as the notifications just kept popping up.

I noticed that many versions of tmp files were created in C:\ProgramData\Symantec\SRTSP\Quarantine. On the status bar, it was showing a notification count in the tens of thousands. I had to manually delete the tmp files in the Quarantine folder before it stopped.

Now on the SEPM home page, I noticed that under the Action Summary by Detection Count, the Blocked Viruses count is increasing at every interval. From 100 to 200... now at 700+, not sure when it will stop.

Downloaded and updated the latest rapid release on both my client & SEPM machine and am running a full scan just to make sure everything is fine.

Do I need to be concerned about the ever-increasing Blocked count? What could I have possibly done wrong here with the test virus file?

I tested on a client running Windows 7. My SEPM is installed on Windows 2008 server. SEP version is 11.0.7.


W007's picture

Hello,

Have you confirmed it happened after testing the EICAR file?

You may need to scan your system with the Norton Power Eraser tool.

Check this, it might be a known issue:

DWH***.tmp files are detected in the user profile temp directory.

Article:TECH92399  |  Created: 2009-01-16  |  Updated: 2012-04-27  |  Article URL http://www.symantec.com/docs/TECH92399


Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Rafeeq's picture

Click on that 879; it will give you the list. Does it say it was EICAR or some other virus which was blocked by the SEP client?

.Brian's picture

What's the location of the file being blocked?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

ninpeh's picture

Brian, the location is at C:\ProgramData\Symantec\SRTSP\Quarantine

Went into that folder to check; it is currently empty. No hidden files.

.Brian's picture

This is a known issue/bug. I would suggest upgrading to the latest version of SEP/m to resolve.

Check the steps here to delete the quarantine on the SEP client

http://www.symantec.com/business/support/index?pag...


ninpeh's picture

Manish, scanned and found no virus. Went through the known issue and it does not seem relevant because the tmp files are found in the Quarantine folder instead of the temp folder.

Rafeeq, I've clicked on it and it is all multiple entries of the EICAR virus (attached).

I'd like to believe the test virus has been successfully removed since a full scan on the client came out good.

I am just a little concerned about the growing detection count. Now it is at 1134.

SEPMDetection.JPG
Beppe's picture

Hello,

Please have a look at this article:

www.symantec.com/docs/TECH167254

Regards,

Giuseppe

SOLUTION
ninpeh's picture

Thanks Beppe, just found out that it is a known issue.

As I won't be free to upgrade the SEP client for the time being, I tried to change the policy, but strangely, it freezes the SEPM.