Endpoint Protection


SRTSP Quarantine?

Migration User, Apr 28, 2009 01:56 PM

  • 1.  SRTSP Quarantine?

    Posted Apr 28, 2009 09:11 AM
    Occasionally a virus will be identified by SEP and a positive action will be taken on the file, such as Cleaned by Deletion. Subsequent scanning of this system will trigger additional alerting stating that the file path is (c:/Documents and Settings/All Users/Application Data/Symantec/SRTSP/Quarantine/APQ3.tmp), but the initial action never executed a quarantine action and there is nothing in the local quarantine that can be deleted via the SEPM or client UI.

    Can someone please explain why this occurs and how best to react? In general, is this system still at risk or not? If the object has been isolated, I do not want additional alerts to confuse or distract.

    Thank you for your help.
    CJ


  • 2.  RE: SRTSP Quarantine?

    Posted Apr 28, 2009 11:14 AM
    This same thing happened to me for the first time yesterday.  I don't have an answer either.

    Sutton


  • 3.  RE: SRTSP Quarantine?

    Posted Apr 28, 2009 12:47 PM
    The files that are quarantined do not have the .tmp extension but .VBN.

    So there are high chances that it's not a false positive but a real threat. It's always recommended to full-scan a system after a threat has been detected to ensure that there are no remnants.



  • 4.  RE: SRTSP Quarantine?

    Posted Apr 28, 2009 01:56 PM
    Also disable system restore.


  • 5.  RE: SRTSP Quarantine?

    Posted Apr 28, 2009 02:06 PM
    Is the noted file location (Documents and Settings/All Users/Application Data/Symantec/SRTSP/Quarantine) where the SEP stores objects upon quarantine action?  Are there viruses that are known to use this location to place files?


  • 6.  RE: SRTSP Quarantine?

    Posted Apr 28, 2009 02:21 PM
    Hi CJ, yes, this is the quarantine folder of the client.


  • 7.  RE: SRTSP Quarantine?

    Posted May 18, 2009 03:34 AM
    I don't think 'C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine' is the right Quarantine folder in the first place, because we have configured the SEP Antivirus and Antispyware policy to use the default Quarantine folder, and the quarantined items are in fact saved in the 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine' folder.

    Can someone from Symantec please confirm what the right Quarantine folder is when we select SEP's default Quarantine folder as an option?

    -Govardhan


  • 8.  RE: SRTSP Quarantine?

    Posted May 18, 2009 04:46 AM
    Hi Govard, I believe the path that you gave is the quarantine folder for SAV.

    I think quarantine folder for SEP is:

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer



  • 9.  RE: SRTSP Quarantine?

    Posted May 21, 2009 07:52 PM
    The malware is hiding in the c:/Documents and Settings/All Users/Application Data/Symantec/SRTSP/Quarantine folder, I watched a trojan today that went undetected by SEP 11.004 with the May 21st defs write files into the folder. The trojan's original file name was sonce_1242968635.exe. I have seen others with that name get detected as W32.Koobface.A.

    A clever way to hide your trojan if you ask me. Here is a different example.



  • 10.  RE: SRTSP Quarantine?

    Posted May 27, 2009 01:44 PM
    Looks like we have the same issue. Any further insight?


  • 11.  RE: SRTSP Quarantine?

    Posted May 28, 2009 12:02 PM
    Quickly I'll explain what i found.

    The SRTSP folder looks like it is used in the scanning process by Endpoint Protection. I ran a few tests and noticed that when an application is run, a .tmp file is created in the SRTSP/StETmp folder. I submitted the stonce_124294.exe and other variants I found to Symantec's submission system but haven't heard back yet.


    -Wayne 


  • 12.  RE: SRTSP Quarantine?

    Posted Aug 06, 2009 04:31 PM
    I believe this is a defect that should be remedied in MR4 MP2 (11.0.4202.x).


  • 13.  RE: SRTSP Quarantine?

    Posted Aug 07, 2009 10:52 AM
    We are using SEP 11.04202.75.
    I have a few computers that have picked up the Trojan.Clami!gen virus. It originally found a few different files (C:\documents and settings\%USERNAME%\start menu\programs\startup\uninstall.exe or //UNC path to %username%/application data/upnpsvc.exe or msiexeca.exe). They were detected and quarantined. Did not come back.
    One has been detected in C:\windows\system32\2.EXE. This one seems to be quarantined successfully. Cannot find it on the system. Cleared registry entries suggested by Symantec regarding any instance of 2.exe and Internet Settings keys.
    Every couple of hours it detects it again and quarantines it. Only been getting this for the 2.EXE file.
    I noticed it goes to the SEP quarantine folder, but there are also items in the SRTSP folder. Some users do not have access to open this folder and view what is in it. Normally only SYSTEM has access.
    Is this virus really there, or does it keep detecting itself?
    Even after cleaning out the SRTSP folder it keeps detecting it.
    I have run malware and pcdoctor. Cleaned everything detected and ran a full SEP scan. Finds nothing. Then it picks it up again. Sometimes after it picks it up and I wait a few and scan, it will detect it again.

    Any suggestions? This is only happening on machines that we have just upgraded to SEP. We are in the process of migrating all machines from SAV Corp 10.1.7000 to SEP 11.04202.75.

    Thank you


  • 14.  RE: SRTSP Quarantine?

    Posted May 13, 2010 09:38 PM

    Scan identifies thousands of quarantined files and scan does not end

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/b1a4e4e9efe6313a882576b70082e771?OpenDocument

    Cheers
    liang zheng



  • 15.  RE: SRTSP Quarantine?

    Posted Sep 29, 2010 10:04 AM

    Recently I got a FakeAV on my machine and I ran a full system scan. After that it seemed like everything was working fine. But now again it shows some FakeAVs inside "C:\documents and settings\alluser\application data\symantec\SRTSP\quarantine". Do I need to run the full system scan again? Because it took a very long time to finish the scan.

    Please advise.



  • 16.  RE: SRTSP Quarantine?

    Posted Sep 29, 2010 12:20 PM

    In the SEP client, go to View Quarantine, then delete all items from the Quarantine and remove all temp files from the SRTSP folder noted above.

    RU6 MP1 has additional fixes for these temp file detections so I would recommend migrating up if you have not already.

    sandra



  • 17.  RE: SRTSP Quarantine?

    Posted Nov 01, 2010 10:36 PM

    Hey Sandra,

     

    I found this problem also.

    After opening the SEP client and going to View Quarantine, the Delete menu is grey and can't be clicked.

    And the SRTSP folder can't be accessed; it shows "access denied".

     

    How can I clear quarantine folder?



  • 18.  RE: SRTSP Quarantine?

    Posted Nov 02, 2010 10:46 AM

    Are you an admin on your own box?  I wonder if permissions haven't been messed up.  Can you try to repair the installation?

    sandra



  • 19.  RE: SRTSP Quarantine?

    Posted Nov 29, 2010 10:03 AM

    Dear Sandra.G ( symantec employee )

    In our company we already have RU6 MP1, and ever since we have had various DWH*.tmp false virus detections. Likewise, recurring .....SRTSP\Quarantine*.tmp virus detections. Now I don't think that they are actually viruses; I do believe that these detections are SEP's fault. Is there maybe another fix to resolve this?

    @theseng99: You have to manually change the permissions on the SRTSP\Quarantine folder to be able to open it and delete its contents.

    Regards,

    Skris



  • 20.  RE: SRTSP Quarantine?

    Posted Nov 29, 2010 10:23 AM

    Was migration done from RU6 or RU6a?  I don't have an explanation for why you might still be experiencing this issue given the information I have here aside from a failed migration.  I would suggest going through the steps in this document and the one linked from this one.

    "When new virus definitions are in place and the quarantine is being scanned, a DWHxxx.tmp file is created and detected by Auto-Protect"
    http://www.symantec.com/docs/TECH102953

    sandra
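The recurring question in this thread is whether a detection reported under the client's own SRTSP\Quarantine folder, or a DWHxxx.tmp file as described in TECH102953, is a live infection or the product re-detecting its own temp files. The following PowerShell is an added example, not code from the thread or from Symantec: it groups detection records by path, flags paths that keep recurring, and separates the quarantine-rescan pattern from everything else. The sample records are constructed for illustration (modelled on cases described above), and the record fields Time, Path, Threat and Action are an assumption, not SEP's actual export format.

```powershell
# Added example (not from the thread or Symantec). Triage SEP detection
# records: which paths recur, and which match the quarantine-rescan pattern
# (SRTSP\Quarantine\*.tmp or DWHxxx.tmp) discussed in this thread.

function New-Detection {
    # Field names are an assumption for this example, not SEP's log schema.
    param([string]$Time, [string]$Path, [string]$Threat, [string]$Action)
    New-Object PSObject -Property @{
        Time = [datetime]$Time; Path = $Path; Threat = $Threat; Action = $Action
    }
}

# Constructed sample records (not real SEP output).
$detections = @(
    (New-Detection '2010-11-29 08:00' 'C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APQ3.tmp' 'Trojan.Clami!gen' 'Cleaned by deletion'),
    (New-Detection '2010-11-29 10:05' 'C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APQ3.tmp' 'Trojan.Clami!gen' 'Cleaned by deletion'),
    (New-Detection '2010-11-29 12:10' 'C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APQ3.tmp' 'Trojan.Clami!gen' 'Cleaned by deletion'),
    (New-Detection '2010-11-29 09:30' 'C:\Documents and Settings\jdoe\Local Settings\Temp\DWH1A2B.tmp'                                      'Trojan.FakeAV'    'Quarantined'),
    (New-Detection '2010-11-29 09:31' 'C:\WINDOWS\system32\2.EXE'                                                                         'Trojan.Clami!gen' 'Quarantined')
)

function Get-DetectionBucket {
    param([string]$Path)
    $leaf = Split-Path -Path $Path -Leaf
    if ($Path -match '\\Symantec\\SRTSP\\Quarantine\\[^\\]+\.tmp$' -or $leaf -match '^DWH.*\.tmp$') {
        # Matches the quarantine-rescan symptom from TECH102953. Treat it as a
        # hypothesis to verify, not proof the host is clean: post 9 above saw
        # a trojan write its own files into SRTSP\Quarantine.
        return 'rescan-artifact?'
    }
    'investigate'
}

$report = $detections | Group-Object -Property Path | ForEach-Object {
    $hits = $_.Group | Sort-Object Time
    New-Object PSObject -Property @{
        Path      = $_.Name
        Bucket    = Get-DetectionBucket -Path $_.Name
        Hits      = $_.Count
        FirstSeen = $hits[0].Time
        LastSeen  = $hits[-1].Time
        Recurring = ($_.Count -ge 3)
        # Only meaningful when run on the affected host: a path that is still
        # present after a "Cleaned by deletion" action deserves a closer look.
        OnDisk    = (Test-Path -LiteralPath $_.Name)
    }
}

$report | Sort-Object Bucket, Path | Format-Table Bucket, Hits, Recurring, OnDisk, FirstSeen, LastSeen, Path -AutoSize
```

Run it on the affected machine with the real detection export substituted for the constructed records. A path in the rescan-artifact bucket that recurs shortly after each definition update and is never present on disk afterwards fits the TECH102953 behaviour; anything in the investigate bucket, or an SRTSP file that persists on disk, should be handled as a live detection and the sample submitted.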



  • 21.  RE: SRTSP Quarantine?

    Posted Mar 18, 2011 06:07 AM

    I am having the DWH tmp file problem and the SRTSP tmp file problem too.

    If there are one or two machines, we can do it manually. If there are thousands of machines, it is ridiculous.



  • 22.  RE: SRTSP Quarantine?

    Trusted Advisor
    Posted Mar 18, 2011 09:32 AM

    Hello,

    Please work through the following steps.

    Stop the Symantec service

    • Symantec Endpoint Protection

      • Click Start, then Run
      • Type: smc -stop
      • Click OK

    Deleting the files

    NOTE: The following instructions are to be done from the Command Prompt as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large amount of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

     

    Open the Command Prompt

    Deleting files from User Temp folder

    • Click Start, then Run
    • Type: cmd
    • Click OK

     

    1. Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:

    For Windows 2000/XP/2003

    DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"

    For Windows Vista/7/2008

    DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"

     

    2. Deleting the contents of the temp folder at the root of C:\

    • Type the following command in Command Prompt:

      DEL /F /Q C:\temp

    3. Deleting the contents of the Windows Temp folder

    • Type the following command in Command Prompt:

      DEL /F /Q C:\WINDOWS\Temp

    4. Deleting the contents of the xfer and/or xfer_temp directories

    • Type the following command in Command Prompt:
        • Windows 2000/XP/2003
          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"

          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

        • Windows Vista/7/2008
          DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"

          DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

     

    The Quarantine Folder

    NOTE: The following instructions are to be done from the Command Prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.

     

    Delete the Quarantine Folder

    Type the following commands in the Command Prompt:

    • Windows 2000/XP/2003
      DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

      RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

    • Windows Vista/7/2008
      DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

      RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

     

    Recreate the Quarantine Folder

    Type the following command in Command Prompt:

    • Windows 2000/XP/2003
      MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
    • Windows Vista/7/2008
      MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

     

    Start the Symantec service

    • Click Start, then Run
    • Type: smc -start
    • Click OK

     

     

     

    NOTE: If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder, please follow these steps:

    Disable re-scanning of quarantine files.

    From the SEP-Manager:
    - Edit the Antivirus and Antispyware policy of affected clients.
    - In the policy editor click "Quarantine" on the left-hand menu.
    - On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"
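The manual steps above are fine for one or two machines; the post that follows asks what to do with thousands. The script below is an added example, not part of the original post and not a Symantec tool: it performs the same sequence (stop the client, empty the temp and xfer folders, delete and recreate the SEP 11 Quarantine folder, clear leftover .tmp files from SRTSP\Quarantine, start the client) in PowerShell so it can be pushed out by whatever deployment mechanism you already use. It assumes smc.exe is at its default location under Program Files (or Program Files (x86) on 64-bit Windows); the ten-second pause after smc -stop is a chosen value, not from the page.

```powershell
<#
  Added example, not from the original post or from Symantec.
  Scripted form of the SEP 11 cleanup steps above. Run from an elevated
  PowerShell prompt; -WhatIf shows what would be deleted without doing it.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# CommonApplicationData resolves to C:\ProgramData on Vista/7/2008 and to
# C:\Documents and Settings\All Users\Application Data on 2000/XP/2003,
# so one path covers both OS families listed in the post.
$symantecData = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Symantec'
$sepData      = Join-Path $symantecData 'Symantec Endpoint Protection'
$quarantine   = Join-Path $sepData 'Quarantine'
$srtspQuar    = Join-Path $symantecData 'SRTSP\Quarantine'

# Assumed default install location of the SEP client control program.
$smc = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |
    ForEach-Object { Join-Path $_ 'Symantec\Symantec Endpoint Protection\smc.exe' } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $smc) { throw 'smc.exe not found under Program Files; set $smc to your install path' }

# Folders whose files are removed but which must themselves stay in place.
# The post uses DEL /F /Q, which neither recurses nor removes the directory.
# $env:TEMP is the temp folder of the account running the script; substitute
# the affected user's profile path if that is a different account.
$emptyThese = @(
    $env:TEMP,
    'C:\temp',
    (Join-Path $env:windir 'Temp'),
    (Join-Path $sepData 'xfer'),
    (Join-Path $sepData 'xfer_tmp')
)

function Clear-FolderContents {
    param([string]$Path, [string]$Filter = '*')
    if (-not (Test-Path -LiteralPath $Path)) { Write-Verbose "skip (missing): $Path"; return }
    try {
        Get-ChildItem -LiteralPath $Path -Filter $Filter -Force |
            Where-Object { -not $_.PSIsContainer } |      # files only, like DEL without /S
            Remove-Item -Force -ErrorAction Stop
        Write-Host "emptied $Path"
    } catch [System.UnauthorizedAccessException] {
        # SRTSP\Quarantine is normally accessible only to SYSTEM (posts 13 and 17).
        # Report it instead of silently rewriting the ACL of a security product's folder.
        Write-Warning "access denied on $Path; grant Administrators access manually, then re-run"
    } catch {
        Write-Warning "could not fully empty $Path : $($_.Exception.Message)"
    }
}

# 1. Stop the client (smc -stop). If the policy requires a password to stop
#    the client service, smc prompts for it interactively.
if ($PSCmdlet.ShouldProcess('SEP client', 'smc -stop')) {
    & $smc -stop
    Start-Sleep -Seconds 10   # give the service time to release its files
}

# 2./3. Empty the temp and xfer folders, then leftover .tmp files in SRTSP\Quarantine.
$emptyThese | ForEach-Object { Clear-FolderContents -Path $_ }
Clear-FolderContents -Path $srtspQuar -Filter '*.tmp'

# 4. Delete and recreate the SEP Quarantine folder (DEL /S, RD /S, MD in the post).
if (Test-Path -LiteralPath $quarantine) {
    Remove-Item -LiteralPath $quarantine -Recurse -Force
}
New-Item -ItemType Directory -Path $quarantine | Out-Null

# 5. Start the client again.
if ($PSCmdlet.ShouldProcess('SEP client', 'smc -start')) {
    & $smc -start
}
```

Deleting the Quarantine folder discards every quarantined item on the machine, including anything you might still want to restore or submit to Symantec, so run it with -WhatIf first and export or submit samples before the real run. Leave the SRTSP folder's permissions alone unless you have to change them; if you do, restore them afterwards.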



  • 23.  RE: SRTSP Quarantine?

    Trusted Advisor
    Posted Mar 18, 2011 10:18 AM

    There were some additional fixes for the fake DWH trojan issue in RU6 MP2 also, as the original RU6 MP1 did not fix them all. Upgrade to RU6 MP2. Since upgrading we have not seen any users with this issue.