Symantec EP making a lot of files under XFER folder.

  • 1.  Symantec EP making a lot of files under XFER folder.

    Posted Oct 06, 2009 08:21 AM
    In Windows XP client PC, Symantec EP is making a lot of files under the XFER folder.

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer

    This folder's size is extending up to the full size of the C drive. Please provide me a solution to get rid of it.


  • 2.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 06, 2009 08:29 AM
    please check this link

    https://www-secure.symantec.com/connect/forums/tmp-files-issue-xfer-folder

    will help you to fix the issue :)


  • 3.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 06, 2009 09:59 AM
    Hi,

           
    Stop the Symantec service

    Symantec Endpoint Protection

    Click Start, then Run
    Type smc -stop
    Click OK

    Symantec AntiVirus

    Click Start, then Run
    Type services.msc
    Click OK
    Right-click and Stop the Symantec AntiVirus service

    Deleting the files
    The following instructions are to be done from the command prompt as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large amount of files that can reside in these locations.

    Open the command prompt

    Click Start, then Run
    Type cmd
    Click OK

    Deleting files from User Temp folder

    Type the following command in command prompt (The following string will vary depending on the user name):

        DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"

    Replace "<NAMEOFUSER>" with the username of the Windows user whose temp folder you wish to empty.


    Deleting the temp folder at the root of C:\


    Type the following command in command prompt:

    DEL /F /Q C:\temp

    Deleting the Windows Temp folder


    Type the following command in command prompt:

    DEL /F /Q C:\WINDOWS\Temp


    Deleting the contents of the xfer and/or xfer_tmp directories


    Symantec Endpoint Protection


    Type the following command in command prompt:

    DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"


    Symantec AntiVirus

    NOTE:  For migrations from Symantec AntiVirus to Symantec Endpoint Protection, be sure that the below locations do not also exist


    Type the following commands in command prompt:

    DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer"
    DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp"
    DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp"
    DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer"

    The Quarantine Folder
    The following instructions are to be done from the command prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.


    Delete the Quarantine Folder


    Symantec Endpoint Protection


    Type the following commands in command prompt:

    DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

    RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"


    Symantec AntiVirus

    NOTE:  For migrations from Symantec AntiVirus to Symantec Endpoint Protection, be sure that the below location does not also exist


    Type the following commands in command prompt:

    DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"

    RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"


    Recreate the Quarantine Folder


    Symantec Endpoint Protection

    Type the following command in command prompt:

    MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"


    Symantec AntiVirus

    Type the following command in command prompt:

    MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"


    Start the Symantec service

    Symantec Endpoint Protection

    Click Start, then Run
    Type smc -start
    Click OK

    Symantec AntiVirus

    Click Start, then Run
    Type services.msc
    Click OK
    Right-click and Start the Symantec AntiVirus service

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548



  • 4.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 06, 2009 10:45 AM
    Sandip (and Symantec support in general),

    While I agree this will help clear up the issue it does little/nothing to resolve the underlying issue. Why is the application doing this and how can it be fixed to prevent this from happening again?

    Thanks


  • 5.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 06, 2009 02:13 PM
    Which version of SEP client are you using?

    Yes, there was a problem in the MR2.MP2 or MR3 client, which has been resolved in MR4.

    Now the current version is SEP 11 RU5.

    Upgrade your clients to RU5.

    Regards...
    Ramji Iyyer


  • 6.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 06, 2009 02:25 PM
    Yes, make sure that you are at least using MR4 MP2.


  • 7.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 06, 2009 03:59 PM
    We are using MR4MP2 and RU5.  Yet we still experience the issue on occasion.



  • 8.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 08, 2009 07:28 AM
    Dear sand

    The below solution helped me to remove the temp files from the xfer folder. Thanks for the solution. But I am looking for a permanent remedy to get rid of this annoying stuff. Please help me.


  • 9.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 08, 2009 07:40 AM

    All,

    I just want to let you know where we are with this.  We have genuinely fixed the issue in certain circumstances, but accept it's not completely fixed and are working to understand why.  It is also compounded a little due to the fact that in some instances we are actually seeing REAL threats being detected in these files.

    We have one of our highest level engineers working on this at the moment, but we do have a couple of questions which would assist us greatly:

    1. When you see the issue, how is it being reported?  Is it in realtime, or through a scheduled scan?
    2. Is it reported more than once (i.e. does it come back on the same machine, and how many times)?
    3. Do you have client logs that you can upload for us to take a look at?

    Many thanks, further updates here as I get them.



  • 10.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 11, 2009 03:25 AM
    Here are the answers to your queries:

    1) It's reporting in realtime. We can see the threats in the Quarantined list of the server.

    2) Yes, this is recurring in 95% of clients. In some cases reinstalling the SEP client will solve the problem; otherwise we have to reinstall the OS.

    3) I have the client logs. Give me your email ID and I can forward the same to you.


  • 11.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 13, 2009 07:45 PM

    Thanks, Riyasbasheer.

    Please mail them to Gustaves.

    Here is another more general question, or you can wait until I look at the information you send me.

    << I would appreciate it if someone can look in their quarantine as the problem starts to occur. You will see quarantine of many files from the xfer folder. Please look before that and see what was detected with the same threat name. Please upload a screenshot of the details of the quarantine entry. >>

    So in your case, Riyasbasheer - the initial detection was real-time, or all folders in the xfer folder are detections by real-time?

    << Additionally it would be helpful if someone can verify that when you see a list of files quarantined from the xfer folder, that every few quarantine entries the entry is missing a file name. >>

    Gustaves



  • 12.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 16, 2009 03:12 PM
    Any updates on the permanent solution?


  • 13.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 28, 2009 11:15 AM
    Had this issue today on a laptop in my company!

    More than 22.000 files were created in the xfer directory - until the disk was full and the employee was unable to use the computer.
    These program failures are causing a lot of money!

    Hope there is a fix / permanent solution very soon!


  • 14.  RE: Symantec EP making a lot of files under XFER folder.

    Posted Oct 29, 2009 12:57 PM

    Hi everybody,

    Here is a work-around and my update on the issue.

    The likely work-around is to disable rescanning of the quarantine items when new definitions arrive. I have not yet seen here the scenario where the files get leaked, but the only time they are created is during rescan of quarantine items.

    To easily disable rescanning of quarantine items on SEP 11.x set the registry key

    [HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine]
    "DefWatchMode"=dword:00000003

    Once that is set you can clean up the quarantine folder as outlined above and things will stay under control.

    What is happening is that during scanning of the files in the quarantine, either when new definitions arrive, or when you open the Quarantine dialog to rescan the files, we extract a temporary copy of each quarantined threat to rescan it. When we do that we are leaking a temporary copy of it into the Xfer folder. There are a couple of reasons that might happen and I am still tracking this down.

    Initially the only item in the quarantine is the originally detected threat. As we leak copies of the threat into the xfer folder they are detected by scheduled scans or indexing, and are quarantined. This gradually feeds on itself.

    The copy in the quarantine folder has a secure wrapper around it so that it isn't detected as a threat. The copy left in the xfer folder is not wrapped.

    Detecting the file in the xfer folder is only a symptom that we leaked the file. The actual problem is the file getting leaked into the folder sometime earlier.

    Any logs from the beginning of the problem are appreciated. Those precede the accumulation of the files in the xfer folder.

    Thanks,
    Gustaves.
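
A read-only check for the condition described in this thread, added here as an example and not code from any poster or from Symantec: it counts the files accumulating in xfer and xfer_tmp and reports whether the DefWatchMode workaround from post 14 is in place. The folder path, registry key and value 3 are taken from the posts; the function names and the 1000-file threshold are assumptions.

```powershell
# Added example (read-only): makes no changes to files or the registry.
# Path and registry key are the ones quoted in the thread.
$SepData       = 'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection'
$QuarantineKey = 'HKLM:\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\Quarantine'

function Get-FolderUsage {
    param([string]$Path)
    $count = 0
    $bytes = 0
    if (Test-Path -LiteralPath $Path) {
        # Top-level files only, matching the thread's DEL /F /Q commands (no /S).
        $items = @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            if (-not $item.PSIsContainer) { $count++; $bytes += $item.Length }
        }
    }
    New-Object PSObject -Property @{
        Path   = $Path
        Files  = $count
        SizeMB = [math]::Round($bytes / 1MB, 1)
    }
}

function Test-XferLeak {
    param([int]$MaxFiles = 1000)   # assumed threshold, tune per site

    $xfer    = Get-FolderUsage (Join-Path $SepData 'xfer')
    $xferTmp = Get-FolderUsage (Join-Path $SepData 'xfer_tmp')

    # Post 14: DefWatchMode = 3 disables rescanning of quarantined items,
    # the step during which the unwrapped temporary copies are created.
    $prop = Get-ItemProperty -Path $QuarantineKey -Name DefWatchMode -ErrorAction SilentlyContinue
    $mode = if ($prop) { $prop.DefWatchMode } else { $null }

    New-Object PSObject -Property @{
        Computer       = $env:COMPUTERNAME
        XferFiles      = $xfer.Files
        XferSizeMB     = $xfer.SizeMB
        XferTmpFiles   = $xferTmp.Files
        XferTmpSizeMB  = $xferTmp.SizeMB
        DefWatchMode   = $mode
        RescanDisabled = ($mode -eq 3)
        Accumulating   = (($xfer.Files + $xferTmp.Files) -gt $MaxFiles)
    }
}

Test-XferLeak | Format-List
```

A host that reports Accumulating as True and RescanDisabled as False matches the feedback loop described above; logs collected before the file count grows are the ones Gustaves asks for.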