Temp file trojan
Created: 16 Dec 2010 | Updated: 27 Dec 2010 | 23 comments
Hi Experts,
I'm having a problem on my computer. A lot of temp files are created and were put into the quarantine list as trojans. How do I trace the culprit of those temp files? I want to know which program created them, and whether they are really trojans. I couldn't delete them from the Endpoint console. FYI, I am using VMware Workstation. Is it possible those files were created by VMware? Below is a screenshot.
Hi,
What is the SEP version? This issue has been fixed in RU6 MP1; however, RU6 MP2 is out. Install the current version. That should fix the issue.
Information on issue
http://www.symantec.com/business/support/index?page=content&id=TECH92399&locale=en_US
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
As mentioned above, the upgrade is the first solution.
DWH***.tmp files are detected in the user profile temp directory.
http://www.symantec.com/docs/TECH92399
Large numbers of .tmp files are being created in the xfer_tmp or 7.5/xfer folder and are being detected as threats.
http://www.symantec.com/business/support/index?page=content&id=TECH93590&locale=en_US
Prachand MCSE-2012 Symantec Technical Specialist (SCTS)
Are you familiar with CCleaner? It is a simple utility program that erases temp files. Run a scan and copy the temp file into the search box.
I ran into this also.
What is happening is that Symantec rescans the files in Quarantine when it downloads new definition files. When it does this, it places those files in the Temp folder as files named DWH***.tmp. Unfortunately it then detects those files as Trojan.Gen and quarantines them.
What I did to fix it was:
Once those are both cleaned out, it should stop happening.
I also wrote a batch script that clears out all the Temp folders, for all users, and Recycler.
You may need to modify it not to include C:\Temp. Some of our clients were re-pointed to C:\Temp for their temp locations; if yours are not, just remove that line.
This also only works in XP right now. I am working on modifying it to run in Win7.
Which version do you run? It should be fully resolved if you upgrade to RU6 MP2 (current version).
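An added example, not the poster's batch script and not Symantec's code: a PowerShell inventory of the DWH*.tmp files described above across every user profile's Temp folder (Win7 and XP layouts), which reports them and, only when -Remove is given, deletes those older than an age threshold so files SEP may still be rescanning are left alone. The profile roots, the threshold and PowerShell 3.0 or later are assumptions.

```powershell
# Added example (assumptions: profile roots below, 60-minute default threshold, PowerShell 3.0+).
param(
    [int]$MinAgeMinutes = 60,   # very recent files may still be in use by SEP's quarantine rescan
    [switch]$Remove             # default is report-only
)

# Profile roots for the two Windows families the thread mentions (Win7/2008 and XP).
$profileRoots = @('C:\Users', 'C:\Documents and Settings')
# Temp folder relative to a profile: Win7 layout first, XP layout second.
$tempRelative = @('AppData\Local\Temp', 'Local Settings\Temp')

$cutoff = (Get-Date).AddMinutes(-$MinAgeMinutes)

$results = @(
    foreach ($root in $profileRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($profile in Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue) {
            foreach ($rel in $tempRelative) {
                $temp = Join-Path $profile.FullName $rel
                if (-not (Test-Path -LiteralPath $temp)) { continue }
                # DWH*.tmp is the name pattern the post attributes to the quarantine rescan.
                foreach ($f in Get-ChildItem -LiteralPath $temp -Filter 'DWH*.tmp' -File -ErrorAction SilentlyContinue) {
                    [pscustomobject]@{
                        Profile   = $profile.Name
                        Path      = $f.FullName
                        SizeKB    = [math]::Round($f.Length / 1KB, 1)
                        Modified  = $f.LastWriteTime
                        OldEnough = ($f.LastWriteTime -lt $cutoff)   # safe to remove by our threshold
                    }
                }
            }
        }
    }
)

# Report first, so an admin can see what is there before anything is touched.
$results | Sort-Object Profile, Modified | Format-Table -AutoSize
$profileCount = @($results | Select-Object -ExpandProperty Profile -Unique).Count
"{0} DWH*.tmp file(s) found in {1} profile(s); {2} older than {3} minutes" -f `
    $results.Count, $profileCount, @($results | Where-Object OldEnough).Count, $MinAgeMinutes

if ($Remove) {
    # Only files past the threshold are removed; failures (file locked by SEP) are reported, not fatal.
    $results | Where-Object OldEnough | ForEach-Object {
        Remove-Item -LiteralPath $_.Path -Force -ErrorAction Continue
    }
}
```

Run it as an administrator so every profile's Temp folder is readable; without -Remove it changes nothing.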
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
Just realized I uploaded the wrong version of the zip. The one I uploaded would only remove the files and not the folders in the Temp directories. Sorry.
Here is the right one.
Hi,
I have installed and upgraded to Symantec_Endpoint_Protection_11.0.6_MP2_Xplat_EN_DVD as was suggested in this forum. Since that upgrade I am running into some problems.
I can't make any reports in the SEP console, and the monitor page shows nothing for any summary. It seems the update has a problem. How could I remove that, or is there any better solution?
Rgds
Are the reports blank, or does the page not appear at all?
Prachand MCSE-2012 Symantec Technical Specialist (SCTS)
Yes, it's totally blank; I have attached a screenshot. Apparently I cannot log out as well: even after I log out, the console is still active and the buttons are still alive.
Actually I just want to remove that update already, since I am still getting temp file trojan alerts. Can anyone please guide me to remove the update (Symantec_Endpoint_Protection_11.0.6_MP2_Xplat_EN_DVD) or replace it with the correct one?
I am not sure about compatibility as well. I am using Windows 2008 (Standard) for the SEP server.
I don't think there is a way to downgrade the console. What you can do is perform disaster recovery with your previous version and DB backup.
Preparing for and Recovering from Disaster with Symantec Endpoint Protection
http://www.symantec.com/docs/TECH105658
Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
http://www.symantec.com/docs/TECH102333
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
OMG, that will be a lot of things, bro. Do I need to do the whole process? I just want the reporting function to be back to normal.
I don't see why the reporting component should not work... I would start with troubleshooting the reporting component and not with disaster recovery, which is the very last option :-)
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
Hihi,
then where do I start troubleshooting the reporting component?
Tks a lot
What happens when you put in the address http://YOU_SEPM_ADDRESS:8014/reporting ?
I saw the screenshot you put a few posts above - do you run the console via Citrix?
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
Hi,
It seems fine on remote login; the page is as in the attached file.
http://YOU_SEPM_ADDRESS:8014/reporting
But I don't know why I can't find that info on the server admin page.
No, I am not using Citrix. SEPM is running on Windows Server 2008;
there is another Sybase database software running on that server also.
OK, to sum up: when you go through the web browser, the report charts are there, but if you open the SEPM console (locally) they are blank, on exactly the same page, right?
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
Yup, exactly.
Don't you log in to this server via Remote Desktop, BTW?
--
Cheers,
Symantec Technical Specialist
Symantec Certified Specialist
MCP & MCITP
Cisco Certified Network Associate
Citrix Certified Administrator
Usually I use VNC viewer for remote administration.
Hi,
Thanks for helping me along the way.
I am still unable to put the tmp files into the exception list.
I keep getting the below error:
Scan type: Auto-Protect Scan
Did you check by manually scanning the system in safe mode? If not, it's worth giving it a try. It's RU6 MP2, right?
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619
It is needed in case of disaster in an upgrade etc. Else the client will not communicate with SEPM and you have to manually update the SEP clients with sylink.
Cheers!
Pete
Help Link: http://www.symantec.com/business/support/overview.jsp?pid=54619