Endpoint Protection


Temp file trojan


  • 1.  Temp file trojan

    Posted Dec 16, 2010 09:52 PM

     Hi Experts

    I am having a problem on my computer. A lot of temp files are created and were put into the quarantine list as trojans. How do I trace the culprit of those temp files? I want to know which program created them, and whether they are really trojans. I couldn't delete them from the Endpoint console. FYI, I am using VMware Workstation. Is it possible those files were created by VMware? Below is a screenshot.



  • 2.  RE: Temp file trojan

    Broadcom Employee
    Posted Dec 16, 2010 10:47 PM

    hi,

    What is the SEP version? This issue has been fixed in RU6 MP1; however, RU6 MP2 is out. Install the current version. That should fix the issue.

    Information on issue

    http://www.symantec.com/business/support/index?page=content&id=TECH92399&locale=en_US



  • 3.  RE: Temp file trojan

    Posted Dec 17, 2010 03:46 AM

    As mentioned above, upgrading is the first solution.

    DWH***.tmp files are detected in the user profile temp directory.

    http://www.symantec.com/docs/TECH92399


    Large numbers of .tmp files are being created in the xfer_tmp or 7.5/xfer folder and are being detected as threats.

    http://www.symantec.com/business/support/index?page=content&id=TECH93590&locale=en_US



  • 4.  RE: Temp file trojan

    Posted Dec 17, 2010 08:54 AM

    Are you familiar with CCleaner? It is a simple utility program that erases temp files. Run a scan and copy the temp file into the search box.



  • 5.  RE: Temp file trojan

    Posted Dec 17, 2010 04:55 PM

    I ran into this also.  

    What is happening is that Symantec rescans the files in Quarantine when it downloads new definition files. When it does this, it places those files in the Temp folder as a file named DWH***.tmp. Unfortunately it then detects those files as Trojan.Gen and quarantines them.

    What I did to fix it was:

    1. Clear out the temp folder.  You can do this either from the GUI or from a command prompt.
    2. Clear out the quarantine folder.  You can do this from the SEP GUI.

    Once those are both cleaned out, it should stop happening.

    I also wrote a batch script that clears out all the Temp folders, for all users, and Recycler.

    You may need to modify it not to include C:\Temp.  Some of our clients were re-pointed to C:\Temp for their temp locations; if yours are not, just remove that line.

    This also only works in XP right now.  I'm working on modifying it to run in Win7.

    Attachment(s): Temp Files.zip (381 B)
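As an added example (this is not the batch script attached to the post above, which is not reproduced on this page), the following PowerShell script does the first step of the fix described in that post in a reviewable way: it enumerates every user profile's Temp folder (both the XP `Local Settings\Temp` and the Vista/7 `AppData\Local\Temp` layouts) plus the re-pointed `C:\Temp` location the post mentions, lists any `DWH*.tmp` files left behind by the quarantine rescan, and deletes them only when run with `-Remove` (it also honours `-WhatIf`). The `-Remove` switch, the `-ExtraTempPaths` parameter, the `DWH*.tmp` filter and the profile paths are assumptions made for this example; it needs PowerShell 3.0 or later for `-Directory`/`-File`, and the quarantine itself still has to be emptied from the SEP GUI as the post's second step says.

```powershell
<#
  Added example, not the script from the thread.
  Lists DWH*.tmp files in every user's Temp folder and removes them
  only when -Remove is supplied. Run from an elevated prompt so that
  other users' profiles are readable.

  Usage:
    .\Find-DwhTemp.ps1                 # report only
    .\Find-DwhTemp.ps1 -Remove -WhatIf # show what would be deleted
    .\Find-DwhTemp.ps1 -Remove         # delete
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove,
    # Assumption: C:\Temp matches the re-pointed temp location the post mentions.
    [string[]]$ExtraTempPaths = @('C:\Temp')
)

# Profile roots for the two Windows layouts the thread talks about.
$profileRoots = @(
    (Join-Path $env:SystemDrive 'Users'),                   # Vista / Win7
    (Join-Path $env:SystemDrive 'Documents and Settings')   # XP
)

# Build the candidate Temp directory list; keep only ones that exist.
$tempDirs = @()
foreach ($root in $profileRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $profiles = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue
    foreach ($profile in $profiles) {
        $tempDirs += Join-Path $profile.FullName 'AppData\Local\Temp'   # Vista / Win7
        $tempDirs += Join-Path $profile.FullName 'Local Settings\Temp'  # XP
    }
}
$tempDirs += $ExtraTempPaths
$tempDirs = @($tempDirs | Where-Object { Test-Path -LiteralPath $_ } | Sort-Object -Unique)

# Only the DWH*.tmp pattern from the thread is touched; everything else is left alone.
$found = @(foreach ($dir in $tempDirs) {
    Get-ChildItem -LiteralPath $dir -Filter 'DWH*.tmp' -File -Force -ErrorAction SilentlyContinue
})

if ($found.Count -eq 0) {
    Write-Host "No DWH*.tmp files found in $($tempDirs.Count) Temp folder(s)."
    return
}

# Report first so the operator can see what is about to be removed.
$found | Select-Object FullName, Length, CreationTime | Format-Table -AutoSize
Write-Host "$($found.Count) DWH*.tmp file(s) found."

if ($Remove) {
    foreach ($file in $found) {
        # ShouldProcess gives -WhatIf / -Confirm support for free.
        if ($PSCmdlet.ShouldProcess($file.FullName, 'Remove DWH temp file')) {
            Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Continue
        }
    }
}
```

The report-by-default design is deliberate: the files are quarantine artifacts, so seeing their paths and creation times confirms which profile produced them before anything is deleted, and a locked file (the thread's "Access denied" case) is reported by `Remove-Item` rather than silently skipped.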


  • 6.  RE: Temp file trojan

    Posted Dec 17, 2010 04:58 PM

    Which version do you run? It should be fully resolved if you upgrade to RU6 MP2 (current version).



  • 7.  RE: Temp file trojan

    Posted Dec 17, 2010 05:05 PM

    Just realized I uploaded the wrong version of the zip.  The one I uploaded would only remove the files and not the folders in the Temp directories.  Sorry.

    Here is the right one.

    Attachment(s): Temp Files_0.zip (381 B)


  • 8.  RE: Temp file trojan

    Posted Dec 19, 2010 09:24 PM

    Hi

    I have installed and upgraded to Symantec_Endpoint_Protection_11.0.6_MP2_Xplat_EN_DVD as was suggested in this forum. Since that upgrade I am running into some problems.

    I can't make any reports in the SEP console, and the monitor page shows nothing for any summary. It seems the update has a problem. How could I remove that, or is there any better solution?

    Rgds



  • 9.  RE: Temp file trojan

    Posted Dec 20, 2010 12:51 AM

    Are the reports blank, or does the page not appear at all?



  • 10.  RE: Temp file trojan

    Posted Dec 20, 2010 01:09 AM

    Yes, it's totally blank. I have attached a screenshot. Apparently I cannot log out as well. Even after I have logged out, the console is still active and the buttons are still alive.



  • 11.  RE: Temp file trojan

    Posted Dec 20, 2010 02:01 AM

    Actually, I just want to remove that update already, since I am still getting temp file trojan alerts. Can anyone please guide me to remove the update (Symantec_Endpoint_Protection_11.0.6_MP2_Xplat_EN_DVD) or replace it with the correct one?

    I am not sure about compatibility as well. I am using Windows 2008 (Standard) for the SEP server.



  • 12.  RE: Temp file trojan

    Posted Dec 20, 2010 03:55 AM

    I don't think there is a way to downgrade the console. What you can do is perform disaster recovery with your previous version and DB backup.

    Preparing for and Recovering from Disaster with Symantec Endpoint Protection
    http://www.symantec.com/docs/TECH105658

    Best Practices for Disaster Recovery with the Symantec Endpoint Protection Manager
    http://www.symantec.com/docs/TECH102333



  • 13.  RE: Temp file trojan

    Posted Dec 21, 2010 11:01 PM

    OMG, that will be a lot of things, bro. Do I need to do the whole process? I just want the reporting function to be back to normal.



  • 14.  RE: Temp file trojan

    Broadcom Employee
    Posted Dec 22, 2010 12:42 AM

    It is needed in case of disaster in an upgrade etc. Else the client will not communicate with SEPM and you have to manually update the SEP clients with sylink.



  • 15.  RE: Temp file trojan

    Posted Dec 22, 2010 02:31 AM

    I don't see why the reporting component should not work... I would start with troubleshooting the reporting component and not with disaster recovery, which is the very last option :-)



  • 16.  RE: Temp file trojan

    Posted Dec 22, 2010 03:32 AM

    Hihi

    Then where do I start troubleshooting the reporting component?

    Thanks a lot



  • 17.  RE: Temp file trojan

    Posted Dec 22, 2010 04:01 AM

    What happens when you put in the address http://YOU_SEPM_ADDRESS:8014/reporting ?

    I saw the screenshot you put a few posts above - do you run the console via Citrix?



  • 18.  RE: Temp file trojan

    Posted Dec 22, 2010 04:23 AM

    Hi

    It seems fine on remote login; page as file attached.

    http://YOU_SEPM_ADDRESS:8014/reporting

    But I don't know why I can't find that info on the server admin page.

    No, I am not using Citrix. SEPM is running on Windows Server 2008.

    There is another Sybase database software running on that server also.



  • 19.  RE: Temp file trojan

    Posted Dec 22, 2010 04:28 AM

    Ok, to sum up: when you go through the web browser the report charts are there, but if you open the SEPM console (locally) they are blank, on exactly the same page, right?



  • 20.  RE: Temp file trojan

    Posted Dec 22, 2010 04:42 AM

    Yup, exactly.



  • 21.  RE: Temp file trojan

    Posted Dec 22, 2010 05:03 AM

    Don't you log in to this server via Remote Desktop, BTW?



  • 22.  RE: Temp file trojan

    Posted Dec 22, 2010 11:11 PM

    Usually I use VNC Viewer for remote administration.



  • 23.  RE: Temp file trojan

    Posted Dec 28, 2010 09:52 PM

    Hi

    Thanks for helping me along the way.

    I am still unable to put the tmp files into the exception list.

    I keep getting the below error:

    Scan type: Auto-Protect Scan

    Event: Risk Found!
    Security risk detected: Trojan Horse
    File: C:\Users\thet\AppData\Local\Temp\DWHCA05.tmp
    Location: C:\Users\thet\AppData\Local\Temp
    Computer: HP
    User: thet
    Action taken: Pending Side Effects Analysis : Access denied
    Date found: Wednesday, December 29, 2010  10:43:31 AM
    And I have another problem:

    Whenever I log in to the SEP management server to change some policy settings, I am not able to log out. Meaning the session seems still alive even though I have logged out. I could still go into the policies page, ever since I installed the update.


  • 24.  RE: Temp file trojan

    Broadcom Employee
    Posted Dec 28, 2010 11:00 PM

    Did you check by manually scanning the system in safe mode? If not, it's worth giving it a try. It's RU6 MP2, right?