Endpoint Protection

  • 1.  virus help

    Posted Aug 23, 2009 04:31 PM
    I seem to have a virus on my Vista computer.  Symantec Endpoint Protection constantly runs a scan and keeps finding a downloader over and over.  It says it quarantines the virus, but then it finds the downloader again a few seconds later.  It finds the downloader thousands of times and never gets rid of it.  The pop-up box says the following:

    Scan type: Scheduled Scan
    Event: Security Risk Found!
    Security risk detected: Downloader
    File: c:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\4a7ba68d.tmp
    Location: Quarantine
    Computer: HTPC-PC
    User: SYSTEM
    Action taken: Quarantine succeeded
    Date found: Sunday, August 23, 2009  2:12:45 PM

    Can someone help me get rid of the virus permanently?

    Thanks,
    Jason


  • 2.  RE: virus help

    Posted Aug 23, 2009 04:42 PM

    We had to run Malwarebytes to remove the downloader; we also stopped autorun of USB devices, and that got us cleaned up.


  • 3.  RE: virus help

    Posted Aug 23, 2009 05:36 PM
    This post:
    http://www.symantec.com/connect/forums/symantec-endpoint-xfer-folder-looping-getting-out-hand

    As stated in the post - it may be the indexing service.
    You can exclude the folder from scanning - that will get around the issue...

    Regards,

    Chris Bulovic


  • 4.  RE: virus help

    Posted Aug 24, 2009 04:24 AM
    Was it a migration/upgrade from SAV?

    Try these steps

    1.) If the client computer is running Windows XP, disable "System Restore" as per KB: http://www.symantec.com/security_response/writeup....

    2.) Restart the computer in Safe Mode

    3.) Stop SEP services
    "Symantec Endpoint Protection" from START -> RUN -> services.msc
    "Symantec Management client" with command START -> RUN -> smc -stop

    4.) Delete the folder "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\"
    (in newer installations: "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\")

    5.) Delete all files .tmp in folder "c:\windows\temp\"

    Important: empty the recycle bin...

    6.) Restart SEP services (same as point 3 , except "smc -start")

    7.) Run a full-scan

    8.) Restart the computer in normal mode and, if no new malware/virus detection alerts are shown, re-enable "System Restore" from step "1".

    Technical explanation

    "The 'xfer' and 'xfer_temp' folders still store files scanned by AutoProtect transferred from migrations of legacy Symantec AntiVirus (SAV) installations."
    To be honest, it seems that under some unexpected circumstances (for example, a damaged file) SEP starts a loop where a file goes into quarantine (.vbn archives), then it extracts this file into a .tmp file to rescan it, it is again detected and quarantined, and so on...

    Official Symantec KB on this issue
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548

    Try all the steps... it should resolve the issue. It worked for me before.
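The symptom described in post 1 (the same risk quarantined from the xfer folder every few seconds, thousands of times) looks different in the alert stream from a genuine, separate infection, and an administrator triaging many clients would want to tell the two apart before following the cleanup steps in post 4. The script below is an added example, not code from this thread or from Symantec: it parses alerts in the pop-up layout quoted above, groups them by computer, risk name and folder, and flags a group as a suspected rescan loop when the hits come from an `xfer` or `xfer_temp` folder, repeat at least `min_hits` times and fall within `window_seconds`. The sample alerts (the timestamps after the first and the .tmp names), the two thresholds and the function names are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Folder names that post 4 identifies as SEP's quarantine transfer area.
XFER_FOLDER_NAMES = {"xfer", "xfer_temp"}

# Constructed sample in the pop-up layout quoted in post 1: three "Downloader" hits
# from the xfer folder on HTPC-PC a few seconds apart (the loop symptom) and one
# unrelated single detection. Timestamps after the first and .tmp names are made up.
SAMPLE_ALERTS = """\
Scan type: Scheduled Scan
Event: Security Risk Found!
Security risk detected: Downloader
File: c:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\xfer\\4a7ba68d.tmp
Location: Quarantine
Computer: HTPC-PC
User: SYSTEM
Action taken: Quarantine succeeded
Date found: Sunday, August 23, 2009  2:12:45 PM

Scan type: Scheduled Scan
Event: Security Risk Found!
Security risk detected: Downloader
File: c:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\xfer\\4a7ba6a1.tmp
Location: Quarantine
Computer: HTPC-PC
User: SYSTEM
Action taken: Quarantine succeeded
Date found: Sunday, August 23, 2009  2:12:52 PM

Scan type: Scheduled Scan
Event: Security Risk Found!
Security risk detected: Downloader
File: c:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\xfer\\4a7ba6b3.tmp
Location: Quarantine
Computer: HTPC-PC
User: SYSTEM
Action taken: Quarantine succeeded
Date found: Sunday, August 23, 2009  2:13:01 PM

Scan type: Scheduled Scan
Event: Security Risk Found!
Security risk detected: Downloader
File: c:\\Users\\Public\\Downloads\\installer.exe
Location: Quarantine
Computer: HTPC-PC
User: SYSTEM
Action taken: Quarantine succeeded
Date found: Sunday, August 23, 2009  2:20:30 PM
"""


def parse_alerts(text):
    """Split pop-up text into one dict per alert; 'Date found' is parsed into 'when'."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, so the
            if sep:                                 # drive letter in a path survives
                fields[key.strip()] = value.strip()
        if "Date found" in fields:
            # SEP writes two spaces before the time; collapse them before parsing.
            stamp = " ".join(fields["Date found"].split())
            fields["when"] = datetime.strptime(stamp, "%A, %B %d, %Y %I:%M:%S %p")
            alerts.append(fields)
    return alerts


def find_quarantine_loops(alerts, min_hits=3, window_seconds=600):
    """Group alerts by (computer, risk, folder) and flag groups that match the xfer
    rescan loop: repeated hits from an xfer folder inside a short window.
    The thresholds are assumptions for this example, not Symantec guidance."""
    groups = defaultdict(list)
    for alert in alerts:
        folder = PureWindowsPath(alert.get("File", "")).parent
        key = (alert.get("Computer", "?"),
               alert.get("Security risk detected", "?"),
               str(folder).lower())
        groups[key].append(alert["when"])

    findings = []
    for (computer, risk, folder), times in groups.items():
        times.sort()
        span = (times[-1] - times[0]).total_seconds()
        in_xfer = PureWindowsPath(folder).name in XFER_FOLDER_NAMES
        findings.append({
            "computer": computer,
            "risk": risk,
            "folder": folder,
            "hits": len(times),
            "span_seconds": span,
            "rescan_loop": in_xfer and len(times) >= min_hits and span <= window_seconds,
        })
    return findings


if __name__ == "__main__":
    for f in find_quarantine_loops(parse_alerts(SAMPLE_ALERTS)):
        verdict = "suspected xfer rescan loop" if f["rescan_loop"] else "ordinary detection"
        print(f"{f['computer']}: {f['hits']}x {f['risk']} in {f['folder']} "
              f"over {f['span_seconds']:.0f}s -> {verdict}")
```

Run against the constructed sample, the three xfer hits collapse into one group spanning 16 seconds and are reported as a suspected rescan loop, while the single detection under Downloads stays an ordinary finding; a group flagged as a loop is the case where the xfer cleanup or scan exclusion from posts 3 and 4 applies, whereas an unflagged repeat outside the xfer folder still deserves the Malwarebytes-style cleanup from post 2.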