virus solution
Created: 27 Sep 2012 | Updated: 05 Oct 2012 | 15 comments
This issue has been solved.
Hi - Found a lot of virus files in our network. Any solution?
Virus - Trojan.Gen.2
Below are some forum threads which can help you:
https://www-secure.symantec.com/connect/forums/trojangen2-0
https://www-secure.symantec.com/connect/forums/trojangen2
https://www-secure.symantec.com/connect/forums/unable-fully-remove-trojangen2-sep
Commented by a Technical Engineer in one forum; hope that helps you.
https://www-secure.symantec.com/connect/forums/unable-fully-remove-trojangen2-sep
This is a known issue with the older versions of Symantec Endpoint Protection 11.x.
In case you are running an older version of SEP, it would be advised to install the latest version of SEP 11.0.7101, or migrate to SEP 12.1.1000.
Check this:
DWH***.tmp files are detected in the user profile temp directory
http://www.symantec.com/docs/TECH92399
When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect
http://www.symantec.com/docs/TECH102953
AND
Create a policy as suggested below:
Disable re-scanning of quarantine files.
From the SEP-Manager:
- Edit the Antivirus and Antispyware policy of affected clients.
- In the policy editor click "Quarantine" on the left-hand menu.
- On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"
Also, to remove the DWxxxxxx.tmp, follow the steps as provided in the Article below:
https://www-secure.symantec.com/connect/articles/issue-related-low-disk-space
Hope that helps!!
Regards
Sumit G.
Best Practices for Troubleshooting Viruses on a Network
http://www.symantec.com/business/support/index?page=content&id=TECH122466
http://www.symantec.com/theme.jsp?themeid=stopping_malware&depthpath=0
http://www.symantec.com/business/support/index?page=content&id=TECH166816
How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files
http://www.symantec.com/business/support/index?page=content&id=TECH141402
What was the action taken on them? Were they cleaned/deleted?
SEP Knowledge Base
Endpoint SWAT
I have deleted the files but still find new virus files on the systems.
Hello
Where were these files found?
Are they quarantined?
Generally these files are derived from software.
What is your security solution currently used?
hugs
Fabiano Pessoa
Systems Analyst - Forensic Expert
Hi,
What SEP version are you using?
Is your system infected? Symantec tools to help clear an infection
https://www-secure.symantec.com/connect/forums/your-system-infected-symantec-tools-help-clear-infection
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
SEP version is 11.0.7.
A lot of virus files found on different systems; the files have been quarantined, but a permanent fix is required.
Ensure that every system in your network is defended by a functioning, up-to-date SEP client. If you have even one undefended computer and it is infected, it can continuously attempt to infect all of the machines on the network. The SEPM has reports that show which clients are up-to-date, which have AV that is working, etc.
Use Risk Tracer to identify where the infections are coming from.
Also, ensure that autorun is disabled, network shares are password protected, and that a strong password policy is enforced throughout the organization.
Hope this helps!
With thanks and best regards,
Mick
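Two of the points in the reply above (AutoRun disabled, a working SEP client on every machine) can be spot-checked on a client without opening the SEPM console. The script below is an added example, not code from the thread or from Symantec. It assumes the Microsoft-documented NoDriveTypeAutoRun registry value (0xFF disables AutoRun for all drive types) and takes the service display name "Symantec Endpoint Protection" from this thread; run it as an administrator on the client being checked.

```powershell
# Added example (not from the original thread): spot-check AutoRun and the SEP
# client service on one Windows client. PowerShell 2.0-compatible syntax so it
# also runs on the XP/2003 clients this thread is about.
# Assumptions: NoDriveTypeAutoRun is the Microsoft policy value for AutoRun
# (0xFF = disabled for all drive types); the service display name is the one
# given in this thread.

function Test-AutoRunDisabled {
    # Machine policy first, then the current user's policy key.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $v = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
            # All eight drive-type bits must be set for AutoRun to be fully off.
            if ($v -ne $null -and (($v -band 0xFF) -eq 0xFF)) { return $true }
        }
    }
    return $false
}

function Test-SepClientRunning {
    $svc = Get-Service -DisplayName 'Symantec Endpoint Protection' -ErrorAction SilentlyContinue
    return ($svc -ne $null -and $svc.Status -eq 'Running')
}

$report = New-Object PSObject -Property @{
    Computer        = $env:COMPUTERNAME
    AutoRunDisabled = Test-AutoRunDisabled
    SepRunning      = Test-SepClientRunning
}
$report | Format-List
```

A client that reports AutoRunDisabled = False or SepRunning = False is one of the "undefended" machines the reply warns about and should be fixed before cleaning the rest of the network, otherwise it will keep re-infecting them.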
Hi ikr_mak,
What Symantec product are you using to defend your network, and what components? (AV and IPS and Firewall, I hope; using traditional AV alone is fighting with one arm tied behind your back.)
Here are some recommendations which may help:
Please do keep this forum thread up-to-date with your progress!
With thanks and best regards,
Mick
Hello,
Could you please provide more insight on the files found as "Trojan.Gen.2"?
Please provide information such as the name of the file, the path of the file, the action taken, and, if possible, upload the risk log.
What Version of SEP 11.x are you running?
I agree with the Suggestion provided by Sumit and Mick.
Hope that helps!!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | MCTS | STS | ITIL v3
Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
Hello
Trojan files found in user profiles, which have been scanned and quarantined, but in a big quantity.
File name - *.tmp
Action Taken - Scanned and cleared
Path - C:\users profile
One snapshot attached for reference.
SEP Ver - 11.0.7
If you are using 11.0.7 (RU7 MP1),
then read the comment below:
The issue of multiple DWH files being created and retained has been improved in SEP 11 Release Update 7 Maintenance Patch 2 (RU7 MP2) and SEP 12.1 RU1 MP1. Please see Migrating to Symantec Endpoint Protection 11.0.7200 (RU7 MP2) or Upgrading or migrating to Symantec Endpoint Protection 12.1.1101 (RU1 MP1) for details on how to apply this update
As per the attached suggestion, we are going to upgrade to Endpoint Protection 11.0.7200 (RU7 MP2).
Hello,
Check the Security Featured Thread:
Generic Trojan - DWH*.tmp in Temp folder
https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder
If such detections continue after deleting old .tmp files and updating to SEP 11 RU6a, see the following:
Stop the Symantec Endpoint Protection service.
Deleting the files
NOTE: The following instructions are to be done from the Command Prompt, as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large number of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.
Open the Command Prompt
Deleting files from User Temp folder
DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"
DEL /F /Q C:\temp
DEL /F /Q C:\WINDOWS\Temp
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"
The Quarantine Folder
NOTE: The following instructions are to be done from the Command Prompt, as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large number of files that can reside there.
Delete the Quarantine Folder
Type the following commands in the Command Prompt:
DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
Recreate the Quarantine Folder
Type the following command in Command Prompt:
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
Start the Symantec service
From the SEP-Manager:
- Edit the Antivirus and Antispyware policy of affected clients.
- In the policy editor click "Quarantine" on the left-hand menu.
- On the general tab click "Do nothing" under the heading "When new Virus Definitions Arrive"
http://www.symantec.com/business/support/index?pag...
http://www.symantec.com/business/theme.jsp?themeid...
Thanks & Regards,
Nagesh Singh
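The command-prompt procedure in the reply above (stop the service, empty the Temp and xfer folders, delete and recreate the Quarantine folder, start the service) as one PowerShell script with a dry-run mode. This is an added example, not code from the thread or from Symantec. The directory paths and the service display name are the ones listed in the reply; the script goes beyond the reply in one way, assumed rather than stated there: it walks every profile under C:\Documents and Settings and C:\Users instead of one named user. It also assumes the client allows the service to be stopped with Stop-Service (a client protected against being stopped will fail at that step). Run -DryRun first, as administrator, to see the file counts before anything is deleted.

```powershell
# Added example (not from the original thread): the cleanup procedure from the
# reply above as a script. Paths and service display name are from the reply.
# Assumptions: every profile's Temp folder is cleaned (the reply shows one user);
# Stop-Service is permitted on this client. PowerShell 2.0-compatible syntax.
param([switch]$DryRun)

$sepDisplayName = 'Symantec Endpoint Protection'

# Directories whose contents are deleted; the directories themselves are kept.
$contentDirs = @(
    'C:\temp',
    'C:\WINDOWS\Temp',
    'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp',
    'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer',
    'C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp',
    'C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer'
)
# Per-user Temp folders for every profile present (XP/2003 and Vista+ layouts).
$contentDirs += @(Get-ChildItem 'C:\Documents and Settings' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'Local Settings\Temp' })
$contentDirs += @(Get-ChildItem 'C:\Users' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })

# Quarantine folders are removed entirely and recreated empty, as in the reply.
$quarantineDirs = @(
    'C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine',
    'C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine'
)

# Deletes only the files directly inside $dir (equivalent of DEL /F /Q without /S)
# and returns how many there were. Missing directories are skipped.
function Clear-DirContents([string]$dir, [bool]$dryRun) {
    if (-not (Test-Path $dir)) { return 0 }
    $files = @(Get-ChildItem $dir -Force -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })
    if (-not $dryRun) { $files | Remove-Item -Force -ErrorAction SilentlyContinue }
    return $files.Count
}

$svc = Get-Service -DisplayName $sepDisplayName -ErrorAction SilentlyContinue
if ($svc -eq $null) { throw "Service '$sepDisplayName' not found on this client" }
if (-not $DryRun) {
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus('Stopped', '00:02:00')
}

try {
    foreach ($d in $contentDirs) {
        $n = Clear-DirContents $d $DryRun
        if ($n -gt 0) { Write-Host ("{0,7} file(s)  {1}" -f $n, $d) }
    }
    foreach ($q in $quarantineDirs) {
        if (Test-Path $q) {
            $n = @(Get-ChildItem $q -Recurse -Force -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer }).Count
            Write-Host ("{0,7} file(s)  {1}  (quarantine, recreated empty)" -f $n, $q)
            if (-not $DryRun) {
                Remove-Item $q -Recurse -Force      # DEL /F /S /Q + RD /S /Q
                New-Item -ItemType Directory -Path $q | Out-Null   # MD
            }
        }
    }
} finally {
    # Bring the client back even if a deletion threw.
    if (-not $DryRun) { Start-Service -InputObject $svc }
}
```

This removes the accumulated DWH*.tmp files but does not stop them from being generated again: the cause named in this thread is the client re-scanning the quarantine whenever new definitions arrive, so the SEPM policy change ("Do nothing" under "When new Virus Definitions Arrive") or the upgrade to RU7 MP2 still has to be applied afterwards.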
Hello
I will try your attached steps and will confirm.