Endpoint Protection

I have a few systems that are generating hundreds of random *.qsp files in the C:\Windows\Temp directory.  These fiels are being blocked by SEP (v.11 RU6 MP3), but not quarantined. I'm unable to delete them as they are all in use/access denied.  It's been several days and SEP still hasn't been able to detect and/or kill whatever is generating these files.

I need to determine what file or process is generating these files. The system is remote, so my options are limited.  Remote process explorer doesn't reflect any unusual files, but something is locking the .qsp files, I just can't tell what.  I understand malware remediation, so please don't tell me how to clean the system.

Any suggestions on (remote) tools and/or processes to determine what is generating and/or locking these files?

Thanks for any help.

What is SEP is blocking it and what is it being blocked as ?

Install Unlocker utility(its a free program) to find what is using the file or where these files are hooked to.

Log on in safe mode to delete the files. Use a program like combofix to get to the root of the problem.

SEP detects it as a generic 'Backdoor.Trojan'.

Unfortunately, Unlocker does not appear to work remotely.  It gives a "no locking handle found" error even though the file is locked. Thanks for the suggestion, though.

The system is remote, hence the need for a remote solution as I mentioned. That rules out Safe Mode.

I can run any number of programs (besides SEP since it obviously isn't working) to eradicate the malware.  However, because it isn't being detected I don't want to just remove it, I want to determine what it is and where it is so I can address it (again, since SEP isn't able to remediate).

I use combofix to isolate the files and then submit them to Symantec for further inspection.

Try running Norton Power Eraser (with rootkit scanning mode)

Again, I need a tool that can be run remotely. Both Combofix and Norton Power Eraser can only scan the system it is installed on, not a remote system.

Here's a picture.  I'm on Computer A.  Computer B is in another part or the world.  I need to analyze computer B from Comuter A. I cannot physically sit down at computer B and I do not have console access to Computer B.

Most of my access is via command prompt. PSList, for example, doesn't show any odd processes. I also used Remote Process Explorer (nice tool), which shows more detailed view of processes, but still nothing appears odd or out of place.

Anyone know of any command line tools that can show what file/process is locking another file?

I can be because of Corrupt SEP.

https://www-secure.symantec.com/connect/forums/why-it-so-difficult-get-rid-ofwork-qsp-files#comment-5257001

Try running this tool

https://www-secure.symantec.com/connect/downloads/squash-symtmps-mikes-tool-set

Also Disable fowarding new threats to a quarantine server on AntiVirus and AntiSpyware policy.

Hello,

Please check this Thread:

https://www-secure.symantec.com/connect/forums/why-it-so-difficult-get-rid-ofwork-qsp-files

https://www-secure.symantec.com/connect/forums/some-qsp-file-generating-pc

Hope that helps!!

Hi,

I am encountering the same issue with SEP 12.1

Why are qsp & tmp files being created in C:\Windows\Temp folder? It causes the C drive to be disk full.

Is there any setting whereby I need to change in SEPM 12.1?

Is that happening on one client or multiple clients ?