SCSP Agent reports many "Watched File Modified"/"Watched File Deleted" alerts even though these files are still present and untouched on the machine

Article:TECH185165  |  Created: 2012-03-29  |  Updated: 2013-03-26  |  Article URL http://www.symantec.com/docs/TECH185165
Article Type
Technical Solution


Issue



SCSP Agent reports many "Watched File Modified"/"Watched File Deleted" alerts even though these files are still present and untouched on the machine.

These events always appear at the same time of day, while the Symantec Endpoint Protection (SEP) client is running a full system scan. Only files with the read-only attribute seem to be affected.



Error



SISIDSEvents.csv shows that rtvscan.exe (SEP) is the process causing these changes:

2012-03-05 16:56:17.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\cdfhelper.dll,M
2012-03-05 16:56:37.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\drivers\vmci.sys,M
2012-03-05 16:56:37.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\drivers\vmmouse.sys,M
2012-03-05 16:56:37.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\drivers\vmx_svga.sys,M
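Added example, not from this article or from Symantec: a small Python triage script for SISIDSEvents.csv rows of the shape shown above. It separates a scan burst (one process raising many Critical_File_Modified alerts within a few minutes) from alerts that still need individual review; the column names, the five-minute window and the extra msiexec.exe row are assumptions/constructed for the demonstration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
# Constructed sample: the four SISIDSEvents.csv rows quoted above plus one
# unrelated msiexec.exe row, so a genuine change stands apart from scan noise.
SAMPLE_LOG = r"""
2012-03-05 16:56:17.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\cdfhelper.dll,M
2012-03-05 16:56:37.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\drivers\vmci.sys,M
2012-03-05 16:56:37.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\drivers\vmmouse.sys,M
2012-03-05 16:56:37.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\drivers\vmx_svga.sys,M
2012-03-05 18:02:01.000,MonitoredFile_Modification,Critical_File_Modified,C:\Windows\System32\msiexec.exe,R,c:\windows\system32\drivers\example.sys,M
""".strip()
COLUMNS = ("timestamp", "event_class", "event_name", "process", "flag", "target", "action")  # assumed from the visible rows

def parse_events(text):
    events = []  # rows with an unexpected field count are skipped, not guessed
    for rec in csv.reader(StringIO(text)):
        if len(rec) != len(COLUMNS):
            continue
        row = dict(zip(COLUMNS, rec))
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S.%f")
        events.append(row)
    return events

def find_bursts(events, min_events=3, window=timedelta(minutes=5)):
    """process -> sorted targets, for processes with >= min_events alerts inside one window."""
    by_proc = defaultdict(list)
    for e in events:
        if e["event_name"] == "Critical_File_Modified":
            by_proc[e["process"].lower()].append(e)
    bursts = {}
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e["timestamp"])
        flagged, start = set(), 0
        for end, e in enumerate(evs):  # sliding window over sorted timestamps
            while e["timestamp"] - evs[start]["timestamp"] > window:
                start += 1
            if end - start + 1 >= min_events:
                flagged.update(x["target"] for x in evs[start:end + 1])
        if flagged:
            bursts[proc] = sorted(flagged)
    return bursts

def triage(text, scanner_basenames=("rtvscan.exe",)):
    """Scanner-induced bursts vs. everything else, which still needs a look."""
    events = parse_events(text)
    bursts = find_bursts(events)
    noise = {p: t for p, t in bursts.items() if p.rsplit("\\", 1)[-1] in scanner_basenames}
    review = [e for e in events if e["process"].lower() not in noise]
    return {"scanner_noise": noise, "review": review}
```

A burst attributed to rtvscan.exe should still be cross-checked against the file baseline before being dismissed, since the same pattern would also appear if the scanner had genuinely repaired or deleted files.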



Environment



SCSP 5.2.8 Agent and SEP MR4 client on Windows OS.



Cause



A known defect in SEP MR4 causes the USN of read-only files to be modified during a scan:

Scanning a Read-Only file changed the file's Update Sequence Number (USN) in Windows Change Journal
Fix ID: 1870333
Symptom: Backup software which relies on USN might believe the Read-Only file had been modified by the scan, and an unnecessary backup of the unchanged file could be initiated
Solution: The fix prevents USN updates by modifying the Read-Only attribute code to only run when threats are detected in a container and modifications to repair or delete are requested

This is fixed in RU6 (source: Release Notes - http://www.symantec.com/docs/TECH103087).

The SCSP Agent detects this type of change and therefore reports misleading information to the SCSP Server.



Solution



Upgrade SEP client to 11.0 RU6 or newer.





