Endpoint Protection

  • 1.  DHW*.tmp Virus - Still infected?

    Posted May 27, 2010 02:09 PM

    Hello,
    I'm running SEP 11.0.6000.550, and in the management console it shows units still infected with a generic Trojan, all of which are in c:\documents and settings\user\local settings\temp and start with DHW*.tmp.  If I go to the location of the files, they don't seem to exist.  I've read a few posts on the temp virus itself on here, but most users seem to actually see the files.  Are these files somehow hidden? (Note: I do have show hidden files and system files on.)  These are XP machines.

    Cheers
    JJ


  • 2.  RE: DHW*.tmp Virus - Still infected?

    Posted May 27, 2010 02:46 PM
    You mentioned seeing the notification in the SEPM.  If they were detected at one time and resolved (deleted, quarantined, whatever), the "Still Infected" status will need to be manually cleared in the SEPM.

    Title: 'How to clear an erroneous "Still Infected" status from Reports in the Symantec Endpoint Protection Manager'
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111913145448

    sandra


  • 3.  RE: DHW*.tmp Virus - Still infected?

    Posted May 27, 2010 02:48 PM
    This issue should be fully resolved in 11.0.6 mp1 but this can change


  • 4.  RE: DHW*.tmp Virus - Still infected?

    Posted May 27, 2010 03:10 PM
    Hi jamjen,

    What is the "Action" which was taken on the file? If it was "Cleaned by deletion" or "Quarantined", then you should not see the file in the temp folder. You should consult the risk logs in order to find out the action which SEP took on the file.

    EDIT:
    As far as I know, the files, should they still exist, should not be hidden.

    Also, try following the steps in the following document. It will most likely clear up the issue you are seeing with the .tmp file detections.

    Title: 'Large amounts of temp files are being created in the xfer_tmp or 7.5/xfer folder and are being detected as threats.'
    Document ID: 2009042217073548
    Web URL: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548?Open&seg=ent

    Please let me know whether following the steps in the document above resolves the issue for you.

    Regards,
    James


  • 5.  RE: DHW*.tmp Virus - Still infected?

    Posted May 27, 2010 05:27 PM

    Thanks for the replies.  "Action Taken" normally shows as "log only".  I'm taking a look at the supplied links and seeing if they turn anything up.

    Cheers
    ~JJ


  • 6.  RE: DHW*.tmp Virus - Still infected?

    Posted May 27, 2010 05:59 PM

    Hi jamjen,

    Hmmmm. Are the files being detected by Autoprotect scans? If so, there is an option in SEP which is turned on by default for Autoprotect detections: "Delete newly created infected files if the action is 'Leave alone (log only)'". That may explain why you don't see them. Consult your risk logs to find out if these detections are coming from Autoprotect scans, manual scans, or scheduled scans.

    You can configure this setting within the SEPM.
    1. Login to the SEPM
    2. Open up your Antivirus and Antispyware policy
    3. Go to File System AutoProtect
    4. Click Advanced Scanning and Monitoring
    5. The option is on that screen

    Also, try the steps in the document I linked you above and let me know whether that stops you from receiving these detections in the future.

    Regards,
    James


  • 7.  RE: DHW*.tmp Virus - Still infected?

    Posted Jul 30, 2010 05:18 AM
    Hello James,

    Both KB links don't work for me. Are there new ones?

    I use RU6a.

    Greets
    Stephan


  • 8.  RE: DHW*.tmp Virus - Still infected?

    Posted Jul 30, 2010 10:54 AM

    I just tried navigating to those links and they come right up.  Maybe give them another try.

    sandra


  • 9.  RE: DHW*.tmp Virus - Still infected?

    Posted Jul 30, 2010 01:57 PM
    Hello steppe,

    I also tried the links. They worked fine for me. I recommend trying again.

    Regards,
    James


  • 10.  RE: DHW*.tmp Virus - Still infected?

    Posted Jul 30, 2010 02:02 PM
    Now they are working for me too.

    Thanks.