Endpoint Protection

 View Only
Back to discussions
Expand all | Collapse all

Endpoint - 11.4000.2295 - XFER Tmp File Issue

  • 1.  Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 01, 2009 12:01 PM

    We just completed a 500 PC upgrade from Endpoint MR2 to MR4 to correct some server issues.  The server is now running properly (had a database problem).

    We are now seeing a new problem on some of our PC's.  Basically, they start generating Quarantine messages RE: a file with a .TMP extension.  It seems that these .TMP files then multiple...i.e on a PC that I fixed this morning, it started with 9 items in Quarantine...after 2 hours, it had over 800.

    From looking at older versions of Symantec, these .TMP files seem to be generated by the Symantec program itself, and are therefore false positives.

    I have had 3 PC's in the past week start to do this.  The only fix I have found is to uninstall the program, delete the client from SEPM, and then re-install.

    I would really like to know:

    • Why this is happening??
    • Is Symantec aware of the issue??
    • More importantly, what is the fix (other then reinstalling)??
    We had been advised to go from MR2 to MR4 to improve the stabiliy of the server...which it has....but now I seem to have unstable clients.

    All client machines are Windows XP with SP2.  They are fully patched (Windows Update). 


  • 2.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 01, 2009 02:25 PM
    I have also noticed one MR4 client exhibit the .tmp file detection in the /xfer directory. It occured after a detection of Trojan.Adclicker. It appears the files were generated during a Full Scan.


  • 3.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 02, 2009 09:31 AM

    I have also noticed one MR4 client exhibit the .tmp file detection in the /xfer directory. It occured after a detection of Trojan.Adclicker. It appears the files were generated during a Full Scan.

    Ok...I am seeing another PC doing this (this is the 5th one).  I may need to open a call with Symantec Support. 

    I am seeing the same Trojan you mentioned, which seems to appear when the Weekly Scan is run.  It then generates the same file over and over again, alternating between a "Downloader" risk, and a "Trojan" risk. 

    Anyone from Symantec seen this issue??



  • 4.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 13, 2009 06:14 PM
    I have another client with the same problem now. Both were detections of the Trojan.Adclicker (the only two). I have them both at MR4 SP1. I'd hate to have to call in on this one. I'm going to try and reinstall to see what happens.

    -Wayne


  • 5.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 14, 2009 09:01 AM
    I'm having the same issues in the same exact way as everyone else. I am running MR4 and the affected clients are running Windows XP Pro.

    Please Symantec, shine some light on this or i'm just going to call support to get the answer.


  • 6.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 20, 2009 04:34 PM
    Symantec?  Any information on this?  I have a XP computer (SEP 11 MR4) that has had SEP delete over 5000 .tmp files from the xfer folder in the last few days.


  • 7.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 20, 2009 04:46 PM

    Still having the issue, it seems to be only affecting clients that were infected previously.


  • 8.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 20, 2009 04:51 PM
    I have seen this issue too.  One thought I just had was adding and exclusion for the xfer folder.   My understanding it that symantic is mistaking the def updates for a virusand excluding the folder might work around th issue.


  • 9.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 21, 2009 11:10 AM
    I have also facing the issue, please help somebody...


  • 10.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 21, 2009 11:14 AM
    As pewr my analysis it is activity of Trojan.Adclicker . You can configure the quarntine files to be delete after 57 days or simply delete those files.

    Not much idea apart from it. Please share if someone has the centralised solution for it.


  • 11.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 22, 2009 01:36 PM
    This only option I found that worked, was removing Symantec Endpoint from the client PC.  Upon reboot, navigate to Documents & Settings, All Users, Application Data, Symantec, and delete the Symantec Endpoint Folder.

    Restart the PC, and then re-install Endpoint.

    It is the Trojan.Adclick that causes the issues.  It also appears to be a problem if the client PC was upgraded from an older version, which was the case for all the machines have the issue at my location.

    I had 6 PC's in total that I had to this on, but since it occured, have not had one since.  I am guessing that Symantec did something with a later Virus Def file, to correct the problem??

    Other then that, no idea on why it happened, or why it suddenly stopped...just that it did.  However, for PC's that were already generating these false positives, the only solution was as mentioned above.


  • 12.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Apr 22, 2009 01:50 PM
    Hi Ajitjha, I agee with your openion. It is the Adclick trojan that causing the problem. However, thanks Hutch for the solution. It would help a lot.


  • 13.  RE: Endpoint - 11.4000.2295 - XFER Tmp File Issue

    Posted Sep 29, 2009 04:08 PM
    We had the same problem. See this link
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548