Endpoint Protection


SEP quarantine

Migration User, Oct 06, 2009 01:50 PM

  • 1.  SEP quarantine

    Posted Oct 01, 2009 11:49 AM
    We are running SEP in the org. Currently 2 PCs are detecting a trojan horse (it doesn't give more info, just that a trojan horse was detected and it's quarantined). I did all the necessary things to find this trojan but there still seems to be a problem. The quarantine seems very full and I keep getting thousands of notices every day. I try to empty the quarantine but the computer locks up. The computer is very slow; I ran Avenger and Stinger but nothing can be found, yet the quarantine is very full.
    Thanks for any help


  • 2.  RE: SEP quarantine

    Posted Oct 01, 2009 12:11 PM
    Hi Googly,

    Try booting the machine in safe mode and deleting all the content from the quarantine. If you are still getting the problem, then the best and easiest way is to uninstall the client, delete the quarantine folder, and reinstall the client.

    You may also refer to the link below.

    https://www-secure.symantec.com/connect/forums/can-i-delete-files-quarantine-folder


  • 3.  RE: SEP quarantine

    Posted Oct 01, 2009 12:48 PM
    I am reluctant to delete the client. I want to solve it the proper way, just in case it happens again. I don't want the solution to be a reinstall.
    Thanks


  • 4.  RE: SEP quarantine

    Posted Oct 01, 2009 01:09 PM
    Hi,

    Please check this link and see whether it helps.

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008110308522048


  • 5.  RE: SEP quarantine

    Posted Oct 01, 2009 01:12 PM
    To specify a local quarantine directory:

    1 On the Antivirus and Antispyware Policy page, click Quarantine.

    2 On the Miscellaneous tab, under Local Quarantine Options, click Specify Quarantine Directory.

    3 In the text box, type the name of a local directory on the client computers. You can use path expansion by using the percent sign when typing in the path. For example, you can type %COMMON_APPDATA%, but relative paths are not allowed.

    4 If you are finished with the configuration for this policy, click OK.

    Configuring automatic clean-up options:

    When the client software scans a suspicious file, it places the file in the local Quarantine folder on the infected computer. The Quarantine clean-up feature automatically deletes files in the Quarantine either when they exceed a specified age or when the directory where they are stored reaches a certain size.

    You can configure these options using the Antivirus and Antispyware Policy. You can individually configure the number of days to keep repaired, backup, and quarantined files. You can also set the maximum directory size that is allowed before files are automatically removed from the client computer.

    You can use one of the settings, or you can use both together. If you set both types of limits, then all files older than the time you have set are purged first. If the size of the directory still exceeds the size limit that you set, then the oldest files are deleted one by one until the directory size falls below the limit. By default, these options are not enabled.

    To configure automatic clean-up options:

    1 On the Antivirus and Antispyware Policy page, click Quarantine.

    2 On the Cleanup tab, under Repaired files, check or uncheck Enable automatic deleting of repaired files.

    3 In the Delete after box, type a value or click an arrow to select the time interval in days.

    4 Check Delete oldest files to fit directory size limit, and then type in the maximum directory size, in megabytes. The default setting is 50 MB.

    5 Under Backup files, check or uncheck Enable automatic delete of backup files.

    6 In the Delete after box, type or click an arrow to select the time interval in days.

    7 Check Delete oldest files to fit directory size limit, and then type the maximum directory size, in megabytes. The default is 50 MB.

    8 Under Quarantined Files, check or uncheck Enable automatic deleting of quarantined files that could not be repaired.

    9 In the Delete after box, type a value or click an arrow to select the time interval in days.

    10 Check Delete oldest files to fit directory size limit, and then type in the maximum directory size, in megabytes. The default is 50 MB.

    11 If you are finished with the configuration for this policy, click OK.


  • 6.  RE: SEP quarantine

    Posted Oct 01, 2009 04:54 PM
    I did everything as mentioned. I removed the SEP client from the machine, got rid of the quarantine folder, and reinstalled the SEP client. Now the quarantine is starting to fill up again and the computer is becoming unresponsive because of this. Like I said, I ran everything I know of to remove the trojan but no trojan is detected, yet SEP scanning and Auto-Protect are detecting something by the second.



  • 7.  RE: SEP quarantine

    Posted Oct 06, 2009 10:44 AM
    Still having the issue. Any more help?
    On one machine I got 8200 notifications and on the other I got 12000.


  • 8.  RE: SEP quarantine

    Posted Oct 06, 2009 10:50 AM
    For File System Auto-Protect, set the first action to Clean risk and the second action to Delete risk.

    This will give you time to troubleshoot on this computer.
    Download Rapid Release definitions from the Symantec website and update the client.
    Start the computer in safe mode (without networking) and run a full scan.


  • 9.  RE: SEP quarantine

    Posted Oct 06, 2009 11:59 AM
    Did that, Vikram.
    I did all of that, Vikram, except the Auto-Protect option. How can I make Auto-Protect and scanning check the quarantine folder? It seems to me like the scan is scanning the quarantine folder and thus creating all these notifications. I really can't tell if this is true because every time I try to check the log files the computer locks up.


  • 10.  RE: SEP quarantine

    Posted Oct 06, 2009 01:11 PM
    I was able to get to the log files, and the original location of the trojan is c:\documents and Settings\allusers\applicationdata\symantec\SRTSP\quarantine.
    Is it necessary for this folder to be scanned and covered by Auto-Protect? How can I exclude this folder?

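The two-limit clean-up described in the policy excerpt of post 5, and the "is the quarantine feeding itself" question raised in post 10, worked through as an added Python example. This is not Symantec's code and was not posted in the thread: it treats each quarantine entry as an ordinary file with a size and modification time (SEP's actual quarantine container format is not parsed), the sample entries, their timestamps and the .vbn names are constructed for illustration, and the 50 MB figure is the default the excerpt quotes.

```python
"""Dry-run of the two-limit quarantine clean-up policy, plus a check for
quarantine entries whose "original location" is the quarantine itself.

Added example, not Symantec code. Assumptions: one file per quarantine
entry, file mtime == time of quarantine, no parsing of SEP's container
format. Sample data below is constructed, not taken from a real client.
"""
from __future__ import annotations

import ntpath
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

MB = 1024 * 1024
# Timestamp of the thread's last post, used as "now" for the sample data.
SAMPLE_NOW = datetime(2009, 10, 6, 13, 25)
# Assumed (constructed) quarantine path, matching the one quoted in post 10.
SAMPLE_QDIR = r"C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine"


@dataclass(frozen=True)
class QEntry:
    path: str         # file inside the quarantine directory
    size: int         # bytes on disk
    mtime: datetime   # when it was quarantined (file mtime)


def scan_quarantine(directory: str) -> list[QEntry]:
    """Walk a quarantine directory on disk and describe every file in it."""
    entries: list[QEntry] = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            st = os.stat(full)
            entries.append(QEntry(full, st.st_size, datetime.fromtimestamp(st.st_mtime)))
    return entries


def plan_cleanup(entries: Iterable[QEntry], now: datetime,
                 max_age_days: Optional[int] = None,
                 max_dir_mb: Optional[int] = None) -> list[QEntry]:
    """Return the entries the policy would delete, in deletion order.

    With both limits set, everything older than max_age_days goes first;
    if the directory still exceeds max_dir_mb, the oldest remaining files
    go one by one until it no longer does. With neither limit set (the
    documented default) nothing is deleted.
    """
    remaining = sorted(entries, key=lambda e: e.mtime)   # oldest first
    victims: list[QEntry] = []
    if max_age_days is not None:
        cutoff = now - timedelta(days=max_age_days)
        victims.extend(e for e in remaining if e.mtime < cutoff)
        remaining = [e for e in remaining if e.mtime >= cutoff]
    if max_dir_mb is not None:
        limit = max_dir_mb * MB
        total = sum(e.size for e in remaining)
        while remaining and total > limit:
            oldest = remaining.pop(0)
            victims.append(oldest)
            total -= oldest.size
    return victims


def is_inside_quarantine(original_location: str, quarantine_dir: str) -> bool:
    """True when a detection's original location lies under the quarantine
    directory, i.e. the scanner is re-detecting what it already quarantined.
    ntpath is used so Windows path rules (case-insensitive, either slash)
    apply even when this runs on another platform."""
    q = ntpath.normcase(ntpath.normpath(quarantine_dir)).rstrip("\\")
    p = ntpath.normcase(ntpath.normpath(original_location))
    return p == q or p.startswith(q + "\\")


def basenames(entries: Iterable[QEntry]) -> list[str]:
    """Windows basenames of the given entries, for reporting."""
    return [ntpath.basename(e.path) for e in entries]


def sample_entries(now: datetime = SAMPLE_NOW) -> list[QEntry]:
    """Constructed sample data standing in for scan_quarantine() on a real client."""
    return [
        QEntry(ntpath.join(SAMPLE_QDIR, "old.vbn"), 5 * MB, now - timedelta(days=40)),
        QEntry(ntpath.join(SAMPLE_QDIR, "a.vbn"), 30 * MB, now - timedelta(days=10)),
        QEntry(ntpath.join(SAMPLE_QDIR, "b.vbn"), 30 * MB, now - timedelta(days=5)),
        QEntry(ntpath.join(SAMPLE_QDIR, "c.vbn"), 30 * MB, now - timedelta(days=1)),
    ]


if __name__ == "__main__":
    entries = sample_entries()
    print(f"{len(entries)} entries, {sum(e.size for e in entries) / MB:.0f} MB in quarantine")
    for e in plan_cleanup(entries, SAMPLE_NOW, max_age_days=30, max_dir_mb=50):
        print("would delete:", ntpath.basename(e.path), f"({e.size / MB:.0f} MB)")
    loc = ntpath.join(SAMPLE_QDIR, "a.vbn")
    print("detection originates inside quarantine:", is_inside_quarantine(loc, SAMPLE_QDIR))
```

Run it unchanged for the constructed sample; on a real client, replace `sample_entries()` with `scan_quarantine(<quarantine dir>)` to see what a given age/size policy would remove before enabling it. The `is_inside_quarantine()` check is the one to run over the "original location" column of the risk log: if it returns True for the bulk of the detections, the growth is the scanner re-scanning its own quarantine rather than a live infection.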

  • 11.  RE: SEP quarantine

    Posted Oct 06, 2009 01:22 PM
    Open the SEP GUI - Change settings - Antivirus and Antispyware - File System Auto-Protect - Actions - First Action: Clean
    Second action: Delete


  • 12.  RE: SEP quarantine
    Best Answer

    Posted Oct 06, 2009 01:25 PM
    Do you have any other antivirus or antispyware software installed? If yes, then remove it. This issue can also be due to corrupt definitions.
    Remove SEP.
    Delete all the folders:
    c:\program files\Common files\Symantec shared
    c:\program files\Symantec
    c:\documents and settings\all users\application data\symantec

    Delete all temp files from %temp% (Start, Run, %temp%) and c:\windows\temp.
    Reboot your computer.
    Then re-install SEP.


  • 13.  RE: SEP quarantine

    Posted Oct 06, 2009 01:50 PM
    Thanks Vikram, I will accept that as my solution.


  • 14.  RE: SEP quarantine

    Posted Nov 02, 2009 10:20 AM
    For my organization, we had a support case open regarding this exact same problem, where SEP was quarantining its own TMP files, thereby wreaking havoc on a few client machines due to:

    Local HDD running out of space
    Quarantine folder ending up with tens of thousands of folders/files
    Excessive disk IO causing the PC to slow to a crawl

    So far, SEP RU5 seems to have addressed the problem on all of our PCs afflicted with this problem, provided I followed these specific steps when upgrading:
    Uninstall Symantec Endpoint
    Delete the folder "%allusersprofile%\application data\symantec"
    Reboot
    Install SEP RU5