Endpoint Protection


Symantec Endpoint Protection

Migration User, Aug 23, 2010 02:39 PM

  • 1.  Symantec Endpoint Protection

    Posted Aug 20, 2010 08:12 AM

    Starting August 17th, 8:22 am, SEP is generating Risk Outbreak events on one particular server. This happens every hour; sometimes the interval is longer.

    Single Risk Event
    Risk name: Trojan Horse
    File path: C:\WINDOWS\Temp\DST3454.tmp

    I have used Filemon to make sure it's these temporary files DST*.tmp that are created and deleted by IIS. Not all DST*.tmp files are reported as Trojan Horse.
    The reported file is quarantined successfully every time.

    I have run a full scan on the server a few times, no risks found.

    Here's the filemon log.
    9:24:00 AM    inetinfo.exe:1676    OPEN    C:\WINDOWS\Temp\DSTB8C8.tmp    SUCCESS    Options: Open  Access: Read-Attributes    
    9:24:00 AM    inetinfo.exe:1676    QUERY INFORMATION    C:\WINDOWS\Temp\DSTB8C8.tmp    SUCCESS    FileStreamInformation    
    9:24:00 AM    Rtvscan.exe:180    QUERY INFORMATION    C:\windows\temp\dstb8c8.tmp    NOT FOUND    Attributes: Error    
    9:24:00 AM    Rtvscan.exe:180    QUERY INFORMATION    C:\windows\temp\dstb8c8.tmp    NOT FOUND    Attributes: Error    
    9:24:00 AM    Rtvscan.exe:180    QUERY INFORMATION    C:\windows\temp\dstb8c8.tmp    NOT FOUND    Attributes: Error    
    9:24:00 AM    Rtvscan.exe:180    QUERY INFORMATION    C:\windows\temp\dstb8c8.tmp    NOT FOUND    Attributes: Error    
    9:24:00 AM    Rtvscan.exe:180    QUERY INFORMATION    C:\windows\temp\dstb8c8.tmp    NOT FOUND    Attributes: Error    
    9:24:00 AM    Rtvscan.exe:180    OPEN    C:\windows\temp\dstb8c8.tmp    NOT FOUND    Options: Open  Access: 00100080    
    9:24:00 AM    Rtvscan.exe:180    QUERY INFORMATION    C:\windows\temp\dstb8c8.tmp    NOT FOUND    Attributes: Error    
    9:24:00 AM    Rtvscan.exe:180    QUERY INFORMATION    C:\windows\temp\dstb8c8.tmp    NOT FOUND    Attributes: Error    
    9:24:00 AM    Rtvscan.exe:180    OPEN    C:\windows\temp\dstb8c8.tmp    NOT FOUND    Options: Open  Access: 00100080    
    9:24:10 AM    Rtvscan.exe:180    QUERY INFORMATION    C:\WINDOWS\Temp\DSTB8C8.tmp    NOT FOUND    Attributes: Error    


    Any guidance appreciated.
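As an added illustration (not code from this thread or from Symantec), the following Python script parses Filemon output like the log above. It attributes each DST*.tmp file to the process that accessed it successfully and counts the scanner's NOT FOUND results, which is exactly the pattern in the log: inetinfo.exe touches the file, then Rtvscan.exe repeatedly fails to find it because it is already gone. The sample lines are the ones from the post, re-typed with tab separators; the function names and the assumption that a Filemon export is tab-delimited (pasted lines with runs of spaces are accepted as well) are mine.

```python
import re
from collections import Counter

# Constructed sample: the Filemon lines quoted in the post above, re-typed
# with tab-delimited fields as a Filemon export is assumed to produce.
SAMPLE_LOG = """\
9:24:00 AM\tinetinfo.exe:1676\tOPEN\tC:\\WINDOWS\\Temp\\DSTB8C8.tmp\tSUCCESS\tOptions: Open  Access: Read-Attributes
9:24:00 AM\tinetinfo.exe:1676\tQUERY INFORMATION\tC:\\WINDOWS\\Temp\\DSTB8C8.tmp\tSUCCESS\tFileStreamInformation
9:24:00 AM\tRtvscan.exe:180\tQUERY INFORMATION\tC:\\windows\\temp\\dstb8c8.tmp\tNOT FOUND\tAttributes: Error
9:24:00 AM\tRtvscan.exe:180\tOPEN\tC:\\windows\\temp\\dstb8c8.tmp\tNOT FOUND\tOptions: Open  Access: 00100080
9:24:10 AM\tRtvscan.exe:180\tQUERY INFORMATION\tC:\\WINDOWS\\Temp\\DSTB8C8.tmp\tNOT FOUND\tAttributes: Error
"""

# A Filemon export is tab-delimited (assumption); lines pasted into a forum
# post usually arrive with runs of spaces instead, so accept either separator.
FIELD_SPLIT = re.compile(r"\t|[ ]{3,}")
PROC_RE = re.compile(r"^(?P<name>.+?):(?P<pid>\d+)$")
# Temp names of the form DST<hex>.tmp, as reported in the thread (lower-cased).
TEMP_NAME = re.compile(r"dst[0-9a-f]+\.tmp$")


def parse_filemon(text):
    """Turn Filemon lines into dicts. Paths are lower-cased because NTFS is
    case-insensitive and Rtvscan logs the same file in a different case."""
    records = []
    for line in text.splitlines():
        fields = FIELD_SPLIT.split(line.strip())
        if len(fields) < 5:
            continue  # blank or malformed line
        proc = PROC_RE.match(fields[1].strip())
        if not proc:
            continue
        records.append({
            "time": fields[0].strip(),
            "process": proc.group("name").lower(),
            "pid": int(proc.group("pid")),
            "op": fields[2].strip(),
            "path": fields[3].strip().lower(),
            "result": fields[4].strip(),
            "detail": fields[5].strip() if len(fields) > 5 else "",
        })
    return records


def attribute_temp_files(records, scanner="rtvscan.exe", name_pattern=TEMP_NAME):
    """Per matching temp file: which processes accessed it successfully (the
    creator/owner) and how often the scanner got NOT FOUND, i.e. tried to
    open a file that had already been deleted when the scan was attempted."""
    report = {}
    for r in records:
        if not name_pattern.search(r["path"]):
            continue
        e = report.setdefault(r["path"], {
            "success_by": Counter(), "scanner_not_found": 0,
            "first": r["time"], "last": r["time"],
        })
        e["last"] = r["time"]
        if r["result"] == "SUCCESS":
            e["success_by"][r["process"]] += 1
        elif r["process"] == scanner and r["result"] == "NOT FOUND":
            e["scanner_not_found"] += 1
    return report


def likely_creators(report, scanner="rtvscan.exe"):
    """Non-scanner processes that touched each file successfully."""
    return {path: sorted(p for p in e["success_by"] if p != scanner)
            for path, e in report.items()}


if __name__ == "__main__":
    rep = attribute_temp_files(parse_filemon(SAMPLE_LOG))
    for path, e in rep.items():
        print(f"{path}: touched OK by {dict(e['success_by'])}, "
              f"scanner NOT FOUND x{e['scanner_not_found']} "
              f"({e['first']} .. {e['last']})")
```

Running it on a longer capture tells you, per temp file, whether the creator is always the same process (here IIS) and how often Auto-Protect's scan thread arrives after the file has been deleted; a creator other than the expected server process would be the thing to look at first.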


  • 2.  RE: Symantec Endpoint Protection

    Posted Aug 20, 2010 09:51 AM

    It sounds similar to an issue RU6 MP1 fixes:

    DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan
    Fix ID: 1925607
    Symptom: DWHxxxx.tmp files are scanned and re-detected when new definitions arrive or during a scheduled scan.
    Solution: After extracting a quarantined item to a temp file, the file is deleted immediately after it is processed.

    Not sure if upgrading will help or not but it could be worth a try.

    You can also check the quarantine folder and delete all files in there. You will need to give yourself full rights on the quarantine folder first though, as it denies access by default.


  • 3.  RE: Symantec Endpoint Protection

    Posted Aug 20, 2010 09:55 AM

    Brian,

    Thanks for quick response.

    I have looked at that issue, disabled rescanning the quarantine when new definitions arrive, and deleted all quarantined files.

    Out of 26 servers scanned by endpoint, this happens on only one server.


  • 4.  RE: Symantec Endpoint Protection

    Posted Aug 20, 2010 10:26 AM

    Did you check to see if there was anything in the quarantine folder?

    I've had issues where some clients continuously flag items in quarantine as malicious. Even though this was supposedly fixed, it still happened.


  • 5.  RE: Symantec Endpoint Protection

    Posted Aug 20, 2010 11:04 AM
    I think that DST*.tmp files are created by the Exchange server.
    http://support.microsoft.com/kb/899392


  • 6.  RE: Symantec Endpoint Protection

    Posted Aug 20, 2010 03:23 PM
    Quarantine is already cleaned up. Same issue keeps recurring.


  • 7.  RE: Symantec Endpoint Protection

    Posted Aug 20, 2010 03:24 PM

    The filemon log I posted indicates that the DST*.tmp files are created by inetinfo.exe process. IIS is running on that server. Exchange is not installed on that server.


  • 8.  RE: Symantec Endpoint Protection

    Posted Aug 22, 2010 12:56 AM
    Could you please post the risk logs from SEP? Kindly submit a few DST files to the Security Response team and open a ticket with technical support.


  • 9.  RE: Symantec Endpoint Protection

    Posted Aug 22, 2010 07:39 AM
    Seeing the exact same issue, any updates?
    Running build 11.0.6005.562.


  • 10.  RE: Symantec Endpoint Protection

    Posted Aug 22, 2010 07:47 AM
    @wits1: Please go to View Logs and click Options for Antivirus and Antispyware Protection, and see the risk logs. Do you see the entry for DSTxxx.tmp files detected? If yes, then what's the action taken, and it is detected by what?


  • 11.  RE: Symantec Endpoint Protection

    Posted Aug 22, 2010 09:58 AM
    If it's a file generated by Windows (IIS) then it would not be detected as a threat.
    Make sure you empty your %temp% and C:\Windows\Temp.
    It might be a similar file generated by some other source.

    However, the possibility of a false positive cannot be ruled out. Run a full scan on the server with updated definitions.


  • 12.  RE: Symantec Endpoint Protection

    Posted Aug 22, 2010 08:58 PM
    I am having the same problem on a Windows 2003 server running Exchange 2003.

    Our SEP version is 11.0.5002.333.

    We have an existing case# for this: 412646252

    After downloading Symantec Rapid Release defs, I ran a full SEP scan in safe mode a few hours ago. No problems were found.

    DST files are being created and quarantined at a rate of 2 to 10 files per hour.

    I submitted a few sample DST files to Symantec two or three days ago.

    If you find a solution, please let me know.



  • 13.  RE: Symantec Endpoint Protection

    Posted Aug 22, 2010 11:01 PM
    @Andrew@LCG:

    First of all, thank you for submitting the files. Also, you could go for installing RU6 MP1.


  • 14.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 06:21 AM
    Stop the running application service, scan the full system, then check it.


  • 15.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 09:11 AM
    Vishal, you recommended that I try installing RU6 MP1.

    Wits1 above is having the DST temp files problem with version 11.0.6005.562.

    Isn't that the same as version RU6 mp1?

    Unless you are fairly certain that updating our SEP version will fix the problem, I'm hesitant to apply it to our problem server because it will probably require a reboot and downtime for Exchange. That server is used for Email by about 45 people and I would like to avoid having them go without their email for a while.

     


  • 16.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 09:26 AM
     
    Maheshroja,

    I see an "Application Experience Lookup" service that is running.

    Is that the application service you are referring to?

    There are two other "application" services:
               1) "Application Layer Gateway Service" and
               2) "Application Management Service"

    Neither of those two services are running.


  • 17.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 09:32 AM
    Hi Andrew@LCG,

    RU6 MP1 is 11.0.6100.xx; 11.0.6005.xx is the RU6a version.

    Looks like it is a new issue, not known to us, hence we are not sure whether it would be resolved in RU6 MP1 or not. But if you still face the issue with RU6 MP1, then the case could be investigated further as a possible defect.



  • 18.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 09:47 AM
    Norton Internet Security 17.7.0.12

    Boot up scanning stinks.

    How do I disable it?

    If I can't, I will uninstall NAV and get some other product.


  • 19.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 09:58 AM
    Hi MajesticJess

    More information regarding what exactly is happening would be required. Also, could you please start a new thread for discussion on this on the Norton forums?
    http://community.norton.com/t5/Norton-Internet-Security-Norton/bd-p/nis_feedback

    Thank you for your understanding...


  • 20.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 10:28 AM
    If we upgrade from 11.0.5002 to 11.0.6100, we will almost certainly need to restart our server, right?

    Andrew


  • 21.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 12:22 PM
    Hi Andrew@LCG

    You cannot upgrade straight from 11.0.5002 to 11.0.6100; first you need to upgrade to 11.0.6005, and then to 11.0.6100.


  • 22.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 01:03 PM
    Vishal,

    This web page says that I can upgrade directly from 11.0.5002.333 to 11.0.6 (RU6):
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010041310404248

    Is that wrong?

    Where can I get the files for the upgrade?

    Thanks for your help.

    Andrew


  • 23.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 01:13 PM
    You can upgrade from 11.0.5000 to 11.0.6000 directly;

    however, you SHOULD NOT upgrade directly from 11.0.5 to 11.0.6100.

    You can get the files from https://fileconnect.symantec.com


  • 24.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 01:15 PM
     


  • 25.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 01:23 PM
    Vishal,

    That's a bit confusing, but from what you said, all I need to know is that I should upgrade in two separate steps:
          1) upgrade first to 11.0.6005
          2) next, upgrade to 11.0.6100

    I'll do that.

    Thanks


  • 26.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 01:35 PM
    I browsed to the fileconnect.symantec.com site, typed in my serial number, and all I could see was an International English upgrade to 11.0.6 MP1.

    How do I get to the other versions?

    Andrew


  • 27.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 01:44 PM
    Both downloads, RU6_MP1 and RU6, should be available on fileconnect.symantec.com.


  • 28.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 01:47 PM
    Hi Andrew@LCG,

    Yes, you should upgrade in parts, as you mentioned...


  • 29.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 02:32 PM
    Vikram,

    I see 11.0.6A and 11.0.6MP1.

    So, I should install 11.0.6A and then 11.0.6MP1, right?

    Andrew


  • 30.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 02:39 PM
    That is correct.


  • 31.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 02:56 PM
    Click International English so that you will be directed to the file selection page for you to download 11.0.6 and 11.0.6 MP1.


  • 32.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 07:36 PM
    Set to delete; detected by Auto-Protect scan.


  • 33.  RE: Symantec Endpoint Protection

    Posted Aug 23, 2010 11:10 PM
    I have also experienced exactly the same issue as described above. Ours started on 17/08/2010 at 7.55am, running Server 2003 with 11.5002 SEP; every 10 to 20 minutes DSTxxx.tmp files are being reported as the following. I have started downloading 11.0.6A and 11.0.6MP1 but wanted to enquire: has anyone had a fix yet? Do we know why this is happening? Is this a SEP issue? Appreciate any help, thank you.

    Security Risk Found!Trojan Horse in File: C:\WINDOWS\Temp\DSTC2F.tmp by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully




  • 34.  RE: Symantec Endpoint Protection

    Posted Aug 24, 2010 04:10 AM
    Hi rustus,

    It could be a SEP issue; at this point we are not sure, as there is no known issue. I request you to please upgrade to RU6 MP1 and see if you continue getting these.

    If you do, then you may have to submit a few files to Security Response and open a ticket for further analysis with technical support.
    But first, please upgrade.

    Note that the upgrade path is RU5 - RU6a - RU6 MP1.

    So first you upgrade the SEP client to RU6a, and then to RU6 MP1. You can download these from https://fileconnect.symantec.com


  • 35.  RE: Symantec Endpoint Protection

    Posted Aug 24, 2010 07:55 AM

    These files are created by IIS, as the filemon log at the top shows. I have run a full scan on the server several times; SEP doesn't find anything. I have several other servers running the same version of definitions and SEP.

    This seems like a conflict between SEP and IIS trying to access the DST*.tmp file at the same time on certain files. This does not occur with every single DST*.tmp file, but happens frequently enough to generate a flurry of alerts.

    I have submitted several .tmp files quite a few times to SEP.

    The only option seems to be to try the upgrade path and see if this goes away.

    I will update with results when I get the upgrade done over the weekend.


  • 36.  RE: Symantec Endpoint Protection

    Posted Aug 24, 2010 06:06 PM
    Same problem. Tried setting Purge options to "Delete in one day" while waiting for someone to report if the upgrade works. I can think of better ways to spend a week-end!


  • 37.  RE: Symantec Endpoint Protection

    Posted Aug 25, 2010 03:20 AM
    No man,

    it doesn't need to reboot the computer/server on which the SEPM is installed; not even the SQL Server is restarted :-) which is good, so the upgrade can be done during business hours.


  • 38.  RE: Symantec Endpoint Protection

    Posted Aug 26, 2010 02:04 AM

    If you are running MS Exchange, Exchange may create a temporary file named "Dst*.tmp" in the temporary directory when remote domains do not support the BDAT command. And since the content of DST*.tmp is bad, our Auto-Protect then acts upon it.

    Please check if there are issues in your Exchange server, and also look at the content of the tmp file to see the sender address, as that machine[s] might be infected with a mass-mailer worm.

    ref : http://support.microsoft.com/kb/899392



  • 39.  RE: Symantec Endpoint Protection

    Posted Aug 26, 2010 09:37 AM
    BNH, you are thinking Exchange might be a contributor/cause.

    However, Farhan009 has a server with this DST temp problem and Exchange is NOT on that server.

    In my case, the problem server IS running Exchange, but I'm not seeing any items in the log with a 4000 Event ID as the Microsoft Knowledgebase article indicates.

    Andrew


  • 40.  RE: Symantec Endpoint Protection

    Posted Aug 26, 2010 11:49 AM
    Ok, the issue has been resolved by doing nothing at all.

    The alerts stopped on August 24, 9:52am.
    Here's the log for that.
    Event,Computer Name,Source,Risk Name,Occurrences,File Path,Description,Actual Action,Requested Action,Secondary Action,Event Date,Event Insert Time,Domain,User Name,Server,Client Group,Source Computer Name,Source Computer IP,Event End Date,Timestamp,Deleted
    Virus found,client_server,Auto-Protect scan,Trojan Horse,1,C:\WINDOWS\Temp\DST7580.tmp,"",Quarantined,Cleaned,Quarantined,08/24/2010 09:56:02,08/24/2010 10:01:08,Default,SYSTEM,antivirus_server,My Company\SERVER\Servers - 32 Bit,,0.0.0.0,08/24/2010 09:56:02,08/24/2010 10:01:08,0

    Most likely case could be definition updates. I did submit quite a few samples to Symantec.

    Holding off on the upgrade for a bit later.

    Thanks for all the suggestions. Great community here.
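Added example, not code from this thread or from Symantec: a Python summary of a SEP risk-log CSV export in the layout quoted in the post above. It groups events by risk name and a normalized file name (the random hex suffix of DST####.tmp collapsed to dst*.tmp), counts them per hour, and records the first and last event time, which is the check the posters here are doing by hand to tell whether a burst really stopped after a definition update. The header and the 08/24 09:56:02 row are from the post; the remaining rows, the column handling, the function names and the normalization heuristic are assumptions of mine.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample in the layout of the SEP risk-log export quoted in the
# post above. The header and the 08/24 09:56:02 row are copied from the post;
# the other rows are made up here so the summary has several events.
SAMPLE_EXPORT = """\
Event,Computer Name,Source,Risk Name,Occurrences,File Path,Description,Actual Action,Requested Action,Secondary Action,Event Date,Event Insert Time,Domain,User Name,Server,Client Group,Source Computer Name,Source Computer IP,Event End Date,Timestamp,Deleted
Virus found,client_server,Auto-Protect scan,Trojan Horse,1,C:\\WINDOWS\\Temp\\DST1A2B.tmp,"",Quarantined,Cleaned,Quarantined,08/23/2010 08:10:11,08/23/2010 08:12:00,Default,SYSTEM,antivirus_server,My Company\\SERVER\\Servers - 32 Bit,,0.0.0.0,08/23/2010 08:10:11,08/23/2010 08:12:00,0
Virus found,client_server,Auto-Protect scan,Trojan Horse,1,C:\\WINDOWS\\Temp\\DST3454.tmp,"",Quarantined,Cleaned,Quarantined,08/23/2010 08:45:02,08/23/2010 08:50:10,Default,SYSTEM,antivirus_server,My Company\\SERVER\\Servers - 32 Bit,,0.0.0.0,08/23/2010 08:45:02,08/23/2010 08:50:10,0
Virus found,client_server,Auto-Protect scan,Trojan Horse,1,C:\\WINDOWS\\Temp\\DSTC2F.tmp,"",Quarantined,Cleaned,Quarantined,08/23/2010 09:30:00,08/23/2010 09:35:00,Default,SYSTEM,antivirus_server,My Company\\SERVER\\Servers - 32 Bit,,0.0.0.0,08/23/2010 09:30:00,08/23/2010 09:35:00,0
Virus found,client_server,Auto-Protect scan,Trojan Horse,1,C:\\Documents and Settings\\tester\\Local Settings\\Temp\\example.tmp,"",Quarantined,Cleaned,Quarantined,08/23/2010 12:00:00,08/23/2010 12:05:00,Default,tester,antivirus_server,My Company\\SERVER\\Servers - 32 Bit,,0.0.0.0,08/23/2010 12:00:00,08/23/2010 12:05:00,0
Virus found,client_server,Auto-Protect scan,Trojan Horse,1,C:\\WINDOWS\\Temp\\DST7580.tmp,"",Quarantined,Cleaned,Quarantined,08/24/2010 09:56:02,08/24/2010 10:01:08,Default,SYSTEM,antivirus_server,My Company\\SERVER\\Servers - 32 Bit,,0.0.0.0,08/24/2010 09:56:02,08/24/2010 10:01:08,0
"""

TS_FORMAT = "%m/%d/%Y %H:%M:%S"          # timestamp layout used in the export
# Heuristic: a run of 3+ hex digits right before a .tmp extension is the
# random part of a Windows temp name.
HEX_SUFFIX = re.compile(r"[0-9A-F]{3,}(?=\.tmp$)", re.IGNORECASE)


def normalize_temp_name(path):
    """Collapse DST7580.tmp, DSTC2F.tmp, ... to dst*.tmp so one burst of
    detections groups under a single key; other names are only lower-cased."""
    name = PureWindowsPath(path).name.lower()
    return HEX_SUFFIX.sub("*", name)


def parse_risk_log(text):
    """Read the export with the csv module (fields such as the Description
    column are quoted, so splitting on commas by hand would be wrong)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "risk": row["Risk Name"],
            "source": row["Source"],
            "path": row["File Path"],
            "pattern": normalize_temp_name(row["File Path"]),
            "action": row["Actual Action"],
            "occurrences": int(row["Occurrences"] or 1),
            "event_time": datetime.strptime(row["Event Date"], TS_FORMAT),
        })
    return rows


def summarize(rows):
    """Per (risk name, normalized file name): total count, first/last event,
    events per hour and the actions SEP actually took."""
    summary = {}
    for r in rows:
        s = summary.setdefault((r["risk"], r["pattern"]), {
            "count": 0, "first": r["event_time"], "last": r["event_time"],
            "per_hour": Counter(), "actions": Counter(),
        })
        s["count"] += r["occurrences"]
        s["first"] = min(s["first"], r["event_time"])
        s["last"] = max(s["last"], r["event_time"])
        s["per_hour"][r["event_time"].strftime("%Y-%m-%d %H:00")] += r["occurrences"]
        s["actions"][r["action"]] += 1
    return summary


def events_since(rows, cutoff):
    """Events at or after cutoff (same timestamp format as the export); use it
    to check whether a burst really stopped after a definition update."""
    when = datetime.strptime(cutoff, TS_FORMAT)
    return [r for r in rows if r["event_time"] >= when]


if __name__ == "__main__":
    for (risk, pattern), s in summarize(parse_risk_log(SAMPLE_EXPORT)).items():
        print(f"{risk} / {pattern}: {s['count']} events, "
              f"{s['first']:{TS_FORMAT}} .. {s['last']:{TS_FORMAT}}, "
              f"per hour {dict(s['per_hour'])}, actions {dict(s['actions'])}")
```

As post 41 below points out, the risk log alone can lag: compare the last event time with what is sitting in the quarantine folder before concluding the problem is gone.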




  • 41.  RE: Symantec Endpoint Protection

    Posted Aug 26, 2010 01:05 PM
    Farhan009,

    When I saw your post, I immediately went to look at our server's SEP risk log to see if the problem had stopped.

    After sorting the log, I noticed that there were no entries at all after 11:00 AM on Aug 25th. I thought hooray, it's fixed itself!

    Then I looked at the Quarantine (instead of the risk log) and noticed some DST files had gotten quarantined today (Aug. 26th) within the past hour. I went back and looked at the risk log again and waited a minute. The log then showed that the DST files were still being quarantined.

    Farhan009, on the very outside chance that you didn't see all of the log entries, would you mind taking a look at your logs one more time? Can you also look at the quarantine too?

    Is the DST problem really fixed on your server? If it is, what is the date/version of your definition files?

    Thanks for helping and taking the time to post your findings.

    Andrew


  • 42.  RE: Symantec Endpoint Protection

    Posted Aug 26, 2010 01:14 PM

    Andrew@LCG,

    I just checked the logs and the quarantine.

    I can confirm that there have been no new risks identified or DST*.tmp files quarantined after August 24, 2010, 9:56am.

    Antivirus definitions installed are : Thursday, August 26 2010 rev. 002.


  • 43.  RE: Symantec Endpoint Protection

    Posted Aug 26, 2010 01:25 PM
    Farhan009,

    Excellent! :)

    I'm glad the problem is fixed for you.

    We are using the same version of virus defs that you have.

    I made a mistake in my last post. It's been 3 hours (not 1 hour) since a DST file has been quarantined on our server.

    So, I'm still hoping that the problem is fixed for us too. I'll check our quarantine again later.

    Andrew


  • 44.  RE: Symantec Endpoint Protection

    Posted Aug 27, 2010 07:54 AM
    Problem seems to be fixed.

    No files have been quarantined since yesterday morning.

    Andrew


  • 45.  RE: Symantec Endpoint Protection

    Posted Aug 27, 2010 10:58 PM
    Glad the issue is now resolved.
    We managed to track down what the issue was through a customer support case.

    The reason is that their Exchange 2k3 is throwing out undelivered mail in a %temp%\DST*.tmp file [you can try to open the DST*.tmp file using Notepad and see what's inside].

    The undelivered mail is a spam email which contains a malicious URL which our threat analysts flagged as a Trojan Horse back on 16 August 2010.

    Thanks to everyone's reports here, the issue is fixed after the 26 August 2010 rev 054 definition update.





  • 46.  RE: Symantec Endpoint Protection

    Posted Sep 01, 2010 10:17 AM
    BNH,

    Farhan009 said he had that DST temp files problem, yet the problem server was NOT running Exchange.

    Can you explain that?

    Andrew


  • 47.  RE: Symantec Endpoint Protection

    Posted Sep 01, 2010 06:59 PM
    Hi Andrew@LCG ,

    If Farhan009 can identify what generated those files, then we'll have our answer.
    So far, according to a quick Google search, those DST*.tmp files are normally generated by Exchange 2000 / 2003 when there is undelivered mail.

    Our AV does not generate DST*.tmp files [we generate DWH*.tmp and AP*.tmp for sure], but not DST*.






  • 48.  RE: Symantec Endpoint Protection

    Posted Nov 26, 2010 11:51 PM

    OK, I suppose that this problem has been fixed already, right?

    I am using SEP 1 MR6 MP1 and so far it has been good.