Endpoint Protection

  • 1.  Trojan Horse detected in "Xfer" Directory (i.e. Symantec detecting itself)

    Posted Jun 04, 2009 02:23 PM
    I'm curious as to what is going on here, and desperately need a solution before it spirals out of control.

    We've been running MP4 MP1 just fine the past couple of weeks, deployed to around 300 clients and several management servers. Within the past week we updated all of the servers to MP4 MP2, installation went fine.

    Here's an idea of how we have it set up. We have several management servers (one per location) and then a "central" management server that receives a log replication from each management server so that it has a centralized reporting component.  Each week we have a full scan that runs Wednesday night to take care of anything the active scans miss during the week.

    Up until now it has been fine. However, evidently last night something went buggy and now every machine running Symantec is detecting a trojan horse in the "xfer" directory, or more specifically the "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer" folder. It quarantines it, detects it, quarantines it, all in an endless cycle, or so it seems. A total of 12000 instances were reported across our company last night through our reporting component.

    I've read through a few threads on the issue and other people seem to be experiencing it and have no real solution to the issue. Our problem is that it's really not feasible to uninstall and reinstall every client from scratch at this point. According to others this was a known bug a year ago, but was supposed to be fixed within the last MR.

    Any ideas?



  • 2.  RE: Trojan Horse detected in "Xfer" Directory (i.e. Symantec detecting itself)

    Posted Jun 04, 2009 02:35 PM
    This also happens due to corrupt definitions distributed to SEP clients from SEPM.
    So you can revert to a previous definition on which you were not having this problem and then update it to the latest definition set.


  • 3.  RE: Trojan Horse detected in "Xfer" Directory (i.e. Symantec detecting itself)

    Posted Jun 04, 2009 02:51 PM


  • 4.  RE: Trojan Horse detected in "Xfer" Directory (i.e. Symantec detecting itself)

    Posted Jun 04, 2009 02:55 PM
    Removal procedure from Giuseppe

    Removal Procedure

    1.) If the client computer is running Windows XP, disable "System Restore" as
    KB: http://www.symantec.com/security_response/writeup....

    2.) Restart the computer in Safe Mode

    3.) Stop SEP services
    "Symantec Endpoint Protection" from START -> RUN -> services.msc
    "Symantec Management client" with command START -> RUN -> smc -stop

    4.) Delete the folder "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\"
    (in newer installations: "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\")

    5.) Delete all files .tmp in folder "c:\windows\temp\"

    Important: empty the recycle bin...

    6.) Restart SEP services (same as point 3 , except "smc -start")

    7.) Run a full-scan

    8.) Restart the computer in normal mode and if no new alerts of malware/virus detection are shown, enable "System Restore" as from step "1"
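    The following PowerShell script is an added example, not part of the thread or of any Symantec tooling; it automates steps 3 through 6 of the removal procedure above on a single client and writes a log of every file it removes, so the operator can confirm afterwards that only the SEP "xfer" folder and the Windows temp .tmp files were touched. Steps 1, 2, 7 and 8 (System Restore, Safe Mode, the full scan and the normal-mode restart) remain manual. It assumes it is run as a local administrator, that the SEP service display name is "Symantec Endpoint Protection" as in step 3, and that `smc` resolves from the command line the way the poster's START -> RUN -> smc -stop does; the `-DryRun` switch and the log file path are this example's own additions.

```powershell
# Added example: scripted version of steps 3-6 of the "Removal Procedure" post above.
# Assumptions (not from the thread): run as local administrator, SEP service display name
# "Symantec Endpoint Protection", and smc.exe resolvable on PATH (else give its full path).
param(
    [string]$XferPath = "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer",
    [string]$TempPath = "C:\Windows\Temp",
    [switch]$DryRun   # show what would be deleted without deleting anything
)

$LogFile = Join-Path $env:SystemDrive "sep-xfer-cleanup.log"   # hypothetical log location

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

# Safety check: only ever operate on a folder that really is a Symantec "xfer" directory.
if ((Split-Path $XferPath -Leaf) -ne "xfer" -or $XferPath -notmatch "Symantec") {
    throw "Refusing to run: '$XferPath' does not look like a Symantec xfer folder."
}

# Step 3: stop the SEP service and the Symantec Management client.
Write-Log "Stopping service 'Symantec Endpoint Protection'"
if (-not $DryRun) {
    Stop-Service -DisplayName "Symantec Endpoint Protection" -Force -ErrorAction Stop
    & smc -stop
    Start-Sleep -Seconds 10   # give smc time to shut down before touching its files
}

# Step 4: delete the xfer folder, logging each file first so the action is auditable.
if (Test-Path $XferPath) {
    $files = Get-ChildItem -Path $XferPath -Recurse -Force | Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        Write-Log ("Deleting {0} ({1} bytes)" -f $f.FullName, $f.Length)
    }
    Write-Log ("xfer folder: {0} file(s), {1} bytes total" -f $files.Count, ($files | Measure-Object Length -Sum).Sum)
    if (-not $DryRun) { Remove-Item -Path $XferPath -Recurse -Force }
} else {
    Write-Log "xfer folder not found at $XferPath (nothing to delete)"
}

# Step 5: delete *.tmp files in the Windows temp folder (top level only, as the post describes).
$tmpFiles = Get-ChildItem -Path $TempPath -Filter "*.tmp" -Force | Where-Object { -not $_.PSIsContainer }
foreach ($t in $tmpFiles) {
    Write-Log ("Deleting {0} ({1} bytes)" -f $t.FullName, $t.Length)
    if (-not $DryRun) { Remove-Item -Path $t.FullName -Force -ErrorAction SilentlyContinue }
}
Write-Log ("temp folder: {0} .tmp file(s) removed" -f $tmpFiles.Count)

# Step 6: restart the SEP services.
if (-not $DryRun) {
    & smc -start
    Start-Service -DisplayName "Symantec Endpoint Protection"
    Write-Log "SEP services restarted; run a full scan (step 7) and restart in normal mode (step 8)"
} else {
    Write-Log "Dry run complete; no files deleted and no services touched"
}
```

Run it once with `-DryRun` to review the log before deleting anything. Remove-Item bypasses the Recycle Bin, so the post's "empty the recycle bin" reminder only matters for files removed by hand through Explorer; the log file lists exactly what was removed, which is useful when reconciling the 12000 detections the reporting server recorded against what was actually on disk.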



  • 5.  RE: Trojan Horse detected in "Xfer" Directory (i.e. Symantec detecting itself)

    Posted Jun 04, 2009 02:55 PM
    Well if that's the case you can use the SymDelTmps tool. Call support and get this tool.
    The "SymDelTmps" utility is designed to search for and delete "LiveUpdate" temp files and "zero byte.dax" file


  • 6.  RE: Trojan Horse detected in "Xfer" Directory (i.e. Symantec detecting itself)

    Posted Jun 04, 2009 03:10 PM
    Thanks, I did something similar on my own, but in a more butcher type way (navigated to the folder and emptied both it and the quarantine). It's not a lot of machines, just a select group of them.

    It doesn't seem to be causing problems except for disk space and the nuisance factor. We turn our computers off at night, then on in the morning. Is the temporary folder emptied by Norton at any point in the startup or shutdown process?

    I might just wait until the morning to see what happens. Thanks for the suggestions.