Endpoint Protection


Virus Alerts in Temporary Internet Files Folder Windows 7

  • 1.  Virus Alerts in Temporary Internet Files Folder Windows 7

    Posted Mar 02, 2011 07:52 PM

    Today I have received lots of alerts from SEP clients about viruses being in C:\Users\userabc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\

    It seems that these computers are randomly being flagged as having a virus and SEP is deleting the .htm file in question. Is this a false positive due to new definitions perhaps? Has anyone else seen this behavior?

    Thanks.

     



  • 2.  RE: Virus Alerts in Temporary Internet Files Folder Windows 7

    Broadcom Employee
    Posted Mar 02, 2011 09:55 PM

    what was the threat and the filename?



  • 3.  RE: Virus Alerts in Temporary Internet Files Folder Windows 7

    Broadcom Employee
    Posted Mar 03, 2011 05:16 AM

    Hi,

    By default, when the Symantec Endpoint Protection client receives a new set of definitions, it performs a Defwatch Scan. A Defwatch Scan is a scan of all the items which have been placed in Quarantine by Symantec Endpoint Protection. The purpose of this scan is that a newer set of definitions can sometimes clean an infected file (thus returning it to a non-infected state) which previous definitions could only detect. When a Defwatch Scan is performed, .tmp files are created while the quarantined threats are scanned. If everything works as designed, these files should be deleted immediately after the scan completes; however, in some circumstances these files are not deleted and are instead detected by Symantec Endpoint Protection as threats.

    In certain circumstances, Auto-Protect or scheduled scans may detect previously quarantined files (DWH*.tmp) in the %temp% folder on Windows Vista, Windows 7, or later.

    This issue (DWH*.tmp) has been resolved in SEP 11 RU6 MP1 and later versions.
     
    OR 
     
    Remove all instances of the .tmp files
    • Stop the Symantec Management Client service
    • Delete the contents of the temporary folders and the Quarantine folder
    • Delete and then recreate the Quarantine folder
    • Restart the Symantec Management Client service
    Detailed Steps:

    Stop the Symantec Management Client service
    • Click Start, then Run
    • Type: smc -stop
    • Click OK
    Open the Command Prompt
    • Click Start
    • Click All Programs
    • Click Accessories
    • Right-click Command Prompt
    • Click Run as administrator
    • Click Yes or enter your password

    Delete the contents of the User’s Temporary Folder
    • Login as the user who is receiving the .tmp file detections
    • From the Command Prompt, type in:
    • del /F /Q %temp%
    Delete the contents of the Windows Temporary Folder
    • From the Command Prompt, type in:
    • del /F /Q "C:\Windows\Temp"

    Delete the contents of the "xfer" and "xfer_tmp" Folders
    • From the Command Prompt, type in:
    • del /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer"
    • del /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp"
    Delete the Quarantine Folder
    • From the Command Prompt, type in:
    • del /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
    • rd /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
    Recreate the Quarantine Folder
    • From the Command Prompt, type in:
    • md "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
    Restart the Symantec Management Client service
    • Click Start, then Run
    • Type: smc -start
    • Click OK

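    The DWH*.tmp clean-up above, collected into one script as an added example (this is not code from the post or from Symantec). It assumes the default SEP 11 data path under %ProgramData%, an elevated PowerShell session run as the user who sees the detections (so $env:TEMP is that user's temp folder), and that smc.exe is reachable on PATH; pass -Smc with the full path to the client folder if it is not. The $SepData and $Smc parameter names are this script's own.

```powershell
# Added example: automates the DWH*.tmp clean-up procedure described in the post.
# Assumptions (not from the original post): SEP 11 default install paths on
# Windows Vista/7, an elevated PowerShell session, smc.exe reachable on PATH.
# Supports -WhatIf so the deletions can be previewed before they are made.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SepData = (Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection'),
    [string]$Smc     = 'smc.exe'
)

$quarantine = Join-Path $SepData 'Quarantine'

# Folders whose top-level files are removed, mirroring "del /F /Q <folder>" in the post.
$targets = @(
    $env:TEMP,
    (Join-Path $env:SystemRoot 'Temp'),
    (Join-Path $SepData 'xfer'),
    (Join-Path $SepData 'xfer_tmp')
)

# Stop the Symantec Management Client first; with a client password set, smc prompts for it.
& $Smc -stop
Start-Sleep -Seconds 5

foreach ($dir in $targets) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # "del /F /Q" without /S only clears files at the top level; do the same here.
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Delete')) {
                Remove-Item -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue
            }
        }
}

# Quarantine is wiped recursively (del /S + rd /S in the post) and then recreated empty.
if (Test-Path -LiteralPath $quarantine) {
    if ($PSCmdlet.ShouldProcess($quarantine, 'Remove recursively')) {
        Remove-Item -LiteralPath $quarantine -Recurse -Force
    }
}
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null

# Bring the client back up.
& $Smc -start
```

    Run it once with -WhatIf to see exactly which files would go. Note the trade-off the later posts in this thread run into: wiping Quarantine also destroys the quarantined samples, and those are the copies you would export for submission to Security Response or VirusTotal. Export any sample you still need before running the clean-up.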

  • 4.  RE: Virus Alerts in Temporary Internet Files Folder Windows 7
    Best Answer

    Trusted Advisor
    Posted Mar 03, 2011 06:11 AM

    Hello,

    Well, it doesn't seem to be a False Positive!!

    However, Please let us know the following:

    1) Filename and the Name of the Threat Symantec is detecting it as.

    2) Is this happening on all machines or only on 1 machine?

     

     

    Here are a few suggestions, and they really work...

    1) Make sure all the Microsoft security patches and Service Pack updates are in place.

    2) Use Symantec Support Tool.

    Check the steps on how to Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    To explain the entire procedure, please follow the steps below:
     
    1) Download the Symantec Endpoint Protection Support Tool from
     
     
    2) To generate this data for Technical Support, please follow the steps below:
     
                a. Open the utility, and accept the license agreement.
                b. Place a check mark next to each category that is relevant to your issue, and then click Next.
                c. After the utility has finished collecting data, click Collect full data for support.
     
     
    This data is saved by default to the root of drive C, with a filename in the following format:
    "<computer name>_<date>_<time>_full.sdbz" 

    Submit this report to your Technical Support agent by attaching the .sdbz file to the email he/she has sent to you, as a file attachment. 

    This will automatically attach the report file to your case. 
     
     
    3) While running the utility, you can collect the suspicious files as shown in the picture below:

    By clicking on the button "Copy the files to a single location", you can save the suspicious files to a particular directory of your choice.
     
    Please zip the files. Make sure that the zip file does not include more than 9 files and/or exceed 10MB in size.

     

    4) You will want to submit these suspicious files, to the Symantec Security Response for analysis, Click on this link to begin the process:

    https://submit.symantec.com/gold/

    Fill out the form and upload the file(s).

    Your Technical Contact ID:  (check with your Local Technical Support Representative)

     
    You will receive a confirmation email with a tracking number, and within 24 to 48 hours you should receive an email telling you if the file is viral or not. If it is viral, you will be provided with a set of rapid release definitions. These can be installed to your system so that Symantec Endpoint Protection or Symantec AntiVirus can then detect the infected file and prevent a re-infection.
     
    5) Submit the file to Threat Expert (owned by Symantec).
    Automated analysis can be performed for some types of threats through http://www.threatexpert.com. This step can quickly identify the sites the threat is coded to contact so they can be blocked at the firewall. Symantec Support does not provide troubleshooting for http://www.threatexpert.com, and this step does not replace the need to submit files to Symantec Security Response.
     
     


  • 5.  RE: Virus Alerts in Temporary Internet Files Folder Windows 7

    Posted Mar 03, 2011 10:18 AM

    It is not uncommon for us to detect risks in that particular directory. This is where Internet Explorer places all temporary files needed for web pages to load. There are certainly many sites out there that are either intentionally malicious, or have been compromised in some way by a risk.

    Most likely this is not a false positive, however in order to better address this we do need at least the risk name and the file name that was detected. This information can be located directly from the client if you open View Logs>Antivirus and Antispyware Protection>Risk Log.

    You may also view this information from within the SEPM, Monitors>Logs>Log type: Risk

    Ensure that you select a time range that will include the detections in question.

    Regards,



  • 6.  RE: Virus Alerts in Temporary Internet Files Folder Windows 7

    Posted Mar 03, 2011 08:21 PM

    The file name is always cd[1].htm and is categorized as a Downloader. It appears to create a random named folder in the Content.IE5 folder. I have noticed that today all of the instances have been deleted by the SEP client.



  • 7.  RE: Virus Alerts in Temporary Internet Files Folder Windows 7

    Posted Mar 04, 2011 01:56 PM

    Downloader is the infection categorization.

    We've seen about 28 individual systems get this (all Cleaned by Deletion) in the past three days. Exact same symptoms as the poster.

    IE use systems have the file recorded in the temp internet cache when its caught:

    <user profile>/Local Settings/Temporary Internet Files/Content.IE5/<RANDOM CACHE VALUE>/cd[1].htm

    We have one Firefox user who also caught Downloader and it's similar but doesn't get to the cd[1].htm mark:

    Local Settings/Application Data/Mozilla/Firefox/Profiles/<profile name>/Cache/B8EB878Dd01

     

    As noted, these are cleaned by deletion.  We don't use central quarantine.  Is there a good way to capture this file for upload?

     

    EDIT:  

    I found that the Cleaned by Deletion files were still on the systems in Quarantine. I exported one and uploaded it to VirusTotal and it had 0 hits (including Symantec). I checked the export and it's a list of where Symantec caught the file from the SEP client. Again, is there a way for me to get this file for upload somewhere?

     

     

    Thanks.

     

    J



  • 8.  RE: Virus Alerts in Temporary Internet Files Folder Windows 7

    Trusted Advisor
    Posted Mar 04, 2011 02:08 PM

    Hello,

    Today, I had worked on a Similar case with one Symantec Customer.

    The Threat was being detected as Backdoor.IRC.Bot. http://www.symantec.com/security_response/writeup.jsp?docid=2003-102711-3533-99

    Is that the same threat which Symantec detects?

    Symantec may also detect Threats like Downloader and Trojan.Gen in the same directory, however, the most important Threat to concentrate on is Backdoor.IRC.Bot.

    There are a few plans of action for such threats.

    1) Remove the machine from the Network

    2) Run the Symantec Recovery Tool. Follow the Symantec KB for the same.

    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions

    http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

    Symantec Endpoint Recovery Tool (SERT)

    https://www-secure.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert

    3) Update the machines with ALL the Microsoft Service Packs and Security Patches

    4) Disable the System Restore from GPO

    5) Disable the AutoRun from GPO

     

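    Steps 4 and 5 of the plan above are GPO settings. As an added example (not from the post or from Symantec), the script below audits the local policy values those two Group Policy settings write, and with -Enforce sets them directly, which is an assumption for machines that are off the network, as step 1 requires, and cannot pick up a GPO refresh. The registry paths and values are the ones the "Turn off Autoplay" and "Turn off System Restore" policies use; the $policies table and the -Enforce switch are this script's own.

```powershell
# Added example: audit (and optionally enforce) the local policy values behind the
# "Disable AutoRun" and "Disable System Restore" GPO settings from the post above.
# Run elevated. Without -Enforce it only reports; with -Enforce it writes the values.
param([switch]$Enforce)

# Policy registry values written by the corresponding Group Policy settings.
# NoDriveTypeAutoRun = 0xFF disables AutoRun on every drive type; DisableSR = 1 turns
# System Restore off so an infected restore point cannot reintroduce the threat.
$policies = @(
    @{ Name     = 'AutoRun disabled on all drive types'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'
       Expected = 0xFF },
    @{ Name     = 'System Restore disabled'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
       Value    = 'DisableSR'
       Expected = 1 }
)

foreach ($p in $policies) {
    # A missing key or value reads as $null, which counts as non-compliant.
    $current = (Get-ItemProperty -Path $p.Path -Name $p.Value -ErrorAction SilentlyContinue).($p.Value)
    $compliant = ($current -eq $p.Expected)

    [pscustomobject]@{
        Policy    = $p.Name
        Current   = $current
        Expected  = $p.Expected
        Compliant = $compliant
    }

    if (-not $compliant -and $Enforce) {
        # Create the policy key if it does not exist yet, then write the DWORD.
        New-Item -Path $p.Path -Force | Out-Null
        New-ItemProperty -Path $p.Path -Name $p.Value -PropertyType DWord `
                         -Value $p.Expected -Force | Out-Null
    }
}
```

    A value written locally this way is overwritten by the next Group Policy refresh if the domain policy differs, so the GPO in the post remains the setting of record; use the local write only on isolated hosts during clean-up, and turn System Restore back on once the machine is verified clean.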


  • 9.  RE: Virus Alerts in Temporary Internet Files Folder Windows 7

    Posted Mar 04, 2011 02:08 PM

    Symantec Tracking #19419601

    ThreatExpert will not take .htm files. VirusTotal did: 2/43 showing malware.



  • 10.  RE: Virus Alerts in Temporary Internet Files Folder Windows 7

    Posted Mar 04, 2011 02:17 PM

    You'll have to open a case with Support and ask them to request a Second Look from Security Response on that submission because you believe it's a False Positive. 



  • 11.  RE: Virus Alerts in Temporary Internet Files Folder Windows 7

    Trusted Advisor
    Posted Mar 08, 2011 05:50 AM

    Hello,

    This is in reference to the Tracking # 19419601

    Symantec Security Response has identified the cd[2].htm as Threat 'Downloader' with our existing certified LiveUpdate definitions.