Mumbai Security and Compliance User Group


How to Stop Auto-Protect Scanning

  • 1.  How to Stop Auto-Protect Scanning

    Posted Dec 24, 2010 04:58 AM

    Hello...

    Please let me know how to stop Auto-Protect scanning; I'm using SEP 11 RU6.

    When I tried stopping all the services related to Symantec, the file still gets detected: when I try to extract a zip file which contains 1 file, the file gets deleted while extracting, as I found in the SEP risk logs.

    So please let me know: even after stopping all the services, how does the file get deleted?



  • 2.  RE: How to Stop Auto-Protect Scanning

    Broadcom Employee
    Posted Dec 24, 2010 05:15 AM

    You should be stopping "Symantec Endpoint Protection" from services.msc.

    It should not detect the file when all the Symantec services are stopped. In the task bar, check whether rtvscan.exe is still running after stopping the services.



  • 3.  RE: How to Stop Auto-Protect Scanning

    Posted Dec 24, 2010 05:21 AM

    Hello Pete...

    I have tried stopping the services from services.msc, but the file still gets detected.

    I also tried running Process Explorer to see whether any process related to Symantec is running, but there is no service related to Symantec.



  • 4.  RE: How to Stop Auto-Protect Scanning

    Broadcom Employee
    Posted Dec 24, 2010 05:31 AM

    Strange. Did you check whether rtvscan.exe shows in Task Manager after stopping the services?

    You can check the following:

    Stop the AV service, select a file and right-click on it to scan; it should throw the message "SEP cannot perform a right click scan. Make sure SEP service is started"

    It means that with the service stopped, the AV cannot scan a file.



  • 5.  RE: How to Stop Auto-Protect Scanning

    Posted Dec 24, 2010 05:36 AM

    Hello...

    I know that right-click scanning will not work, but I don't know how the file gets deleted.

    I checked Task Manager & Process Explorer; no service related to Symantec is running.



  • 6.  RE: How to Stop Auto-Protect Scanning

    Broadcom Employee
    Posted Dec 24, 2010 05:38 AM

    What does the risk log read? Can you post it?



  • 7.  RE: How to Stop Auto-Protect Scanning

    Posted Dec 24, 2010 05:56 AM

    Hello Pete.

    Please find below the logs & screenshot for the risk logs.

    Attachment(s): Risk Logs.xls (204 KB)


  • 8.  RE: How to Stop Auto-Protect Scanning

    Posted Dec 24, 2010 06:09 AM

    Hi,

    Do you see the file that you are trying to download in the risk logs? Indicate which one it is.

    Also, kindly attach the risk logs after exporting them.



  • 9.  RE: How to Stop Auto-Protect Scanning

    Broadcom Employee
    Posted Dec 24, 2010 06:11 AM

    Yeah! The AP has detected the threats. It's quite weird: when the services are down, how can the AV detect/scan the threat/file?



  • 10.  RE: How to Stop Auto-Protect Scanning

    Posted Dec 24, 2010 06:12 AM

    Hi,

    You can create a test folder, then exclude that folder from auto scan. I open my infected zip file like this.

    Best Regards.

    Fatih



  • 11.  RE: How to Stop Auto-Protect Scanning

    Posted Dec 24, 2010 06:13 AM

    But!

    I saw your picture now. You have Downadup. That virus can damage your system! You must be careful.



  • 12.  RE: How to Stop Auto-Protect Scanning

    Posted Dec 24, 2010 12:06 PM

    You can disable AP on the client assuming it is configured to do so in the SEPM.

    On the client under AV, click Options and disable it from there.



  • 13.  RE: How to Stop Auto-Protect Scanning

    Posted Dec 24, 2010 12:16 PM


  • 14.  RE: How to Stop Auto-Protect Scanning

    Posted Dec 24, 2010 04:48 PM

    The simplest solution is to disable Auto-Protect from the AV/AS policy in SEPM or locally on the client: open the client's window, click on AV/AS and select to disable it. This will disable both Auto-Protect and scans.

    And you've got Downadup. It is a very dangerous threat and you should remove the infection. We also have a removal tool. Check http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99



  • 15.  RE: How to Stop Auto-Protect Scanning

    Posted Jan 20, 2011 01:52 AM

    You should be stopping "Symantec Endpoint Protection" from services.msc.

    Best Regards.

    Shantanu



  • 16.  RE: How to Stop Auto-Protect Scanning

    Posted Jan 24, 2011 03:25 AM

    For the time you want to handle your file, you can stop/start your SEP client with some "autorun" commands.

    Enter

    "smc.exe -stop"

    or

    "smc.exe -start"



  • 17.  RE: How to Stop Auto-Protect Scanning

    Posted Jan 24, 2011 04:07 AM

    Seems like you have a WebEx session open? On a call with support?

    You need to stop smc.exe. If you try to stop that from services.msc it will be grayed out; you won't have any option to stop it or disable it.

    So do it from Run:

    Start > Run

    smc -stop

    That's it.