Endpoint Protection


Symantec Endpoint XFER Folder Looping, Getting Out of Hand

  • 1.  Symantec Endpoint XFER Folder Looping, Getting Out of Hand

    Posted Aug 06, 2009 12:02 PM
    Hello,

    We're having a huge issue systemwide with Symantec Endpoint, version 11.0.4202 (release MR4 MP2), where the XFER folder and Quarantine folder in the (/All Users/Application Data/Symantec/Symantec Endpoint Protection/) directory keep looping, essentially multiplying itself endlessly. What appears to happen is Symantec will detect a "Trojan Horse" or "Downloader" in the XFER folder and move it to quarantine. For some reason it will immediately redetect the same thing in the XFER folder, and repeat this process endlessly.

    This occurs ONLY after a full scan is run. We have a scheduled full scan to run every Thursday morning at 2:00 A.M. when nobody is logged on to any computer. When we arrive in the morning Symantec's reporting over 60,000 new viruses quarantined.

    This is not just one computer but many. Not all of them do it either. It is becoming a major concern and I thought that this was fixed in the latest release, but evidently something is being buggy.

    I have read through this forum and have noticed others with the same problem, but the given solution is generally just to clear it out, uninstall, etc. I would like to see at least some acknowledgement or help on this issue if possible, as it will be very irritating to have to go throughout each of our buildings and hunt down these machines manually just to clear out a detection error.

    If any other information is needed, please let me know. I am more than willing to take screenshots or gather data to get this resolved.

    Here is a screenshot noting this:



  • 2.  RE: Symantec Endpoint XFER Folder Looping, Getting Out of Hand

    Posted Aug 06, 2009 12:10 PM
    I see that you stated you have MR4 MP2. Is this accurate for your clients as well? We have seen that any process that may touch our temporary files in that directory may cause Auto-Protect to then scan the files. An example of this is the Windows Indexing Service.

    Here is a document discussing how to also delete the files.
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548

    If the quarantine folder is emptied, then when we try to scan the quarantined files to see if we can repair them, nothing will be in the folder, therefore nothing will be copied to the xfer_tmp folder.


    If this doesn't help with your issue, I suggest calling into support and opening a case. There is a tool called symdeltemps that you can obtain which can delete these files.


  • 3.  RE: Symantec Endpoint XFER Folder Looping, Getting Out of Hand

    Posted Aug 06, 2009 12:15 PM
    Thanks for the reply Steve.

    The version my clients are running is: 11.0.4202.75

    It's not the xfer_tmp folder that is clogging up. It's just the XFER folder that is clogging.

    This is the exact location of one of them:

    c:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/xfer/4a609339.tmp

    I can delete the folders just fine (it takes like 10 minutes though for Windows to get through the sheer mass of files to delete). No errors there.





  • 4.  RE: Symantec Endpoint XFER Folder Looping, Getting Out of Hand

    Posted Aug 06, 2009 12:21 PM


  • 5.  RE: Symantec Endpoint XFER Folder Looping, Getting Out of Hand

    Posted Aug 06, 2009 12:24 PM
    EDIT


  • 6.  RE: Symantec Endpoint XFER Folder Looping, Getting Out of Hand

    Posted Aug 06, 2009 12:25 PM
    Yes, it is the same problem. I realize that I should have just added to that original thread, but I felt that creating a new one with more detailed information and screenshots would be more beneficial now that I've had time to see how the problem occurs/develops.

    It seems to be compounding and getting worse as the months pass. New machines are receiving this issue that weren't back then.


  • 7.  RE: Symantec Endpoint XFER Folder Looping, Getting Out of Hand

    Posted Aug 06, 2009 12:26 PM
    That location may have them as well. The fix in MR4 MP2 that you may have seen is specifically for dwhxxxd.tmp files in the Windows temp folder or in the %temp% folder.

    I would suggest investigating to see if there is another process touching our files. As I stated before, the Windows Indexing Service can be suspect. I have also seen where users have inadvertently installed software such as Spybot S&D or Ad-Aware, that have a real-time scanner as well. So when our process dumps the quarantine into the XFER folder, that other program sees that and scans the files. This will then cause our Auto-Protect to see those file I/Os and then re-scan the files again.

    I hope this helps.
    I would also like to say that we have gotten reports of this. But in the end, every case we have seen, this issue has been caused by another process touching our files.



  • 8.  RE: Symantec Endpoint XFER Folder Looping, Getting Out of Hand

    Posted Aug 06, 2009 12:28 PM
    Ok, thanks for the advice Steve. I will take a closer look and see what may be happening in regards to other processes interfering.


  • 9.  RE: Symantec Endpoint XFER Folder Looping, Getting Out of Hand

    Posted Aug 06, 2009 12:51 PM
    Steve,

    Is there any good way of narrowing this down? The machines are not logged in when the scheduled scan starts (they are at the CTRL-ALT-DEL screen) so that limits what processes we have running.

    You mentioned the windows indexing service. Are you recommending we turn that off?
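    One way to narrow this down on an affected machine is to look at when the files in the XFER folder were written: a burst of writes at the scheduled scan time followed by continuing writes hours later means the detect/quarantine/re-detect loop is still running, while a burst that stops means something only touched the files once. The script below is an added example, not a Symantec tool or code from this thread; it assumes the folder path quoted above and treats the "still looping" window (10 minutes) as an arbitrary threshold.

```python
import os
import time
from collections import Counter
from datetime import datetime

# Location quoted in the thread; adjust for the machine being checked.
XFER_DIR = r"C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer"


def collect_entries(directory):
    """Return (name, size_bytes, mtime) for every .tmp file in the folder."""
    entries = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if name.lower().endswith(".tmp") and os.path.isfile(path):
            st = os.stat(path)
            entries.append((name, st.st_size, st.st_mtime))
    return entries


def summarize(entries, now=None, bucket_seconds=60, recent_seconds=600):
    """Describe the growth pattern of the folder.

    peak_per_bucket: most files written within any single bucket (a minute).
    recent: files written in the last recent_seconds; non-zero long after the
    scheduled scan finished means the re-detect loop is still running.
    """
    now = time.time() if now is None else now
    if not entries:
        return {"count": 0, "total_bytes": 0, "first": None, "last": None,
                "peak_per_bucket": 0, "recent": 0, "still_looping": False}
    mtimes = [m for _, _, m in entries]
    buckets = Counter(int(m // bucket_seconds) for m in mtimes)
    recent = sum(1 for m in mtimes if now - m <= recent_seconds)
    return {"count": len(entries), "total_bytes": sum(s for _, s, _ in entries),
            "first": min(mtimes), "last": max(mtimes),
            "peak_per_bucket": max(buckets.values()),
            "recent": recent, "still_looping": recent > 0}


def report(directory=XFER_DIR):
    s = summarize(collect_entries(directory))
    fmt = lambda t: datetime.fromtimestamp(t).strftime("%Y-%m-%d %H:%M:%S") if t else "n/a"
    print(f"{directory}\n  files: {s['count']}  size: {s['total_bytes'] / 1e6:.1f} MB")
    print(f"  first write: {fmt(s['first'])}  last write: {fmt(s['last'])}")
    print(f"  busiest minute: {s['peak_per_bucket']} files; last 10 min: {s['recent']}")
    print("  loop still active" if s["still_looping"] else "  folder is quiet now")
    return s


if __name__ == "__main__":
    import sys
    report(sys.argv[1] if len(sys.argv) > 1 else XFER_DIR)
```

    Run it once right after the Thursday scan and again later in the day; a "last write" that keeps advancing with nobody logged on points at a background process (indexing, another real-time scanner) re-touching the files.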


  • 10.  RE: Symantec Endpoint XFER Folder Looping, Getting Out of Hand

    Posted Aug 06, 2009 02:09 PM
    Can I ask what the purpose of the XFER folder is and what part it actually plays in the quarantining of a virus?

    To my understanding, the XFER folder should be emptied when the virus actually becomes quarantined. However, that doesn't appear to be happening with any of the detections on these machines. As I mentioned it loops endlessly but never ends up clearing the older detections.



  • 11.  RE: Symantec Endpoint XFER Folder Looping, Getting Out of Hand

    Posted Dec 23, 2009 12:38 PM
    I know this is an old thread, but my reply might help another since this is an ongoing issue to this date.

    History:
    The xfer folder is for items that have been transferred from an older version of Symantec. The issue started to happen when you choose not to delete or purge quarantine files when you upgrade.

    However, this has been an issue since most upgrades are done by network with elevated permissions for all machines... when a limited-access user logs on to any of these upgraded workstations, they will not be given the options to delete and remove these files.

    Diagnostic:
    The main issue is they will be there even if you delete tmp files from your system. All replies from Symantec techs were limited to deleting these files, but they have not addressed the issue of size and rescan. These will not even show in the manager console so you cannot standardize or reconfigure options for purge once that is done ...
    My experience with this issue has been more than painful. Quite frankly, not impressed by Symantec responses and fixes for the issue (none has been produced yet).

    Final Thought:
    There is a tool you can download from the Symantec FTP site (Symantec Cleanup tool); it will remove all Symantec products from your workstation ...
    I have also noticed that most upgrades were having this issue for both 11.0.2 & 11.0.5 versions when Sylink Replacer is used.
    Bottom line, there is no easy way of fixing this issue. Maybe in the next version of Endpoint. If you have 100s of PCs, then you can start the crying ... if you have 10 or around, I would suggest removing all Endpoint clients using the Symantec Cleanup tool, then create a deployment package & store it in a network drive... and do the installation from there one by one. Once done, you can copy the sylink.xml file from the Endpoint server and replace it on all workstations with that file ....


    I hope this helps someone