Endpoint Protection


SEP detects its own folder

Migration User

Migration User, May 25, 2009 01:27 PM

  • 1.  SEP detects its own folder

    Posted May 18, 2009 08:26 PM
    Hi,

    We have SEP with MR4 MP1a. Every time it runs a full system scheduled scan, it detects trojans in this folder:
    c:/Documents and Settings/All Users/Application Data/Symantec/Symantec Endpoint Protection/xfer/

    Do we really have to have this and then make an exemption?


  • 2.  RE: SEP detects its own folder

    Posted May 18, 2009 11:33 PM
    Please add these to your centralized exceptions. Are the infected files in .tmp format?


  • 3.  RE: SEP detects its own folder

    Posted May 19, 2009 10:51 AM
    We are running the same version and having the same issue on a handful of machines. We currently have around 1200 systems on our site. The XFER folder is filling up with .TMP files and it causes the disk to run out of space.

    As far as I can tell these files are not infected, even though SEPM is saying it's a downloader/viral. Please see the attached report from the console. I have noticed that our Quarantine server is full because there are so many TMP files.


  • 4.  RE: SEP detects its own folder

    Posted May 19, 2009 12:51 PM
    @Paul: Yes they are in .tmp

    But my question is: do we really have to go through this process of adding exemptions for itself? Why can't we just have Symantec delete them during migration if they cannot be used, or have them cleaned when the user logs off?


  • 5.  RE: SEP detects its own folder

    Posted May 20, 2009 02:11 AM
    Hi mon, I don't think it came from migration. Can you double check the risk log, because the quarantine folder of SAV is ..../7.5/xfer. Now it's in the Symantec Endpoint quarantine; can you inspect?

    Check this link:

    https://www-secure.symantec.com/connect/forums/sep-constantly-detecting-savce-quarantined-files

    You may also want to check this link as well,

    https://www-secure.symantec.com/connect/forums/bloodhound-exploit-193?sym=TRUE



  • 6.  RE: SEP detects its own folder

    Posted May 20, 2009 04:34 AM
    1.) If the client computer is running Windows XP, disable "System Restore" as per KB: http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99&tabid=3

    2.) Restart the computer in Safe Mode

    3.) Stop SEP services
    "Symantec Endpoint Protection" from START -> RUN -> services.msc
    "Symantec Management client" with command START -> RUN -> smc -stop

    4.) Delete the folder "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer\"
    (in newer installations: "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\")

    5.) Delete all .tmp files in folder "c:\windows\temp\"

    Important: empty the recycle bin...

    6.) Restart SEP services (same as point 3, except "smc -start")

    7.) Run a full-scan

    8.) Restart the computer in normal mode and, if no new alerts of malware/virus detection are shown, enable "System Restore" as from step "1"



  • 7.  RE: SEP detects its own folder

    Posted May 20, 2009 09:45 AM
    I have had the same issue and have tried the solution provided above. It worked for about 2 weeks and it is popping back up now. Any other possible solutions so we don't have to go back to the machine as often?


  • 8.  RE: SEP detects its own folder

    Posted May 20, 2009 10:11 AM
    Therefore it is time to open a ticket with Tech Support.

    Cheers,



  • 9.  RE: SEP detects its own folder

    Posted May 20, 2009 12:43 PM
    Since this is in the Quarantine folder, I'm thinking of setting the retention to between 1 and 3 days.

    Do the .tmp files retain the quarantined files as is with no encryption?


  • 10.  RE: SEP detects its own folder

    Posted May 20, 2009 12:54 PM
    The .tmp files are not the quarantined files.
    Anyway, try this:

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548

    If it resolves your issue, mark the post as the solution.



  • 11.  RE: SEP detects its own folder

    Posted May 20, 2009 02:03 PM

    @Giuseppe: What does Symantec store in the .tmp files, or in the xfer folder?
     



  • 12.  RE: SEP detects its own folder

    Posted May 21, 2009 04:19 AM
    I don't know exactly what SEP stores in the .tmp files, but because they are .tmp I guess they are just some intermediate files used to do something else, likely regarding the scan of big files or the rescan of quarantined files.
    More important: did you try the suggested solution or not?



  • 13.  RE: SEP detects its own folder

    Posted May 21, 2009 04:38 AM
    Just a question Giuseppe: if the files are already in quarantine, are they still considered to be a threat, or can they still have the capability to infect or do their purpose? I guess that's why they are turned into tmp files (just a guess), but I am confused because these tmp files are still detected by the AV.

    For example, an executable file named virus.exe was detected and then converted to 10AD2.tmp. In my experience during my young, young days, if you rename a file to a different extension, for example .exe to .txt, it will be unusable and thus will lose its capability to run. (Does this make sense, sir?)



  • 14.  RE: SEP detects its own folder
    Best Answer

    Posted May 21, 2009 05:00 AM
    Hi,
    this is the possible explanation I found in our KBs:
    "The "xfer" and "xfer_temp" folders still store files scanned by AutoProtect transferred from migrations of legacy Symantec AntiVirus (SAV) installations."
    To be honest, it seems that under some unexpected circumstances (for example a damaged file) SEP starts a loop where a file goes into quarantine (.vbn archives), then it extracts this file into a .tmp file to rescan it, it is detected and quarantined again, and so on...



  • 15.  RE: SEP detects its own folder

    Posted May 21, 2009 04:11 PM
    I didn't try the solution. When I checked the files, they're no longer there. Someone must have already deleted them.


  • 16.  RE: SEP detects its own folder

    Posted May 21, 2009 05:15 PM

    What KB? Tried searching. :(
    Is this a bug that will be fixed or is it already fixed?



  • 17.  RE: SEP detects its own folder

    Posted May 21, 2009 06:59 PM
    I talked about an internal KB. The issue is still not well investigated.


  • 18.  RE: SEP detects its own folder

    Posted May 22, 2009 12:08 AM
    @Giuseppe.Axia: we hope we could have the results of the investigation posted soon. Thanks.
    Re: the official docs with link http://service1.symantec.com/SUPPORT/ent-security....
    Why do we have to delete the whole quarantine folder? Is this to escape the hang time due to multiple files in it?
    thanks.


  • 19.  RE: SEP detects its own folder

    Posted May 22, 2009 01:18 PM
    @Giuseppe: keep us posted on that. At least my initial query on why this happens is answered. SEP does not intentionally scan the files and add them to the folder, making a loop.


  • 20.  RE: SEP detects its own folder

    Posted May 22, 2009 04:00 PM
    We are seeing this now in our environment for one user. It detected trojan.malscript 137 times during the administrator scan on the same computer against what I believe was a detection quarantined over a week ago.


  • 21.  RE: SEP detects its own folder

    Posted May 24, 2009 08:27 PM
    Giuseppe, for example we migrated 14000 workstations from SAV to SEP. I guess our problem is going to the workstations one by one and then doing the procedure you did... (whew!) Or can we just add this to our Centralized Exceptions?


  • 22.  RE: SEP detects its own folder

    Posted May 25, 2009 06:24 AM
    This was a bug that has been resolved in MR4 MP2: a full scan used to scan the quarantine folder and detect files in it as threats.


  • 23.  RE: SEP detects its own folder

    Posted May 25, 2009 01:07 PM
    Vikram are you sure this is resolved? It does not mention the XFER folder anywhere.

    MR2 document states:

    Quarantine scan causes Auto-Protect detections in %temp% folder
    Fix ID: 1525749
    Symptom: DWHWizard.exe starts the quarantine scan and moves quarantined files into the %temp% folder for scanning. Auto-Protect will occasionally detect these infected files.
    Solution: After extracting and re-scanning each quarantine item, the TMP file is deleted unless the state is now REPAIRABLE. Repairable files are used later, either to restore to the original location or to save back to Quarantine (REPAIR_ONLY mode). These files should be clean, so Auto-Protect should not detect anything in them.


  • 24.  RE: SEP detects its own folder

    Posted May 25, 2009 01:26 PM
    Does this problem still persist? Is there any patch for this?


  • 25.  RE: SEP detects its own folder

    Posted May 25, 2009 01:27 PM
    The example was really great.


  • 26.  RE: SEP detects its own folder

    Posted May 25, 2009 01:28 PM
    Sorry, I am checking quite late, but this solution provided by you worked for me.


  • 27.  RE: SEP detects its own folder

    Posted May 25, 2009 01:29 PM
    Thanks for the information, but can you please confirm?


  • 28.  RE: SEP detects its own folder

    Posted Jun 23, 2009 02:37 PM
    This issue has not been resolved and started happening to me today, on a 64-bit installation of SEP MR4 MP2.

    https://www-secure.symantec.com/connect/forums/symantec-having-identity-crisis


  • 29.  RE: SEP detects its own folder

    Posted Jun 24, 2009 10:51 AM
    We have also experienced this and I made a thread about it not too long ago, actually. It seems to clear itself up, but happens generally after a full scan has been run.


  • 30.  RE: SEP detects its own folder

    Posted Jul 12, 2009 04:20 AM
    Sir, I have had the same problem for one week. Please advise me: how do I fix it?

    Scan type: Scheduled Scan
    Event: Security Risk Found!
    Security risk detected: Trojan Horse
    File: c:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\4a23d302.tmp
    Location: c:\ProgramData\Symantec\Symantec Endpoint Protection\xfer
    Computer: ADMIN
    User: SYSTEM
    Action taken: Delete succeeded
    Date found: Sunday, July 12, 2009 10:27:46 AM
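The entry above is the kind of record the thread keeps coming back to: a detection whose "File" sits inside SEP's own xfer folder, repeated dozens or thousands of times on one machine (posts 20 and 37). The script below is an added example, not Symantec code and not from any poster here. It parses an exported risk log made of blank-line separated "Key: value" blocks in the layout quoted in this post, and reports, per computer, how many hits were .tmp files inside one of the xfer folders named in this thread versus hits anywhere else, plus the time window the xfer hits span. The folder list, the loop threshold and the sample log are assumptions and constructed data.

```python
"""Triage an exported SEP risk log for the xfer-folder rescan-loop symptom.

Added example, not Symantec code. Assumes the log is exported as blank-line
separated 'Key: value' blocks like the entry quoted in post 30 of the thread.
"""
import re
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Folders SEP writes to when it extracts quarantine items for rescanning.
# These are the paths quoted in the thread; the list is an assumption to extend.
SEP_XFER_FOLDERS = {
    r"c:\programdata\symantec\symantec endpoint protection\xfer",
    r"c:\documents and settings\all users\application data\symantec\symantec endpoint protection\xfer",
    r"c:\documents and settings\all users\application data\symantec\symantec antivirus corporate edition\7.5\xfer",
}

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")      # 'Key: value', first colon splits
DATE_FMT = "%A, %B %d, %Y %I:%M:%S %p"                # layout of 'Date found' in the quoted entry


def parse_events(text):
    """Split the export into one dict per event; a blank line ends an event."""
    events, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                events.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        events.append(current)
    return events


def is_xfer_tmp(event):
    """True when the detected file is a .tmp inside one of SEP's own xfer folders.
    PureWindowsPath normalises forward slashes, so both spellings in the thread match."""
    p = PureWindowsPath(event.get("File", ""))
    return p.suffix.lower() == ".tmp" and str(p.parent).lower() in SEP_XFER_FOLDERS


def triage(text, loop_threshold=10):
    """Per computer: xfer .tmp hits vs. other hits, the minutes the xfer hits span,
    and whether the count reaches loop_threshold (an assumed cut-off for 'this looks
    like the rescan loop rather than a real infection')."""
    per_host = defaultdict(lambda: {"xfer_tmp": 0, "other": 0, "first": None, "last": None})
    for ev in parse_events(text):
        rec = per_host[ev.get("Computer", "?")]
        if not is_xfer_tmp(ev):
            rec["other"] += 1
            continue
        rec["xfer_tmp"] += 1
        try:
            ts = datetime.strptime(ev.get("Date found", ""), DATE_FMT)
        except ValueError:
            continue                      # keep counting even if a timestamp is malformed
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    report = {}
    for host, rec in per_host.items():
        window = None
        if rec["first"] is not None and rec["last"] is not None:
            window = int((rec["last"] - rec["first"]).total_seconds() // 60)
        report[host] = {
            "xfer_tmp": rec["xfer_tmp"],
            "other": rec["other"],
            "window_minutes": window,
            "likely_rescan_loop": rec["xfer_tmp"] >= loop_threshold,
        }
    return report


# Constructed sample data, modelled on the entry quoted in post 30.
EVENT_TEMPLATE = """Scan type: Scheduled Scan
Event: Security Risk Found!
Security risk detected: Trojan Horse
File: {file}
Location: {folder}
Computer: {host}
User: SYSTEM
Action taken: Delete succeeded
Date found: {when}
"""


def make_sample_log():
    """Twelve xfer .tmp hits on ADMIN within eleven minutes, plus one ordinary
    detection on WS01 (constructed, hypothetical hosts and file names)."""
    xfer = r"c:\ProgramData\Symantec\Symantec Endpoint Protection\xfer"
    blocks = []
    for i in range(12):
        when = datetime(2009, 7, 12, 10, 27 + i, 46).strftime(DATE_FMT)
        blocks.append(EVENT_TEMPLATE.format(
            file=rf"{xfer}\4a23d3{i:02d}.tmp", folder=xfer, host="ADMIN", when=when))
    blocks.append(EVENT_TEMPLATE.format(
        file=r"c:\Users\alice\Downloads\invoice.exe", folder=r"c:\Users\alice\Downloads",
        host="WS01", when=datetime(2009, 7, 12, 11, 2, 0).strftime(DATE_FMT)))
    return "\n".join(blocks)


if __name__ == "__main__":
    for host, rec in triage(make_sample_log()).items():
        print(host, rec)
```

Hosts flagged with `likely_rescan_loop` are the ones where the cleanup in post 6 (or a support case) is worth the trip, while the `other` count keeps genuine detections from being buried in the noise that throws reporting off; the threshold is deliberately a parameter because the right value depends on how many items a machine's quarantine holds.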


  • 31.  RE: SEP detects its own folder

    Posted Jul 12, 2009 04:56 AM

    @noufal: The answer is the 6th entry of this discussion.


  • 32.  RE: SEP detects its own folder

    Posted Jul 13, 2009 06:57 AM
    Hi,

    I am reading some questions regarding the investigation. To continue it, in order to prevent it from happening again, we need affected customers to open a case with support.

    Regards,


  • 33.  RE: SEP detects its own folder

    Posted Jul 30, 2009 10:42 AM
    Case # 320-189-116, open since 4/22/09. The initial problem was reported on the Symantec forums over a year ago. My case has been escalated to the engineer level, still no solution. Have been told it is fixed in each successive release; however, this is not the case. It is definitely still an issue in MR4 MP2.


  • 34.  RE: SEP detects its own folder

    Posted Jul 30, 2009 10:53 AM
    I had already pointed out in an above note, with a link to a different thread, the exact same symptoms.
    What I find funny is the "it has been resolved in MR4 MP2", which was installed on the machine at the time this occurred.

    Also noteworthy is a Single machine out of the entire network, one that happens to not have internet connectivity, is the only one to have been affected.

    Cleaned out the folder containing the said quarantined files and have heard no complaints or indications from SEP about anything returning to plague the machine.  Seems to have been an isolated incident, which occurred for a few hours, from midnight to about 6 am.  Very odd indeed. 

    Thanks nonetheless for the assistance.


  • 35.  RE: SEP detects its own folder

    Posted Jul 30, 2009 01:37 PM
    That's a good update...
    Looks like we better upgrade to MR4 MP2...

    Just curious why the only affected PC was the one without an internet connection..
    Hmmm...


  • 36.  RE: SEP detects its own folder

    Posted Jul 30, 2009 01:49 PM
    Should have been more specific. Almost no Windows machine in this environment, other than a handful of servers, has internet access. Even those that do need to connect through a proxy/firewall requiring user/pass to get out to the net.

    Among those servers are the SEPM server and the WSUS server. Both need to authenticate (manually) to get out. Part of the twice-daily tasks...

    I see way too many administrators struggling constantly to "clean up viruses" and "malware" on production machines to run that risk. 

    We had an outbreak here once, about 5 years ago...  Never again.  No external devices connected to the network.  Any materials that do come in on USB / external drive, etc. are scanned on a non-network controlled environment before being allowed access into the network. 

    The mail server has a SPAM firewall with 2 AVs sitting at its border, and the mail server itself has SEP installed on it. Paranoid much? Yes, most definitely.

    We have set up an "internet cafe" for all employees; they are not connected to the internal network and can browse freely, or just about, with limitations on the net.

    We are considering placing an external AP for employees' personal laptops as well, to have a direct connection to the internet without worrying about compromising internal security.
     


  • 37.  RE: SEP detects its own folder

    Posted Jan 25, 2010 10:40 AM
    We run a scheduled scan across our entire environment once a month. Each month we see a handful of systems that show these same symptoms. These systems were fresh builds, not upgraded/migrated from SAV 10.x.

    The only difference is that we are not just seeing 100 or 200 instances per machine, but rather 2000+, which throws our reporting way off.  I have tried to determine if these are actual risks detected, and from what I can tell there is no risk (ran the tmp file through a hex editor, as well as Ollydbg).