Endpoint Protection


DWH###.TMP files being quarantined as viruses

  • 1.  DWH###.TMP files being quarantined as viruses

    Posted May 14, 2010 11:23 AM
    I have 2 machines out of about 100 that both have this issue. I'm not sure why these 2 do and none of the others do. This is basically the issue: http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/5acc619d5a30571b882573980069a3cd?OpenDocument One of them detects these files as bloodhound.exploit.196, and the other as malscript!.html or something like that. I've pulled one of these off the computers in question and run tons of scans... the files do not get caught when scanned on other computers. I've followed the instructions in that link... disabled the indexing service completely... turned off the rescan on update... and for some reason these 2 users are still getting flooded with quarantine messages. I've also uninstalled SEP and reinstalled 11.0.6a, where this issue was supposed to be fixed. The last thing I tried this morning after it resurfaced again was to change the real time scan option from scan when accessed/modified to scan on modified only. Any idea how to fix this? The only other option I can think of is to switch to a different AV at this point.


  • 2.  RE: DWH###.TMP files being quarantined as viruses

    Posted May 14, 2010 11:29 AM
    And no... in case anyone was curious... the temp folder is not open in Windows Explorer as the article suggests... these 2 computers do not have any special software or configuration as opposed to all the others... they aren't even the same make/model of computer. Both are using Vista; one had SP1 and the other SP2... now both are SP2, but that had no effect either.


  • 3.  RE: DWH###.TMP files being quarantined as viruses

    Posted May 14, 2010 12:21 PM
    Migrate to RU6; this issue was resolved in that build. This is an issue with us detecting temp files as a virus; they are not an actual virus. You can install the RU6 build just to the clients with the issue if you are not ready to migrate the environment.


  • 4.  RE: DWH###.TMP files being quarantined as viruses

    Posted May 14, 2010 01:14 PM
    I'm not sure what RU6 is as opposed to what I have... can I get some clarification?


  • 5.  RE: DWH###.TMP files being quarantined as viruses

    Posted May 14, 2010 01:19 PM
    Just looked at fileconnect and I don't see any download available to me that says RU6 at all.


  • 6.  RE: DWH###.TMP files being quarantined as viruses

    Posted May 14, 2010 01:20 PM
    I ran into this the other day. I had to remove SEP11 and do some manual cleaning as well. After you remove the client and live update, do the following:

    Delete the DWH files from temp.
    Delete all Symantec Folders in Program Files.
    Delete the Symantec Folders under C:\Documents and Settings\All Users\Application Data

    Install whatever client you want back on and the issue is gone.

    From what I could tell, the issue is that when you get new definitions, SEP scans the quarantined files to see if any can be repaired. When SEP unzips the quarantined files, they are put in the temp folder. Then of course they are scanned by the Auto protection and the Def. scan, which causes an endless loop of quarantined files.


  • 7.  RE: DWH###.TMP files being quarantined as viruses

    Posted May 14, 2010 01:22 PM
    RU6 = 11.0.6a


  • 8.  RE: DWH###.TMP files being quarantined as viruses

    Posted May 14, 2010 01:30 PM
    Thank you for the info and clarification... so I already have RU6 on these 2 then... but I did not do all the other stuff you mentioned when I switched them. So I will try that.


  • 9.  RE: DWH###.TMP files being quarantined as viruses

    Posted May 14, 2010 02:23 PM

    Here are some helpful websites where you can get information regarding the Endpoint Protection RU6.

    Migrating to Symantec Endpoint Protection 11.0 RU6
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010041310404248?Open&docid=2009060810031348&nsf=ent-security.nsf&view=docid

    You may also refer to the URL below for specific patch downloads
    http://www.symantec.com/business/support/downloads.jsp?pid=54619

    Release notes for SEP 11.0.6
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648
    Release notes for SEP 11.0.6a

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121216360648

    Hope these links are helpful regarding your migration to RU6.

    Kind Regards,
    Liz P.


  • 10.  RE: DWH###.TMP files being quarantined as viruses

    Posted May 14, 2010 05:35 PM

    This is how I fixed it:
    • Stop the SEP service
    • Delete all of the .tmp files in c:\windows\temp
    • Delete all of the files in the SEP Quarantine folder
    • Delete all of the files in the SEP Xfer folder
    • Restart the SEP service
    In some cases I had to delete 50,000 plus files, literally GBs of data. I haven't seen a reoccurrence on the machines where I've performed this process.
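
The steps in the post above as a PowerShell script, added here as an example; it is not code from the thread or from Symantec. The service name and the Quarantine and Xfer folder paths are mandatory parameters because they are assumptions to be filled in per client, and the default `DWH*.tmp` filter is narrower than the post's "all of the .tmp files".

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: the thread does not name the SEP service; pass the name used on your client.
    [Parameter(Mandatory = $true)] [string] $ServiceName,
    # Assumption: folder locations differ by OS and SEP build, so they are not hard-coded.
    [Parameter(Mandatory = $true)] [string] $QuarantineDir,
    [Parameter(Mandatory = $true)] [string] $XferDir,
    [string] $TempDir    = 'C:\Windows\Temp',
    # Only the DWH###.TMP files from the thread title; pass '*.tmp' to match the post literally.
    [string] $TempFilter = 'DWH*.tmp'
)

$targets = @(
    @{ Path = $TempDir;       Filter = $TempFilter },
    @{ Path = $QuarantineDir; Filter = '*' },
    @{ Path = $XferDir;       Filter = '*' }
)

# Fail before touching the service if any folder is missing or mistyped.
foreach ($t in $targets) {
    if (-not (Test-Path -LiteralPath $t.Path -PathType Container)) {
        throw "Folder not found: $($t.Path)"
    }
}

# -WhatIf on the script propagates to Stop-Service, Remove-Item and Start-Service.
Stop-Service -Name $ServiceName -Force -ErrorAction Stop
try {
    foreach ($t in $targets) {
        # Files only, top level only: the post deletes files, not folder trees.
        $files = @(Get-ChildItem -LiteralPath $t.Path -Filter $t.Filter -Force |
                   Where-Object { -not $_.PSIsContainer })
        $bytes = ($files | Measure-Object -Property Length -Sum).Sum
        Write-Output ('{0}: {1} files, {2:N1} MB' -f $t.Path, $files.Count, ($bytes / 1MB))
        $files | Remove-Item -Force -ErrorAction Continue
    }
}
finally {
    # Always bring protection back up, even if a delete step failed.
    Start-Service -Name $ServiceName
}
```

Running it with `-WhatIf` first lists the per-folder file counts and sizes without stopping the service or deleting anything.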


  • 11.  RE: DWH###.TMP files being quarantined as viruses

    Posted Jun 22, 2010 02:53 AM
    Grrrr, was fine before the 6a update


  • 12.  RE: DWH###.TMP files being quarantined as viruses

    Posted Jul 12, 2010 12:34 AM
    Yes, I had to manually instruct the affected users to go to C:\Documents and Settings\All Users\Symantec\Symantec Endpoint Protection\Quarantine and then manually delete the files.

    But of course it would be beneficial if anyone can shed some light on this matter of when this can be permanently solved.


  • 13.  RE: DWH###.TMP files being quarantined as viruses
    Best Answer

    Posted Sep 09, 2010 08:29 AM

    RU6 MP1 has been released and it has a fix for the DWH tmp files. If you are still facing this issue, you can upgrade to RU6 MP1. This can be downloaded from https://fileconnect.symantec.com using the serial number.

    If your network is not on version RU6 or RU6a, then you will have to first upgrade it to RU6 or RU6a and then to RU6 MP1; this is the process for upgrade. You cannot upgrade directly to RU6 MP1.