Endpoint Protection

  • 1.  Trojan

    Posted Apr 12, 2011 05:12 AM

    Hello,

    I have Symantec Endpoint 11.0 and I am working on Windows 7.

    I have a trojan problem that I cannot remove.

    Its location is in "AppData\Local\Temp".

    The name begins with DWH followed by 4 characters; below is an example:


    Trojan.Gen,DWH8EF0.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
    Trojan.Gen,DWH12C3.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
    Trojan.Gen,DWH3BCD.tmp.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
    Trojan.Gen,DWH2363.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
    Trojan.Gen,DWH152D.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
    Trojan.Gen,DWHCEA9.tmp.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
    Trojan.Gen,DWH3739.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
     

    There are thousands of these trojans, and I cannot remove them.

    Thank you for your help.

    Attachment(s): rapport_.txt (178 KB)


  • 2.  RE: Trojan

    Posted Apr 12, 2011 05:14 AM

    Here is my message in English:

    Hello,

    I have Symantec Endpoint 11.0 and am working on Windows 7.

    I have a trojan problem that I cannot remove.

    Its location is in "AppData\Local\Temp".

    The name begins with DWH followed by 4 characters; below is an example:


    Trojan.Gen,DWH8EF0.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
    Trojan.Gen,DWH12C3.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
    Trojan.Gen,DWH3BCD.tmp.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
    Trojan.Gen,DWH2363.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
     

    The number of trojans is in the thousands, and I cannot remove them.

    thank you for your help



  • 3.  RE: Trojan

    Broadcom Employee
    Posted Apr 12, 2011 06:48 AM

    Hi,

    This is a known issue with Symantec.

    Upgrade to the latest build, i.e. RU6 MP3.

    Follow the upgrade path: 11.0.5 or earlier --> 11.0.6 / 11.0.6a --> 11.0.6 MP3

    Check the following articles.

    http://www.symantec.com/business/support/index?page=content&id=TECH92399&actp=search&viewlocale=en_US&searchid=1302605085411

    http://www.symantec.com/connect/forums/dwhtmp



  • 4.  RE: Trojan

    Posted Apr 12, 2011 07:10 AM

    Problem

    1. DWH files are created and flagged as malicious by Auto-Protect.
    2. Items in quarantine double every time new definitions arrive.

    Error

    No specific "Errors" are logged, as these detections are valid and must be actioned normally.

    Cause


    When the virus definitions are updated in SEP, there is an option to "Rescan the Quarantine". This enables the SEP client to inspect the files stored in the local quarantine and verify if any of them can be repaired with the updated AV signatures. When the files were originally quarantined, they were compressed and encrypted to ensure that the stored version cannot continue to infect the local machine. Consequently, the SEP client must extract the original file(s) from this quarantine packaging before it can be re-scanned.

    During this file extraction process, a temporary file named DWH####.tmp is created in the working directory of the SEP client. This is typically within the "%App Data%\Symantec\" folder, but in certain older builds of SEP it may also use the Windows %TEMP% folders. Normally, this temporary file will not be scanned by the SEP Auto-Protect function because SEP is already handling the file, i.e. SEP knows that it owns the file. However, if a third-party process accesses that file while it is being created, the SEP Auto-Protect function will intercept this file access and will declare the file untrusted because another process, possibly malicious, has accessed the file.

    This will cause the file to be seen as a "new" and untrusted file. Accordingly, the file will be scanned. This results in an already quarantined and infected file getting re-scanned. It will therefore be treated as a suspect file and quarantined, resulting in a duplicate file being added to the local quarantine.

    Finally, as each definition set is received by the SEP client and the local quarantine is re-scanned, the process detailed above repeats and the contents of the local quarantine are doubled.

    Solution

    The issue of multiple DWH files being created and retained has been resolved in Symantec Endpoint Protection Release Update 6, Maintenance Patch 1 (RU6 MP1, 11.0.6100.645). Apply this patch over Symantec Endpoint Protection Release Update 6 (RU6, 11.0.6000.548) or Release Update 6a (11.0.6005.562).

    If unable to migrate at this time, here are workarounds that should resolve the issue. These are listed in order of preference.

    A) Single Systems:

    1. Disable rescanning of the local quarantine upon receipt of new virus definitions by editing the following policy components:
       Antivirus and Antispyware policy > Windows Settings > Quarantine > General; under "When New Virus Definitions Arrive" choose "Do nothing".
    2. Ensure no process or service (such as the Windows Indexing Service, for example) can access or monitor SAV/SEP files.
    3. Ensure that the %TEMP% folder is not open during the receipt of virus definitions and the scanning of the quarantine.
    4. Restart in Safe Mode, delete the *.DWH files in the temporary folder, and clean the quarantine folder.

    B) For a network with multiple affected systems

    1. Open Symantec Endpoint Protection Manager (SEPM)
    2. Select Policies
    3. Select Antivirus and Antispyware Policy
    4. Select Quarantine
    5. Click on the Cleanup tab
    6. Under Quarantined Files, check "Delete oldest files to limit folder size at (X) MB" (in place of X, enter the size normally selected for the Quarantine folder).

    The link: http://www.symantec.com/business/support/index?page=content&id=TECH102953&actp=search&viewlocale=en_US&searchid=1302606213121

    Regards.

    Cemile
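As an added triage example (not from this thread or from Symantec), the Python script below parses the risk-log export format quoted in post 1 and separates entries that match the DWH####.tmp quarantine-rescan artifact described in the Cause section above from detections that still need a real follow-up. The sample log text and the `invoice.exe` entry are constructed; the `\Temp\` / `\Symantec\` working-folder check is an assumption taken from the KB text.

```python
import re
from collections import Counter

# Constructed sample in the format of the SEP risk-log export quoted in post 1
# (risk, file, path, status, timestamp). Two lines lack the comma after the file
# name, as in the post; the "invoice.exe" line is a made-up non-DWH detection.
SAMPLE_LOG = r"""
Trojan.Gen,DWH8EF0.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
Trojan.Gen,DWH12C3.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
Trojan.Gen,DWH3BCD.tmp.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
Trojan.Gen,DWH2363.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
Trojan.Gen,DWHCEA9.tmp.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
Trojan.Gen,DWH3739.tmp,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
Trojan.Gen,invoice.exe,.....\AppData\Local\Temp\,Infectés,12/04/2011 10:14
Trojan.Gen,DWH91A2.tmp,.....\AppData\Local\Temp\,Infectés,13/04/2011 09:02
"""

LINE_RE = re.compile(
    r"^(?P<risk>[^,]+),"                 # detection name, e.g. Trojan.Gen
    r"(?P<file>[^,\\]+?\.[A-Za-z0-9]+)"  # file name, up to the comma or elided path
    r"(?=,|\.\.|\\)"
    r"(?P<path>.*),(?P<when>\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s*$"
)
# The temp file SEP extracts from quarantine for rescanning: DWH + 4 hex digits + .tmp
DWH_RE = re.compile(r"^DWH[0-9A-F]{4}\.tmp$", re.IGNORECASE)

def parse_line(line):
    """Return a dict for one export line, or None for blank/unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_rescan_artifact(entry):
    """TECH102953 pattern: a DWH####.tmp in a Temp or Symantec working folder,
    i.e. a quarantined file re-detected while being extracted for rescanning."""
    in_working_dir = "\\Temp\\" in entry["path"] or "\\Symantec\\" in entry["path"]
    return bool(DWH_RE.match(entry["file"])) and in_working_dir

def triage(log_text):
    """Split the export into rescan artifacts and detections needing follow-up,
    counting artifacts per timestamp: a burst within one minute is the quarantine
    being rescanned after a definition update, not a new infection."""
    artifacts, real, bursts = [], [], Counter()
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if is_rescan_artifact(entry):
            artifacts.append(entry)
            bursts[entry["when"]] += 1
        else:
            real.append(entry)
    return {"artifacts": artifacts, "real": real, "bursts": bursts}
```

Run `triage(open("rapport.txt", encoding="utf-8").read())` on a real export; entries in `real` are the ones worth the Security Response submission route described later in the thread.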



  • 5.  RE: Trojan

    Posted Apr 12, 2011 07:15 AM

    Optionally, if you feel that this is nonetheless a real viral threat, please apply the following procedure to counter it on your network:

    1) Send the suspect file to Security Response (https://submit.symantec.com/websubmit/basic.cgi).

    2) Use the Symantec Recovery Tool to eliminate the threats present on the machine suspected of being the source of the infections (ideally, isolate the machine from the network for the duration of the cleanup and the installation of SEP):

    - Go to https://fileconnect.symantec.com

    - Use the serial number shown on your contract and download the Symantec Endpoint Recovery Tool. If you have trouble finding your serial number, please contact Customer Care (http://www.symantec.com/business/support/assistance_care.jsp)

    - Don't forget to download the latest RapidRelease in *.JDB format, which will let SERT use the very latest virus definitions (http://www.symantec.com/business/support/index?page=content&id=TECH102607&locale=en_US). The site with the JDB file to download is here: http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    - Apply the following procedure to clean the machine with the Symantec Endpoint Recovery Tool: http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US




  • 6.  RE: Trojan
    Best Answer

    Trusted Advisor
    Posted Apr 12, 2011 02:17 PM

     

    Hello,

    Here is the solution for the same.

    If such detections continue after deleting old .tmp files and updating to SEP 11 RU6a, see the following:

    Stop the Symantec Endpoint Protection service

      • Click Start, then Run
      • Type: smc -stop
      • Click OK

    Deleting the files

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large number of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

     

    Open the Command Prompt

      • Click Start, then Run
      • Type: cmd
      • Click OK

    Deleting files from the User Temp folder

      1. Type the following command in the Command Prompt. (The path will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the Windows user whose temp folder you wish to empty:
          • Windows 2000/XP/2003
            DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
          • Windows Vista/7/2008
            DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"
      2. Deleting the contents of the temp folder at the root of C:\
          • Type the following command in the Command Prompt:
            DEL /F /Q C:\temp
      3. Deleting the contents of the Windows Temp folder
          • Type the following command in the Command Prompt:
            DEL /F /Q C:\WINDOWS\Temp
      4. Deleting the contents of the xfer and/or xfer_tmp directories
          • Type the following commands in the Command Prompt:
            • Windows 2000/XP/2003
              DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
              DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
            • Windows Vista/7/2008
              DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
              DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

     

    The Quarantine Folder

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer hangs due to the large number of files that can reside there.

    Delete the Quarantine Folder

      Type the following commands in the Command Prompt:

        • Windows 2000/XP/2003
          DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
          RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
        • Windows Vista/7/2008
          DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
          RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

    Recreate the Quarantine Folder

      Type the following command in the Command Prompt:

        • Windows 2000/XP/2003
          MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
        • Windows Vista/7/2008
          MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

    Start the Symantec service

      • Click Start, then Run
      • Type: smc -start
      • Click OK

    If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder, please follow these steps from the SEP Manager:

      - Edit the Antivirus and Antispyware policy of the affected clients.
      - In the policy editor, click "Quarantine" in the left-hand menu.
      - On the General tab, click "Do nothing" under the heading "When New Virus Definitions Arrive".


  • 7.  RE: Trojan

    Posted Apr 15, 2011 05:33 AM

    Hello

    and thanks a lot for responding

    best regards!