Endpoint Protection


Why is it so difficult to get rid of/work with .qsp files?


  • 1.  Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 02:41 PM

    When a machine is infected, the qsp files grow quickly and multiply, and it is nearly impossible to get rid of them; when I did get rid of them, I had to totally remove SEP and reinstall it. This time they go nowhere. 1. How can I easily get rid of them? 2. How can I prevent them from being generated at all? This is the absolute WORST thing about SEP; SAV NEVER had this problem. The attachment shows a handful, but they can EASILY go into the thousands in less than 2 minutes. Please help me with this, I really am getting very annoyed with this issue.

    Thank you



  • 2.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 02:42 PM

    43,000 at last check... :-(



  • 3.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 02:57 PM

    What SEP version are you on?



  • 4.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 03:02 PM

    MP1 or so I think?

     

    It has happened on every version, I hate it so much!!!



  • 5.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 03:10 PM

    This thread may explain it some, particularly the post by Ryan_Dasso on the last page:

    https://www-secure.symantec.com/connect/forums/generic-trojan-dwhtmp-temp-folder

    From the desk of someone on the inside...

    This is an interesting issue because it's so easily misunderstood. There are a lot of things that have caused the DWH*.TMP issue. I'm really surprised none of them have been outlined in this thread, yet. There's a post by ScubaSteve early on that gives a good explanation... perhaps the implications aren't fully realized.

    The first thing to understand about this issue is: It's not one, single issue. There have been many different reasons for the DWH files showing up in various locations. Ultimately, the basic reason is the same, but numerous root causes have been found over the years.

    The second thing to understand about this issue is: It doesn't continue to occur because SEP developers and support engineers don't care about this issue or just can't figure it out. The truth is, it continues to occur because, as noted in misunderstanding #1, there are a lot of things that cause the issue. To date, we have fixed various root causes for the issue. We fully understand the issue and work hard to implement solutions that don't break other things at the same time. We're sorry you have this issue and, if you look, you'll find we have solutions in place.

    The third thing to understand about this issue is: It's not always Symantec software's fault. This requires a little more explanation of what happens behind the scenes. When SEP gets new defs, it checks the files in Quarantine to see if there are any new remediation steps, false positives, etc. Files in Quarantine cannot simply be scanned while they're quarantined. They must be extracted from Quarantine first. The expected behavior is this: SEP extracts the files, scans them, moves them back to Quarantine. There have been cases (mostly earlier builds) where a bug in SEP would cause the DWH files to be mishandled. SEP abandons the process because it can no longer trust the files and, as it does with all files that are written to the disk, scans the file with Auto-Protect. Auto-Protect finds the virus code in the DWH file and acts on it (quarantining). There have been other cases, however, where other software (3rd party scanners or indexing services, for example) try to get in the way and cause the DWH files to be mishandled. This is something Symantec simply cannot always avoid. We're very sorry about it and wish it didn't have to be this way, but that's just the way it is. The proper response is to fix the offending 3rd party software.

    Finally, I want to address one absurd point of advice about re-installing SEP to fix the issue. In most cases, this simply isn't required... and furthermore, no real Symantec tech is going to recommend this as a first solution. The first thing to do is look for 3rd party software that may be causing SEP to stop trusting DWH files. Set up exclusions for SEP's working directories. If that doesn't do it, purge Quarantine and SEP's working directory. If you want to be more surgical, only delete DWH.tmp files in the working directories (still need to clear Quarantine). If you simply can't stand to have another DWH detection, disable the scans when new defs arrive (not Best Practice). If you want to go even further, adjust your detection settings to not use Quarantine (also, not Best Practice). Finally, if all this fails and you still get DWH detections, re-install the SEP client. But realize you're re-installing because there's something else very wrong with the software at this point... policy corruption, permission issues, etc. At this point, you should probably be contacting Support to work on a full investigation.



  • 6.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 03:14 PM

    What is the file it is quarantining?



  • 7.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 07:35 PM

    It seems as if it catches whatever the threat is, but it generates thousands of .qsp files. It's really driving me crazy, almost to the point of submitting a request to look into getting a different AV. The ONLY way I can remove all of this is to totally uninstall SEP and reinstall it.



  • 8.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 07:36 PM

    53 GB, this is totally wrong. I am very disappointed with SEP because of this. This has been an ongoing issue since I introduced SEP to my enterprise.



  • 9.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 08:11 PM

    C:\ProgramData\Symantec\SRTSP

     

    But it is locked down. I want it NOT to be, why is it?



  • 10.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 08:20 PM

    Don't know how, but I finally got in. It held 20 GB of TMP files...Why? What is the point of this? 70 GB of files combined? This is not right at all

    C:\ProgramData\Symantec\SRTSP

    and

    C:\windows\temp




  • 11.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 08:38 PM

    I am TOTALLY confused by this

     

    Set up exclusions for SEP's working directories. If that doesn't do it, purge Quarantine and SEP's working directory.

    What exclusions need to be set? I have a lot that are exempt already that were carried over from SAV, which NEVER had this issue.

    If that doesn't do it, purge Quarantine and SEP's working directory. (HOW?) I cannot figure this part out.

     

    This article made me feel like a bonehead and I still do not know how to correct this issue :-(

    Also, as being the ONLY thing that has worked for me so far, reinstalling is NOT absurd at all.

    Reinstalling may not be the best way, but it IS the FASTEST way and the one with the least overhead.



  • 12.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 02, 2011 08:52 PM

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5935

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    3/2/2011 5:50:15 PM
    mbam-log-2011-03-02 (17-50-15).txt

    Scan type: Full scan (C:\|)
    Objects scanned: 371726
    Time elapsed: 50 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 8
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\IEHlprObj.IEHlprObj (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{CE7C3CF0-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE7C3CF0-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\SYSTEM32\IEHELPER.DLL (Trojan.FakeAlert) -> Value: IEHELPER.DLL -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Windows\System32\IEHelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\Windows\SysWOW64\IEHelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.



  • 13.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Posted Mar 03, 2011 08:22 AM

    It's locked down because you don't have permissions on the file. You need to log in as admin and assign privileges for you specifically. Only the SYSTEM account has privileges to this folder, as that's the context SEP will run under.



  • 14.  RE: Why is it so difficult to get rid of/work with .qsp files?

    Trusted Advisor
    Posted Mar 03, 2011 08:41 AM

    Hello,

    Please Work on the Following Steps.

    Stop the Symantec service

    • Symantec Endpoint Protection

      • Click Start, then Run
      • Type: smc -stop
      • Click OK

    Deleting the files

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large number of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.

     

    Open the Command Prompt

    • Click Start, then Run
    • Type: cmd
    • Click OK

    1. Deleting files from User Temp folder

    • Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:
        • Windows 2000/XP/2003
          DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"

        • Windows Vista/7/2008
          DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"

    2. Deleting the contents of the temp folder at the root of C:\

    • Type the following command in Command Prompt:

      DEL /F /Q C:\temp

    3. Deleting the contents of the Windows Temp folder

    • Type the following command in Command Prompt:

      DEL /F /Q C:\WINDOWS\Temp

    4. Deleting the contents of the xfer and/or xfer_temp directories

    • Type the following command in Command Prompt:
        • Windows 2000/XP/2003
          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"

          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

        • Windows Vista/7/2008
          DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"

          DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"


    The Quarantine Folder

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large number of files that can reside there.

    Delete the Quarantine Folder

    • Type the following commands in the Command Prompt:
        • Windows 2000/XP/2003
          DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

          RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

        • Windows Vista/7/2008
          DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

          RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

    Recreate the Quarantine Folder

    • Type the following command in Command Prompt:
        • Windows 2000/XP/2003
          MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
        • Windows Vista/7/2008
          MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

    Start the Symantec service

    • Click Start, then Run
    • Type: smc -start
    • Click OK
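    The cleanup procedure from the post above wrapped in one batch file, as an added example that is not from the thread or from Symantec. It assumes the Windows Vista/7/2008 paths given above, an elevated Command Prompt, that smc.exe resolves on PATH, and it takes the target username as its only argument.

```batch
@echo off
REM Added example, not from the thread or from Symantec: the cleanup steps above
REM wrapped in one script for Windows Vista/7/2008 paths.
REM Usage: sepclean.cmd <NAMEOFUSER>   (assumes an elevated Command Prompt)
setlocal
if "%~1"=="" (echo Usage: %~nx0 ^<NAMEOFUSER^>& exit /b 1)
set "USERTEMP=C:\Users\%~1\AppData\Local\Temp"
set "SEPDATA=C:\ProgramData\Symantec\Symantec Endpoint Protection"
set "QUAR=%SEPDATA%\Quarantine"

REM The folders are owned by SYSTEM, so refuse to run without admin rights.
net session >nul 2>&1 || (echo Run this from an elevated Command Prompt.& exit /b 1)
if not exist "%USERTEMP%" (echo No such user temp folder: %USERTEMP%& exit /b 1)

REM Record how many quarantine files exist so the run is auditable.
call :count "%QUAR%" BEFORE
echo Quarantine files before: %BEFORE%

REM 1. Stop the SEP client (smc -stop prompts for the password if one is set).
REM    Assumes smc.exe is on PATH; otherwise use its full path from the SEP folder.
smc -stop
timeout /t 10 /nobreak >nul

REM 2. Empty the temp and xfer folders (contents only; the folders stay).
for %%d in ("%USERTEMP%" "C:\temp" "%SystemRoot%\Temp" "%SEPDATA%\xfer_tmp" "%SEPDATA%\xfer") do (
    if exist "%%~d" del /f /q "%%~d\*" >nul 2>&1
)

REM 3. Remove the Quarantine folder entirely and recreate it empty.
if exist "%QUAR%" (
    del /f /s /q "%QUAR%\*" >nul 2>&1
    rd /s /q "%QUAR%"
)
md "%QUAR%"

REM 4. Restart the SEP client and report what is left.
smc -start
call :count "%QUAR%" AFTER
echo Quarantine files after: %AFTER%
endlocal
exit /b 0

REM Count regular files in the folder %1 and store the number in the variable named %2.
:count
set "%~2=0"
for /f %%n in ('dir /b /a-d "%~1" 2^>nul ^| find /c /v ""') do set "%~2=%%n"
exit /b 0
```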

         



    • 15.  RE: Why is it so difficult to get rid of/work with .qsp files?

      Posted Mar 03, 2011 09:48 AM

      I will try to use this method, but as I have mentioned before, this was never an issue with SAV, I do not understand why this occurs with SEP. Is there any way to prevent the QSP files from being generated at all?



    • 16.  RE: Why is it so difficult to get rid of/work with .qsp files?

      Posted Mar 03, 2011 09:49 AM

      ...how do I get SEP to STOP generating .QSP files? or have them get automatically erased?

      Thanks



    • 17.  RE: Why is it so difficult to get rid of/work with .qsp files?

      Posted Mar 03, 2011 10:15 AM

      of the method above.

      https://www-secure.symantec.com/connect/downloads/squash-symtmps-mikes-tool-set

      We have the same situation as you...very frustrating at times.

      -Mike



    • 18.  RE: Why is it so difficult to get rid of/work with .qsp files?
      Best Answer

      Trusted Advisor
      Posted Mar 03, 2011 12:22 PM

      Hello,

      If you have frequent recurrences of this issue and would like to disable re-scanning of the quarantine folder, please follow these steps to disable re-scanning of quarantine files.

      From the SEP-Manager:
      - Edit the Antivirus and Antispyware policy of affected clients.
      - In the policy editor click "Quarantine" on the left-hand menu.
      - On the General tab click "Do nothing" under the heading "When new Virus Definitions Arrive"



    • 19.  RE: Why is it so difficult to get rid of/work with .qsp files?

      Posted Mar 04, 2011 07:40 AM

      ...Listed and make a batch file to kill all the QSP files automatically. Hope it works.