Misc stuff

Large numbers of .tmp files are being created in the xfer_tmp or 7.5/xfer folder and are being detected as threats.

Question/Issue:
After Symantec Endpoint Protection detects an infection, the xfer_tmp folder generates a large number of temporary (.tmp) files. How can I get this to stop?

After Symantec AntiVirus detects an infection, the 7.5\xfer and/or 7.5\xfer_temp folders starts generating numerous temporary (.tmp) files. How can I get this to stop?

After a migration from Symantec AntiVirus to Symantec Endpoint Protection the xfer_tmp folder starts generating a large number of .tmp files. How can I get this to stop?

Symptoms:
Large numbers of temporary (.tmp) files are generated in any of the following locations:

Symantec Endpoint Protection

•  
  •  
    • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp
    • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer
  •  
    • C:\Program Data\Symantec\Symantec Endpoint Protection\xfer_tmp

Windows 2000/XP/2003
Windows Vista/7/2008

Symantec AntiVirus

NOTE: The following file locations may still be relevant in a migration scenario from Symantec AntiVirus to Symantec Endpoint Protection

•  
  •  
    • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer
    • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp
  •  
    • C:\Program Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer
    • C:\Program Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp

  
  

Windows 2000/XP/2003
Windows Vista/7/2008

Solution:

To take advantage of code improvements which make such detections much less likely, please ensure that the latest release of SEP 11 or SAV is installed on the client .
If such detections continue after deleting old .tmp files and updating to SAV_CE 10.1 MR9 or SEP 11 RU6a, see the following:

Stop the Symantec service

•  
  • Click Start, then Run
  • Type: smc -stop
  • Click OK
  • Click Start, then Run
  • Type: services.msc
  • Click OK
  • Right-click and Stop the Symantec AntiVirus or Symantec Endpoint Protection service

Symantec Endpoint Protection
Symantec AntiVirus

Deleting the files

NOTE: The following instructions are to be done from the Command Prompt as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large amount of files that can reside in these locations. Please note that these instructions will delete the files in the targeted directories, not the directories themselves. Do not remove the directories themselves, only the contents of those directories.Open the Command Prompt

•  
  1. Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace “<NAMEOFUSER>” with the username of the desired Windows user you wish to empty the temp folder for:
     •  
       • Windows 2000/XP/2003
         DEL /F /Q “C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp”
       • Windows Vista/7/2008
         DEL /F /Q “C:\Users\<NAMEOFUSER>\AppData\Local\Temp”
  2. Deleting the contents of the temp folder at the root of C:\
     
     •  
       • Type the following command in Command Prompt:DEL /F /Q C:\temp
  3. Deleting the contents of the Windows Temp folder
     
     •  
       • Type the following command in Command Prompt:DEL /F /Q C:\WINDOWS\Temp
  4. Deleting the contents of the xfer and/or xfer_temp directories
     •  
       • Type the following command in Command Prompt:
         •  
           • Windows 2000/XP/2003
             DEL /F /Q “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\”DEL /F /Q “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\” 

           • Windows Vista/7/2008
             DEL /F /Q “C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\”DEL /F /Q “C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\” 

       • Type the following commands in command prompt:
         •  
           • Windows 2000/XP/2003
             DEL /F /Q “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer”DEL /F /Q “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp”DEL /F /Q “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp”
             DEL /F /Q “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer”
              

              

           • Windows Vista/7/2008
             DEL /F /Q “C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer”DEL /F /Q “C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp”DEL /F /Q “C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp”

             DEL /F /Q “C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer”
             

     Symantec Endpoint Protection
     Symantec AntiVirus

     NOTE: For migrations from Symantec AntiVirus to Symantec Endpoint Protection, be sure that the below locations do not also exist

  • Click Start, then Run
  • Type: cmd
  • Click OK

Deleting files from User Temp folder

The Quarantine Folder

•  
  •  
    •  
      • Type the following commands in the Command Prompt:
        •  
          • Windows 2000/XP/2003
            DEL /F /S /Q “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine”RD /S /Q “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine” 

          • Windows Vista/7/2008
            DEL /F /S /Q “C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine”RD /S /Q “C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine” 

    •  
      • Type the following commands in Command Prompt:
        •  
          • Windows 2000/XP/2003
            DEL /F /S /Q “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine”RD /S /Q “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine” 

          • Windows Vista/7/2008
            EL /F /S /Q “C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine”RD /S /Q “C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine” 

  Symantec Endpoint Protection
  Symantec AntiVirus

  NOTE: For migrations from Symantec AntiVirus to Symantec Endpoint Protection, be sure that the below location does not also exist

  •  
    •  
      • Type the following command in Command Prompt:
        •  
          • Windows 2000/XP/2003
            MD “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine”
          • Windows Vista/7/2008
            MD “C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine”
    •  
      • Type the following command in Command Prompt:
        •  
          • Windows 2000/XP/2003
            MD “C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine”  

          • Windows Vista/7/2008
            MD “C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine”
            

  Symantec Endpoint Protection
  Symantec AntiVirus

NOTE: The following instructions are to be done from the Command Prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.

Delete the Quarantine Folder
Recreate the Quarantine Folder

Start the Symantec service

•  
  • Click Start, then Run
  • Type: smc -start
  • Click OK
  • Click Start, then Run
  • Type: services.msc
  • Click OK
  • Right-click and Start the Symantec AntiVirus or Symantec Endpoint Protection service

Question/Issue:
Why is this error produced after uninstalling Symantec Antivirus/Endpoint? “Unable to start RRAS (Event IDs: 7023, 20070, 20151, 20063)”

Symptoms:
First Error:
Source: RemoteAccess
Event ID: 20070
Error: Point to Point Protocol engine was unable to load the C:\Program Files\Symantec\Symantec Endpoint Protection\SymRasMan.dll module. The specified module could not be found.

Second Error:
Source: RemoteAccess
Event ID: 20151
Error: The Control Protocol EAP in the Point to Point Protocol module C:\WINDOWS\System32\rasppp.dll returned an error while initializing. The specified module could not be found.

Third Error:
Source: Rasman
Event ID: 20063
Error: Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified module could not be found.

Fourth Error:
Source: Service Control Manager
Event ID: 7023
Error: The Remote Access Connection Manager service terminated with the following error: The specified module could not be found.

Fifth Error:
If tried to restart the service from RRAS mmc, it gives the following Error: “Routing and Remote Access cannot be started because of the following error.” Please see event log for more information: The service has returned a service-specific error code. (8007042a)

Cause:
The default location of the file SymRasMan.dll is %SystemRoot%\System32\rastls.dll. On installing Symantec Antivirus or Symantec Endpoint Protection the default location is then changed and edited in the registry to C:\Program Files\SAV\SymRasMan.dll. After uninstallation this location is not reversed for Windows Server 2003 SP2 because it does create a backup of the key during the change/installation unlike Windows Small Business Server 2003

Solution:
To resolve this issue follow the steps below:

1. Click Start
2. Click Run
3. Type regedit
4. Navigate to:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13

5. Select the folder 13
6. Change the value for keys: “ConfigUiPath”, “IdentityPath”, “InteractiveUIPath” and “Path” to:
   %SystemRoot%\System32\rastls.dll

7. Navigate to:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25
8. Select the folder 25
9. Change the value for keys: “ConfigUiPath”, “IdentityPath”, “InteractiveUIPath” and “Path” to:
   %SystemRoot%\System32\rastls.dll
10. Re-start the computer (recommended not required)
11. Start the RRAS service

Question/Issue:
Symantec Endpoint Protection Clients are installed as managed by a Symantec Endpoint Protection Manager. You need to change the clients to be unmanaged, but do not want to uninstall and reinstall the client.

Solution:
To convert the Symantec Endpoint Protection clients to unmanaged after they have been installed as managed

1. Locate the Sylink.xml file that is located on CD 1 in the SEP folder.
2. Copy the Sylink.xml file to a location that is accessible to clients on the network.
3. On the client, navigate to CD2\TOOLS\NOSUPPORT\SYLINKDROP.
   Note: CD2 may also be labeled CD3
4. Run SylinkDrop.exe on each Symantec Endpoint Protection client that needs to be converted to an unmanaged client.

Note
If the communication mode was not set for Client Control in the Symantec Endpoint Protection Manager policies during initial installation, you will not be able to change the local client policies after placing the new Sylink.xml file on the client.

This procedure changes the managed client to an unmanaged client, but will not change the policies that exist on the client. Ensure that you have the ability to change settings and run LiveUpdate on the client before changing the client to unmanaged. If you change the client to unmanaged without ensuring that you can change settings on the client , you may need to uninstall and then reinstall the client if you need to change settings in the future.

Question/Issue:

When you start Microsoft® Outlook®, you see the following message: “The add-in ‘C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpmsece.dll’ could not be installed or loaded. This problem may be resolved by using Detect and Repair on the Help menu. Unable to load “C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vpmsece.dll”. You may be out of memory, out of system resources, or missing a .dll file.” When Symantec AntiVirus 10.x is installed, the error message may reference the file vpmsece2.dll or vpmsece3.dll. Use of the Detect and Repair option, as suggested in the error message, does not solve the problem.

Solution:

To fix the problem, find and delete all copies of the Extend.dat file on the computer. A copy of this file exists for each local user account. Then, restart the computer.

To find and delete copies of Extend.dat from a command prompt

1. Exit Outlook if the program is open.
2. On the Windows taskbar, click Start > Run.
3. In the Open box, type cmd and then click OK.
4. At the command prompt type the following command and then press Enter:

   cd “C:\Documents and Settings\<local_user>\Local Settings\Application Data”

   where <local_user> is the name of the current local user.

5. Type cd microsoft\outlook and then press Enter.

6. Type del extend.dat and then press Enter.
7. Delete the Extend.dat file for every user local account on the computer.

How to use HyperTerminal in resetting the Symantec Firewall VPN appliance through null modem cable

Question/Issue:
HyperTerminal is an easy-to-use terminal emulation program that has shipped with every version of Windows since Windows 95. HyperTerminal lets you define connections to other computers through your modem or a direct cable connection.

Solution:

1. On the back of the Symantec Firewall VPN appliance, flip DIP switch #3 to down.
2. Connect the null modem cable to the serial port on the back of the appliance and to the serial port on the back of the computer.
3. Turn on the appliance.
4. Click Start and then Programs. Click Accessories and go to Communications and then select HyperTerminal.
5. Create a new HyperTerminal connection with the following parameters:
   Connect using Direct to Com1 (or Com2), click Configure, and then select the following Port Settings:
   Bits per second 9600, Data bits 8, Parity None, Stop bits 1, Flow control None.
6. Click OK. Click OK again and then click CONNECT.

On Windows 2000 you may need to give the connection a Name first or double-click the icon to launch HyperTerminal. Also, click Yes to enable if you are prompted.

To reset the Symantec Fire VPN appliance:

1. When connected, the following setup screen appears:

   HyperTerminal 1.0 -- HyperTerminal data file
   Please do not attempt to modify this file directly.
   Setup for Symantec Firewall/VPN 200 ver. 01.4I
   =========================================
   1. Local IP Address: 192.168.0.1
   2. Local Network Mask: 255.255.255.0
   3. DHCP Server (1:Enable, 2:Disable): Enable
   4. Start IP Address: 192.168.0.0
   5. Finish IP Address: 192.168.0.254
   6. Restore to Defaults
   7. Save
   Select

   ---

   Note: If the menu fails to appear, reset the appliance while connected to it.
   

   ---

2. Select #6. The following screen appears:

   Setup for Symantec Firewall/VPN 200 ver. 01.4I
   =========================================
   == Cancel, please press 'Q' or 'q' ==
   Restore OK, but have not SAVED7
   Setup for Symantec Firewall/VPN 200 ver. 01.4I
   =========================================
   1. Local IP Address: 192.168.0.1
   2. Local Network Mask: 255.255.255.0
   3. DHCP Server (1:Enable, 2:Disable): Enable
   4. Start IP Address: 192.168.0.2
   5. Finish IP Address: 192.168.0.254
   6. Restore to Defaults
   7. Save
   Select

3. Select #7. The following screen appears:

   Setup for Symantec Firewall/VPN 200 ver. 01.4I
   =========================================
   == Cancel, please press 'Q' or 'q' ==
   Waiting...

   Setup for Symantec Firewall/VPN 200 ver. 01.4I
   =========================================
   1. Local IP Address: 192.168.0.1
   2. Local Network Mask: 255.255.255.0
   3. DHCP Server (1:Enable, 2:Disable): Enable
   4. Start IP Address: 192.168.0.2
   5. Finish IP Address: 192.168.0.254
   6. Restore to Defaults
   7. Save
   Select

4. Your Symantec Firewall/VPN appliance is now reset to original state.
5. Flip DIP switch #3 back to the up position.
6. Disconnect the null modem cable.

http://www.symantec.com/avcenter/download/pages/US-SAVCE.html

grcdrop.zip

Exchange 2003

• Exchange databases (default location: Exchsrvr\Mdbdata)
• Exchange MTA files (default location: Exchsrvr\Mtadata)
• Exchange temporary files: Tmp.edb
• Additional log files (default location: Exchsrvr\server_name .log)
• Virtual server folder (default location: Exchsrvr\Mailroot)
• Site Replication Service (SRS) files (default location: Exchsrvr\Srsdata)
• Internet Information Service (IIS) system files (<drive>:\Winnt\System32\Inetsrv or <drive>:\Windows\System32\Inetsrv)
• Working folder for message conversion .tmp files. (default location: Exchsrvr\Mdbdata)
  The location of this folder is configurable. For additional information, read the Microsoft Knowledge Base article 822936 – Message Flow to the Local Delivery Queue Is Very Slow.
• The temporary folder that is used in conjunction with offline maintenance utilities such as Eeseutil.exe.
  By default, this folder is the location from which you run the executable, but you can configure where you run the file from when you run the utility.
• The folder that contains the checkpoint (.chk) file.
  For information on the location of this file, read the Microsoft Knowledge Base article Overview of Exchange Server 2003 and Antivirus Software.
• Site Server Gatherer temporary directory (<drive>:\Windows\Temp\Gthrsvc), if it exists.
• All of the appropriate folders listed in the next section, “When the following Symantec products are installed, exclude the following folders”