Posts Tagged ‘Symantec’

Large numbers of .tmp files are being created in the xfer_tmp or 7.5/xfer folder

Tuesday, August 3rd, 2010

Large numbers of .tmp files are being created in the xfer_tmp or 7.5/xfer folder and are being detected as threats.

Question/Issue:
After Symantec Endpoint Protection detects an infection, the xfer_tmp folder generates a large number of temporary (.tmp) files. How can I get this to stop?

After Symantec AntiVirus detects an infection, the 7.5\xfer and/or 7.5\xfer_tmp folders start generating numerous temporary (.tmp) files. How can I get this to stop?

After a migration from Symantec AntiVirus to Symantec Endpoint Protection the xfer_tmp folder starts generating a large number of .tmp files. How can I get this to stop?

Symptoms:
Large numbers of temporary (.tmp) files are generated in any of the following locations:

Symantec Endpoint Protection

  • Windows 2000/XP/2003
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer
  • Windows Vista/7/2008
    C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp

Symantec AntiVirus

    NOTE: The following file locations may still be relevant in a migration scenario from Symantec AntiVirus to Symantec Endpoint Protection.

  • Windows 2000/XP/2003
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp
  • Windows Vista/7/2008
    C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer
    C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp

Solution:


To take advantage of code improvements which make such detections much less likely, please ensure that the latest release of SEP 11 or SAV is installed on the client.
If such detections continue after deleting the old .tmp files and updating to SAV_CE 10.1 MR9 or SEP 11 RU6a, follow the steps below.

Stop the Symantec service

Symantec Endpoint Protection

  • Click Start, then Run
  • Type: smc -stop
  • Click OK

Symantec AntiVirus

  • Click Start, then Run
  • Type: services.msc
  • Click OK
  • Right-click and Stop the Symantec AntiVirus or Symantec Endpoint Protection service

Deleting the files

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large number of files that can reside in these locations. These instructions delete the files in the targeted directories, not the directories themselves. Do not remove the directories, only their contents.

Open the Command Prompt

  • Click Start, then Run
  • Type: cmd
  • Click OK

Deleting files from the User Temp folder

  1. Type the following command in the Command Prompt. (The path will vary depending on the user name.) Replace <NAMEOFUSER> with the username of the Windows user whose temp folder you wish to empty:
     • Windows 2000/XP/2003
       DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
     • Windows Vista/7/2008
       DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"
  2. Deleting the contents of the temp folder at the root of C:\
     • Type the following command in the Command Prompt:
       DEL /F /Q C:\temp
  3. Deleting the contents of the Windows Temp folder
     • Type the following command in the Command Prompt:
       DEL /F /Q C:\WINDOWS\Temp
  4. Deleting the contents of the xfer and/or xfer_tmp directories

     Symantec Endpoint Protection
     • Type the following commands in the Command Prompt:
       Windows 2000/XP/2003
         DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
         DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
       Windows Vista/7/2008
         DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
         DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

     Symantec AntiVirus
     NOTE: For migrations from Symantec AntiVirus to Symantec Endpoint Protection, be sure that the Symantec Endpoint Protection locations below do not also exist.
     • Type the following commands in the Command Prompt:
       Windows 2000/XP/2003
         DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer"
         DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp"
         DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp"
         DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer"
       Windows Vista/7/2008
         DEL /F /Q "C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer"
         DEL /F /Q "C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp"
         DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp"
         DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer"

The Quarantine Folder

    NOTE: The following instructions are to be done from the Command Prompt, as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large number of files that can reside there.

Delete the Quarantine Folder

  Symantec Endpoint Protection
  • Type the following commands in the Command Prompt:
    Windows 2000/XP/2003
      DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
      RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
    Windows Vista/7/2008
      DEL /F /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"
      RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

  Symantec AntiVirus
  NOTE: For migrations from Symantec AntiVirus to Symantec Endpoint Protection, be sure that the Symantec Endpoint Protection Quarantine location above does not also exist.
  • Type the following commands in the Command Prompt:
    Windows 2000/XP/2003
      DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"
      RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"
    Windows Vista/7/2008
      DEL /F /S /Q "C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"
      RD /S /Q "C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"

Recreate the Quarantine Folder

  Symantec Endpoint Protection
  • Type the following command in the Command Prompt:
    Windows 2000/XP/2003
      MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
    Windows Vista/7/2008
      MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine"

  Symantec AntiVirus
  • Type the following command in the Command Prompt:
    Windows 2000/XP/2003
      MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"
    Windows Vista/7/2008
      MD "C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"

Start the Symantec service

Symantec Endpoint Protection

  • Click Start, then Run
  • Type: smc -start
  • Click OK

Symantec AntiVirus

  • Click Start, then Run
  • Type: services.msc
  • Click OK
  • Right-click and Start the Symantec AntiVirus or Symantec Endpoint Protection service
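The cleanup above, collapsed into one script as an added example (not from the original post): it empties the xfer and xfer_tmp folders of both products, deleting files only and leaving the directories in place as the note requires, and counts the .tmp files first so you can see how far the symptom has progressed. It assumes PowerShell 2.0 or later and that the client has already been stopped with smc -stop or services.msc.

```powershell
# Added example, not part of the original post. Empties the xfer / xfer_tmp
# folders listed under Symptoms without removing the folders themselves.
# Run with -DryRun to only report counts.
param([switch]$DryRun)

# CommonApplicationData resolves to "C:\Documents and Settings\All Users\
# Application Data" on 2000/XP/2003 and to "C:\ProgramData" on Vista/7/2008,
# so one list covers both layouts the post gives separately.
$common  = [Environment]::GetFolderPath('CommonApplicationData')
$folders = @(
    "$common\Symantec\Symantec Endpoint Protection\xfer_tmp",
    "$common\Symantec\Symantec Endpoint Protection\xfer",
    "$common\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp",
    "$common\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer"
)

foreach ($dir in $folders) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        Write-Host "absent : $dir"
        continue
    }
    # Enumerate files only; PSIsContainer keeps this working on PowerShell 2.0
    # (the -File switch of Get-ChildItem needs 3.0). Counting before deleting
    # records the extent of the symptom.
    $files = @(Get-ChildItem -LiteralPath $dir -Force |
               Where-Object { -not $_.PSIsContainer })
    $tmp = @($files | Where-Object { $_.Extension -eq '.tmp' }).Count
    Write-Host ("{0} files ({1} .tmp) in {2}" -f $files.Count, $tmp, $dir)
    if ($DryRun) { continue }

    # Delete file by file instead of through Explorer, which hangs on large
    # counts; -Force covers read-only and hidden attributes. The directory
    # object itself is never touched.
    $files | Remove-Item -Force -ErrorAction SilentlyContinue
    $left = @(Get-ChildItem -LiteralPath $dir -Force |
              Where-Object { -not $_.PSIsContainer }).Count
    if ($left -gt 0) {
        Write-Host "  $left file(s) still present (in use? stop the service and rerun)"
    }
}
```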


Unable to start Routing and Remote Access Server (RRAS) (Event IDs: 7023, 20070, 20151, 20063) after uninstalling Symantec Antivirus/Symantec Endpoint Protection

Saturday, April 17th, 2010

Question/Issue:
Why is this error produced after uninstalling Symantec Antivirus/Endpoint? “Unable to start RRAS (Event IDs: 7023, 20070, 20151, 20063)”

Symptoms:
First Error:
Source: RemoteAccess
Event ID: 20070
Error: Point to Point Protocol engine was unable to load the C:\Program Files\Symantec\Symantec Endpoint Protection\SymRasMan.dll module. The specified module could not be found.

Second Error:
Source: RemoteAccess
Event ID: 20151
Error: The Control Protocol EAP in the Point to Point Protocol module C:\WINDOWS\System32\rasppp.dll returned an error while initializing. The specified module could not be found.

Third Error:
Source: Rasman
Event ID: 20063
Error: Remote Access Connection Manager failed to start because the Point to Point Protocol failed to initialize. The specified module could not be found.

Fourth Error:
Source: Service Control Manager
Event ID: 7023
Error: The Remote Access Connection Manager service terminated with the following error: The specified module could not be found.

Fifth Error:
If you try to restart the service from the RRAS MMC console, it gives the following error: “Routing and Remote Access cannot be started because of the following error. Please see event log for more information: The service has returned a service-specific error code. (8007042a)”

Cause:
By default the EAP provider entries in the registry point to %SystemRoot%\System32\rastls.dll. Installing Symantec Antivirus or Symantec Endpoint Protection changes this location in the registry to C:\Program Files\SAV\SymRasMan.dll. After uninstallation the change is not reversed on Windows Server 2003 SP2 because, unlike Windows Small Business Server 2003, no backup of the key is created during the change/installation, so the registry is left pointing at a module that no longer exists.


Solution:
To resolve this issue follow the steps below:

  1. Click Start
  2. Click Run
  3. Type regedit
  4. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13

  5. Select the folder 13
  6. Change the value for keys: “ConfigUiPath”, “IdentityPath”, “InteractiveUIPath” and “Path” to:
    %SystemRoot%\System32\rastls.dll

  7. Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\25
  8. Select the folder 25
  9. Change the value for keys: “ConfigUiPath”, “IdentityPath”, “InteractiveUIPath” and “Path” to:
    %SystemRoot%\System32\rastls.dll
  10. Re-start the computer (recommended, not required)
  11. Start the RRAS service
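An added example (not from the original post) that audits the two EAP keys named in steps 4 to 9 and, with -Fix, restores only the entries that still point at SymRasMan.dll. It assumes an elevated PowerShell session and writes the value as REG_EXPAND_SZ, an assumption made so the %SystemRoot% variable from step 6 is expanded by RRAS at load time.

```powershell
# Added example, not part of the original post. Checks the EAP provider
# entries the Solution edits by hand and reports which ones still name the
# uninstalled Symantec module. Without -Fix nothing is written.
param([switch]$Fix)

$base    = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP'
$names   = 'ConfigUiPath', 'IdentityPath', 'InteractiveUIPath', 'Path'
$default = '%SystemRoot%\System32\rastls.dll'   # value given in steps 6 and 9

foreach ($id in 13, 25) {
    $key = Join-Path $base $id
    if (-not (Test-Path -LiteralPath $key)) {
        Write-Host "missing key: $key"
        continue
    }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $names) {
        $current = $props.$name
        if ($null -eq $current) {
            Write-Host "$key\$name : not set"
            continue
        }
        # The symptom is a path ending in SymRasMan.dll left behind by the
        # uninstaller; any other value is reported but left alone.
        if ($current -notmatch 'SymRasMan\.dll$') {
            Write-Host "$key\$name : OK ($current)"
            continue
        }
        Write-Host "$key\$name : stale -> $current"
        if ($Fix) {
            # Assumption: REG_EXPAND_SZ, so %SystemRoot% is expanded when the
            # Remote Access Connection Manager loads the module.
            Set-ItemProperty -LiteralPath $key -Name $name -Value $default -Type ExpandString
            Write-Host "  reset to $default"
        }
    }
}
```

Run it once without -Fix after the uninstall to confirm the stale entries match the event log module path before changing anything, then with -Fix and start the RRAS service as in step 11.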