
[Symantec] Handling repeated detections of dwf~.tmp files


While using the Symantec antivirus, you may run into an error where, once new virus definitions are in place and the quarantine is rescanned, dwf~.tmp files (the DWHxxxx.tmp temporary files described below) are repeatedly detected by Auto-Protect, producing hundreds of detection log entries in a single day.

Symantec describes the following countermeasures for this situation.

For reference.

 

□ URL: http://www.symantec.com/business/support/index?page=content&id=TECH102953&locale=en_US

 

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

Article:TECH102953 | Created: 2007-01-19 | Updated: 2012-07-10 | Article URL http://www.symantec.com/docs/TECH102953

Article Type
Technical Solution

Problem

1. DWH files are created and flagged as malicious by Symantec Endpoint Protection's Auto-protect.

2. Items in quarantine double every time new definitions arrive.


Error



No specific "Errors" are logged, as these detections are valid.


Cause



When the virus definitions are updated in the Symantec Endpoint Protection (SEP) client or the Symantec AntiVirus Corporate Edition (SAVCE) client, there is an option to "Rescan the Quarantine".
This enables the SAVCE/SEP client to inspect the files stored in the local quarantine and verify if any of them can be repaired with the updated AV signatures.

When the files were originally quarantined, they were compressed and encrypted to ensure that the stored version cannot continue to infect the local machine. Consequently, the SAVCE/SEP client must extract the original file(s) from this quarantine packaging before it can be re-scanned.

During this file extraction process, a temporary file - named DWHxxxx.tmp - is created in the working directory of the SAVCE/SEP client. This is typically within the "%App Data%\Symantec\" folder, but in certain older builds of SEP and SAVCE, it may also use the Windows "%TEMP%" folder.

Normally, this temporary file will not be scanned by the SAVCE/SEP Auto Protect function because SEP is already handling the file, i.e. SEP knows that it owns the file. However, if a third-party process accesses that file while it is being created, the SEP Auto Protect function will intercept this file access and will declare the file as un-trusted because another process, possibly malicious, had accessed the file.

This will cause the file to be seen as a "new" file and un-trusted. Accordingly, the file will be scanned. This results in an already quarantined and infected file getting re-scanned. Additionally, it will be treated as a suspect file and quarantined, resulting in a duplicate file being added to the local quarantine.

Finally, as each definition set is received by the SEP or SAVCE client and the local quarantine is re-scanned, the above process repeats, and the contents of the local quarantine are doubled.


Solution



The issue of multiple DWH files being created and retained has been improved in SEP 11 Release Update 7 Maintenance Patch 2 (RU7 MP2) and SEP 12.1 RU1 MP1. Please see Migrating to Symantec Endpoint Protection 11.0.7200 (RU7 MP2) or Upgrading or migrating to Symantec Endpoint Protection 12.1.1101 (RU1 MP1) for details on how to apply this update.

Based on the severity of the detections, there are some known workarounds that should resolve the issue. These are listed in order of preference:

  1. Disable rescanning of the local quarantine upon receipt of new virus definitions.
    1. Open the Antivirus and Antispyware policy > Windows Settings > Quarantine > General

    2. Under "When New Virus Definitions Arrive" choose "Do nothing".
      In SEP 12.1 versions, this policy will be called Virus and Spyware Protection and Quarantine will be under Advanced Options.

  2. Limit the size of the Quarantine folder.

    1. In the right-hand panel, on the Cleanup tab, under Quarantined Files, check Enable automatic deleting of quarantined files that could not be repaired (default: Delete after 30 days) and Delete oldest files to limit folder size at: (default 50 MB).

    2. Click Ok and, if needed, assign the policy.

  3. Ensure that no processes or services (such as Windows Indexing Service for example) can access or monitor SAVCE or SEP files.

  4. Ensure that the "%TEMP%" folder is not open when virus definitions are updated.

  5. Restart in safe mode, delete *.DWH files in the temporary folder, and empty the quarantine folder.

If the quarantine, temporary directories, or xfer_temp folders have gotten too big for Windows to open or clear the contents, it may be necessary to do this from a command prompt. Symantec also has a tool called SymDelTmps which can help delete the temporary files on a machine that is difficult to work with. Please contact Technical Support and ask for this utility if you would like to use it.

The instructions below are for a standard installation. If the client is installed somewhere other than the default location, please be sure to change the path for the files and folders in the commands below. The commands will vary based on operating system, so choose the command that is appropriate for your computer.

Deleting files from User Temp folder
Type the following command in Command Prompt. (The following string will vary depending on the user name.) Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for:

Windows 2000/XP/2003:
DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"

Windows Vista/7/2008:
DEL /F /Q "C:\Users\<NAMEOFUSER>\AppData\Local\Temp"


Deleting the contents of the temp folder at the root of C:\

Type the following command in Command Prompt:
DEL /F /Q C:\temp

Deleting the contents of the Windows Temp folder

Type the following command in Command Prompt:
DEL /F /Q C:\WINDOWS\Temp

Deleting the contents of the xfer and/or xfer_temp directories
Type the following command in Command Prompt:


Windows 2000/XP/2003:
SEP 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"

SEP 12.1

DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer\"

Windows Vista/7/2008:
SEP 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\xfer\"

SEP 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer_tmp\"
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\xfer\"


The Quarantine Folder
Note: The following instructions are to be done from the Command Prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.

Delete the Quarantine Folder
Type the following commands in the Command Prompt:

Windows 2000/XP/2003:
SEP 11.x
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"

SEP 12.1

DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

Windows Vista/7/2008:
SEP 11.x
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"

SEP 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"
RD /S /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

Recreate the Quarantine Folder
Type the following commands in the Command Prompt:

Windows 2000/XP/2003:
SEP 11.x
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\"

SEP 12.1
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

Windows Vista/7/2008:
SEP 11.x
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\Quarantine\"

SEP 12.1
MD "C:\ProgramData\Symantec\Symantec Endpoint Protection\<silo>\Data\Quarantine\"

Start Symantec Endpoint Protection

1. Click Start, then Run
2. Type: smc -start
3. Click OK
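The procedure above is easier to apply, and to confirm, when you can measure the symptom first. The following PowerShell script is an added example, not part of the Symantec article or the SEP product: it counts the DWHxxxx.tmp files in the folders the article names, reports the size and file count of the Quarantine, xfer and xfer_tmp folders against the article's default 50 MB limit, and can append a timestamped row to a CSV so that the "quarantine doubles on every definition update" pattern from the Cause section shows up as a trend across runs. It assumes PowerShell 3.0 or later and the default Windows Vista/7/2008 install paths listed in the article; the SEP 12.1 <silo> folder name is not known in advance, so every subdirectory of the product data folder is probed for a Data\Quarantine layout. The script is read-only and deletes nothing; the cleanup itself stays with the safe-mode steps above.

```powershell
# Added example (not from the Symantec article): inventory DWH*.tmp files and
# the SEP quarantine/xfer folders to measure the doubling symptom.
# Assumptions: PowerShell 3.0+; default SEP paths on Windows Vista/7/2008;
# SEP 11.x flat layout and SEP 12.1 <silo>\Data layout are both probed.
# Read-only: nothing is deleted or modified except the optional CSV log.

[CmdletBinding()]
param(
    [int]$QuarantineLimitMB = 50,   # the article's default "limit folder size at" value
    [string]$LogCsv                 # optional: append a timestamped row for trend tracking
)

$sepData = Join-Path $env:ProgramData 'Symantec\Symantec Endpoint Protection'

# Folders in which the article says DWHxxxx.tmp files are created.
$tempFolders = @(
    $env:TEMP,
    (Join-Path $env:APPDATA 'Symantec'),
    (Join-Path $env:SystemRoot 'Temp')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Quarantine and xfer folders for both SEP layouts.
$sepFolders = @()
if (Test-Path -LiteralPath $sepData) {
    foreach ($name in 'Quarantine', 'xfer', 'xfer_tmp') {
        $sepFolders += Join-Path $sepData $name                     # SEP 11.x
        foreach ($silo in Get-ChildItem -LiteralPath $sepData -Directory -ErrorAction SilentlyContinue) {
            $sepFolders += Join-Path $silo.FullName "Data\$name"    # SEP 12.1 <silo>\Data
        }
    }
}
$sepFolders = $sepFolders | Where-Object { Test-Path -LiteralPath $_ }

function Get-FolderStats {
    # Returns file count and size (MB) for one folder, optionally filtered by name pattern.
    param([string]$Path, [string]$Filter = '*')
    $files = @(Get-ChildItem -LiteralPath $Path -Filter $Filter -File -Recurse -Force -ErrorAction SilentlyContinue)
    $bytes = ($files | Measure-Object -Property Length -Sum).Sum
    if (-not $bytes) { $bytes = 0 }
    [pscustomobject]@{
        Path   = $Path
        Files  = $files.Count
        SizeMB = [math]::Round($bytes / 1MB, 2)
    }
}

$dwhTotal = 0
foreach ($f in $tempFolders) {
    $s = Get-FolderStats -Path $f -Filter 'DWH*.tmp'
    $dwhTotal += $s.Files
    "DWH*.tmp in {0}: {1} files, {2} MB" -f $s.Path, $s.Files, $s.SizeMB
}

$quarantineFiles = 0
foreach ($f in $sepFolders) {
    $s = Get-FolderStats -Path $f
    $flag = if ($s.SizeMB -gt $QuarantineLimitMB) { 'OVER LIMIT' } else { 'ok' }
    if ($f -like '*Quarantine*') { $quarantineFiles += $s.Files }
    "{0}: {1} files, {2} MB [{3}]" -f $s.Path, $s.Files, $s.SizeMB, $flag
}

# A quarantine count that roughly doubles between two runs taken on either side
# of a definition update is the signature of the DWH re-scan loop.
if ($LogCsv) {
    [pscustomobject]@{
        Timestamp       = Get-Date -Format 's'
        DwhTmpFiles     = $dwhTotal
        QuarantineFiles = $quarantineFiles
    } | Export-Csv -LiteralPath $LogCsv -Append -NoTypeInformation
    "Appended counts to $LogCsv"
}
```

Run it from an elevated prompt (for example `.\Get-SepDwhStats.ps1 -LogCsv C:\temp\sep-dwh.csv`, a file name chosen for this example) once before and once after the next definition update; a Quarantine row flagged OVER LIMIT together with a DWH*.tmp count that keeps climbing tells you the re-scan loop is still active and the policy change under Solution step 1 has not taken effect on that client.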

NOTE: It is important to recognize that there are applications, such as Windows Indexing Service, that routinely attempt to touch each file.
Other known applications are Backup applications. In these cases, if that application can make an exclusion for *.DWH, it is strongly advised to implement that exclusion.

