Symantec end point "protection"


12 replies to this topic

#1 wiczjr

wiczjr

  • Members
  • 63 posts
  • OFFLINE
  •  
  • Local time:06:11 PM

Posted 29 June 2011 - 04:13 PM

Symantec end point protection generates these files after it 'removed' a threat, and it sees its own files that it generates as infections, lol. This was after we upgraded the county to 11.0.6300 the other week. I think Norton has a 'bug restore' feature in their programming because this problem was supposedly fixed some time ago. Brilliant.

I wish they would just let us deploy ESET through labtech. No idea why they're stuck on Symantec so badly (a $$ incentive maybe?), and they've been plagued by malware constantly. What to do what to do?
Both faith and fear may sail into your harbour, but only allow faith to drop anchor.


#2 cryptodan

cryptodan

    Bleepin Madman


  • Members
  • 21,868 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Catonsville, Md
  • Local time:12:11 AM

Posted 29 June 2011 - 04:53 PM

What files are created?

#3 wiczjr


Posted 29 June 2011 - 05:04 PM

DWH****.tmp files

#4 cryptodan


Posted 29 June 2011 - 06:45 PM

Anything can create those files, do you think you are infected?

#5 wiczjr


Posted 30 June 2011 - 09:16 AM

> Anything can create those files, do you think you are infected?


No; this is a known issue with Symantec end point protection, nothing will arbitrarily create DWH****.tmp files other than Symantec and the computer in question is the file server for one of the local counties. They did have a minor infection which I've taken care of. Taking care of an infection on a server is a whole other animal than from someone's home computer or a workstation; any advice you give on here will more than likely break a server. You really have to be careful because most scanners actually think that a lot of registry entries and files that are normal for Server 08 R2 are infections. That's why you have to install your end point protection server on the server for whatever vendor you're using (we mostly work with ESET) and create a custom script tailored around the customer. Especially when you get into government agencies with outdated software that they NEED and will ONLY work on either XP or a certain version of Flash Player (it gets pretty complicated). If you arbitrarily run updates or random MBAM scans you're asking for trouble on large scale institutions.

For example, MBAM (and most malware scanners) will "correct" registry keys that turn off notifications about outdated AV definitions or the firewall being turned off or whatever. We deliberately do this for our larger sites because we have MSP software installed that will give US the notification and if the end user sees the notification he or she will probably click on something they're not supposed to. We deliberately hold back some MS updates on certain workstations because it will break their outdated accounting software that they still use. If they were notified that there was an update, they might do it themselves and cause more work for us in the long run.

I posted this to mock/laugh at Symantec, have a friendly discussion with maybe someone else who's had issues with Symantec and to blow off a little steam. That is all. I don't need amateur advice or anything like that but I appreciate the offer. This is my 2nd day on these forums and every time I try to post a friendly discussion about something like this I get a know-it-all who tries to give me advice "anything can create those files"... that's quite the assertion. It's pretty annoying.

#6 cryptodan


Posted 30 June 2011 - 09:38 AM

It is true anything can create those temp files: anything from Windows running, certain applications, installation programs for applications, general use of the computer, and anything else that runs on a computer. Names of temp files are specific to one computer, and quite honestly I am not a know-it-all, and you post on a forum that deals with computer technical support. So by all means you posted here, asked a question, and wanted to receive help.

Also I am not a know-it-all, and I take great offense to that insult. I would advise that when you post take into consideration where you are posting, and how you are posting.

Also as an IT professional, I would highly recommend dropping Symantec and moving on to a much better solution.

Also, your end users should not be getting these popups. In a properly maintained corporate environment Security Center would not be allowed to run, and the proper setup and installation of Norton / Symantec Enterprise Server that automatically pushes out definitions would keep all systems updated, and the popups from reoccurring. Your IT Department or you need to re-evaluate how your network is set up, and the roles the user accounts are given. If your computer users are administrative, then that will be an issue that you need to solve and do it fast. No one but Domain Managers should be admins on the network, and they should have 2 accounts. One for general use when they are not maintaining the network and infrastructure, and one for domain administration.

Also in your post about this issue you provided no evidence or links in your original message, which would have led to a more friendly discussion about the issue and about the company that is Symantec and how their programs are not very useful. So in the future if you want friendly discussion on something, and instead of advice, post evidence and post about what you want to discuss, otherwise on these forums you will be treated as someone seeking help to solve an issue that you are having.

#7 wiczjr


Posted 30 June 2011 - 09:55 AM

Why do you continue to give me your amateur advice? All the points that you just brought up have been explained (as if I have to explain to you in the 1st place?)

I would LOVE to switch from Symantec, the customer won't budge despite the evidence.

Your illustration about our IT dept re-evaluating is complete nonsense. In the non-fantasy world, the hundreds of workstations at this particular site would be left on so we could push the updates daily (some users like to shut the stations down despite what we tell them), grandma wouldn't download turkeyscreensaver.scr with a virus at Thanksgiving Day, and their Exchange server would magically block every instance of spam and phishing attempts that the employees fall for from time to time. Thanks for quoting best practices though, I can see that you have no field experience.

What you said about Security Center not being allowed to run just reinforces the fact that you paid no attention to my post. The entire point of what I said is that we DON'T let it run but most of your scanners see that fact as a threat. There are no popups recurring! There would be if we let SC run. We DON'T push every single update because it would break their proprietary software!

Sorry you're offended, sorry I'm offended. I just wanted to relate to someone with how crappy Symantec was.

#8 cryptodan


Posted 30 June 2011 - 10:08 AM

Malwarebytes, Super Anti-Spyware and tools we recommend here are for the Home User and not the Corporate Environment. Also, how do you push out Windows Updates when the machines are off? Does each user out at this site perform the Windows Updates themselves?

You and your IT Department need to strictly enforce the policy to leave the workstations on, because updates need to be made. I have plenty of field experience, and I have had to manage a network of over 25K computers that span the United States and several foreign countries.

So if you and your IT Department are running tools that are meant to be run in a residential setting, then there is something wrong. You should have an active domain policy that prevents Security Center from popping up at all. Where I work, updates are pushed out, and our machines are left on. We normal users do not get prompted with the popups stating our Anti-Virus Scanning software is outdated.

So no, my comment about your IT Department is not nonsense.

And with that good luck maintaining your Network Infrastructure. I see several failures in it, but will not consult you on those.

#9 wiczjr


Posted 30 June 2011 - 10:28 AM

Once again, I illustrated to you the reasons why we DON'T run residential programs within the corporate environment. Why do you assert that we do?

Once again, I told you the reasons why pop ups are not a problem and only used the MBAM instance as a mere example. Why do you assert that we have a problem with pop ups?

Once again, we can't push Windows updates when the machines are off. Our MSP software will tell us a system is out of date once it comes back online and we handle it once we receive the alert.

You might be misunderstanding our role; we're an MSP provider who's contracted to handle the local government agencies and about 30 other businesses in the area. We have to attend IT meetings and there are a LOT of politics involved, especially when it comes to IT policy. The current policy is for the users to leave their computers on all the time, but for some reason or another they don't. Since you seem compelled to give me advice constantly, do you have any advice there?

We have no problems with this network other than the Symantec bug. Why do you assume that we're plagued with issues? Because I was griping about a known bug?

#10 cryptodan


Posted 30 June 2011 - 10:41 AM

I am saying you are plagued by issues by the fact of how you present your argument. First, you should not bring up how MBAM and other residential scanners fix registry entries allowing the popup, because to me that sounds like you are running those tools and are having issues with popups being generated by Security Center to users that their definitions are out of date. That information was misleading, and therefore unneeded to be presented in your argument. If you are the MSP for this company / small business, simply tell them that you will not support them if they have issues with their computers not being fully updated because people power off their machines at night. That will light a fire under their belt, because then who would they go to for support? Also let them know that if multiple computers are turned off and not updated, and once they get the updates, network speed can be degraded and can affect other people who follow the right IT Policy, and force them to take systems off the network that are not updated. That poses a huge security risk to the rest of the infrastructure. That is all the advice I am going to give you.

#11 wiczjr


Posted 30 June 2011 - 10:49 AM

I was merely explaining to you as to why you don't use the virus removing methods on this web site to remove a virus from a server when you offered the advice. It was a thanks but no thanks.

My post was meant to gripe about Symantec and maybe start a discussion about people who've had similar problems and laugh about it. I didn't want any advice; sorry your ego got in the way.

#12 cryptodan


Posted 30 June 2011 - 10:56 AM

And with your last remark good luck in life.

#13 wiczjr


Posted 30 June 2011 - 11:02 AM

> And with your last remark good luck in life.


I've had great luck and much success. Good luck to you too, sir.



