SEP 14.2 RU2 detects “Download Insight” on O365 Pro Plus Update

I need a solution

Hi everyone,

our SEP detects a Download Insight event when O365 Pro Plus tries to get its updates.

The tmp file name varies every time. We are getting Helpdesk calls about it and I want them to stop.

After checking 5 clients I’m sure that this file relates to the Office Updates (Semi-Annual), as there is a log file from O365 ProPlus with the same timestamp.

When will these files be trustworthy?

Best regards

Stephan


Related:

External logging in SEPM with Failover configuration

I need a solution

My company has two SEPMs and we’re trying to configure External Logging. We have the primary SEPM configured to export logs to a dump file and our SIEM agent is ingesting the logs in the dump files. As long as the SEPM in datacenter A is active it writes logs to the *.tmp files in the dump directory. If the SEPM in datacenter B becomes active, it does not write logs to the *.tmp files in the dump directory. How do we make sure that whichever SEPM is active writes *.tmp files in the dump directory (C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\data\dump)?


Related:

SEP SBE Cloud – 2 separate virus alerts

I need a solution

Hey

I’ve gotten 2 similar virus alerts recently and it is unclear from where they originate. It’s a small business with 1 LAN, 10 users and 15 PCs running Win7Pro 32bit. 

One alert says: 
Source: External Media

…and there is no guidance on how to interpret that, e.g. if it’s USBs & CDs or just a generic term for something.

The other alert is not logged in the client logs, which is odd. I just have the alert email and cloud log.
It is not unheard of that hapless endusers try to remove evidence of errors in order to escape the wrath of some management, though.
-> Deliberate malicious removal of log entries is not a top suspect. 

Nevertheless, 2 alerts with similar patterns with no clear indication of their origin is… “interesting”.

So, what does
Source: External Media
actually indicate in this context?

…and any pointers or information on what kind of relevant activity happens in files like

Infected file: c:\Windows\System32\00026202.tmp Removed
Infected file: c:\Windows\System32\00009493.tmp Removed
Infected file: c:\Windows\System32\00012746.tmp Removed
Infected file: c:\Windows\System32\00012652.tmp Removed
Infected file: c:\Windows\System32\00032759.tmp Removed
Infected file: c:\Windows\System32\00012277.tmp Removed

…is appreciated. 

cheers

Erik

1.

———————————-

Filename: 00026202.tmp
Threat name: Downloader
Full Path: c:\Windows\System32\0026202.tmp

On computers as of: 2018-10-31 at 12:10:40
Last Used: 2018-10-31 at 12:13:22
Startup Item: No
Launched: No

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

00026202.tmp Threat name: Downloader

Very Few Users: Fewer than 5 users in the Symantec Community have used this file.
Very New: This file was released less than 1 week ago.
High: This file risk is high.

Source: External Media
Source File: 00026202.tmp

File Actions
Infected file: c:\Windows\System32\00026202.tmp Removed
Infected file: c:\Windows\System32\00009493.tmp Removed
Infected file: c:\Windows\System32\00012746.tmp Removed
Infected file: c:\Windows\System32\00012652.tmp Removed
Infected file: c:\Windows\System32\00032759.tmp Removed
Infected file: c:\Windows\System32\00012277.tmp Removed

2.

————————————————-

A high-risk incident was detected. [… edited …]

Incident Details
00032053.tmp (Trojan.Dropper) detected by Virus scanner
Threat Name: Trojan.Dropper
Threat Type: Virus
File Name: c:\windows\system32\0032053.tmp
Action Required: To resolve this security risk a reboot is required

Related:


Can not delete file after AV policy triggered and denied access to file

I need a solution

Hello,

I was testing our AV policy with Symantec Data Center Security on one of our VMs.

I ran an Eicar file on the server to trigger the event and the policy caught this and created two .TMP files in the directory where the file was being downloaded to.

Now I want to take action on these files, but I see no way of deleting or restoring the file. The only option in the DCS portal is to whitelist or add a tag to the server. If I try to delete the files on the server it triggers the alert again.

Our AV policy is set to “Deny Access”; I would like to avoid delete and quarantine if possible.

Thoughts?

-Mike


Related:

VNX: CAVA error VC: 3: 32: Server ‘x.x.x.x’ returned error ‘FAIL’ when checking file

Article Number: 480920 Article Version: 2 Article Type: Break Fix



VNX Event Enabler, VNX1 Series, VNX2 Series, Celerra

While virus checking is running, the data mover log shows an error indicating that the VC service failed to check a file:

2016-03-29 11:38:44: VC: 3: 32: Server ‘x.x.x.x’ returned error ‘FAIL’ when checking file ‘root_vdm_id\mount_path\filename.ext’

The ‘FAIL’ message occurs when a scan request is opened (the VC service on the data mover sends a request to the CAVA servers) and when the CAVA server tries to open it the file is not found. This means that the file was deleted before it could be scanned. There are some scenarios where this could happen:

  • One way this occurs is if the file was a cookie, temporary file, or lock file. Microsoft Office, for example, creates temporary files that follow the format ~$<original_filename.xxxx>. These files normally disappear when the file is saved or closed, and if this happens quickly the file can disappear before it has a chance to be scanned, leading to the FAIL message in the data mover log. The filenames that are failing scans usually identify this as the source of the issue.
  • Another way this can occur is if the file has a special ‘disposition’ on it. In SMB and SMB2 the user can set a disposition ‘delete on close’ when opening a file. If the file that is referred for scanning is opened by another user with this disposition set, the file is deleted before it can be scanned, leading to the FAIL message in the data mover logs. This option can be seen in packet traces by looking at SMB ‘Create’ or ‘SetInfo’ calls, but it will be set by the user doing the deleting, and probably not by the CAVA servers. This can make things difficult because normal traffic must be monitored (not just the AV server) to determine who is setting the flag.

The best resolution is to stop whatever is deleting the file (the external users deleting the file). This may mean disabling the use of temp files in Office, or storing other temp files or cookies in a local directory instead of a shared one. If this cannot be done, then alter viruschecker.conf to exclude these types of files from being checked by altering the ‘excl’ line to exclude ~$*.* (for Office files), *.tmp or any other extension that may be causing these errors.

viruschecker.conf:

CIFSserver=<CIFS server on data mover>
addr=<configured CAVA servers>
excl=~$*.*:*.accdb:*.laccdb:*.ldb:*.mdb:*.pst:*.tmp:????????
masks=*.*
shutdown=viruschecking
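To check an exclusion change before rolling it out, here is an added example (not from the EMC article): it parses a constructed viruschecker.conf carrying the ‘excl’ line above, pulls the file name out of a constructed VC FAIL log line, and reports whether that name would still be submitted to CAVA. It assumes ‘excl’ and ‘masks’ are colon-separated, case-insensitive DOS-style wildcards; the server names, addresses and path are made up.

```python
import fnmatch
import re

# Constructed sample conf, modelled on the one in the article (values are made up).
VIRUSCHECKER_CONF = """\
CIFSserver=dm2-cifs
addr=10.0.0.5:10.0.0.6
excl=~$*.*:*.accdb:*.laccdb:*.ldb:*.mdb:*.pst:*.tmp:????????
masks=*.*
shutdown=viruschecking
"""

# Constructed log line in the format quoted in the article (ASCII quotes).
LOG_LINE = ("2016-03-29 11:38:44: VC: 3: 32: Server '10.0.0.5' returned error "
            "'FAIL' when checking file '\\root_vdm_1\\share\\docs\\~$budget.xlsx'")

LOG_RE = re.compile(r"returned error '(?P<err>[A-Z]+)' when checking file '(?P<path>[^']+)'")


def parse_conf(text):
    """Return the conf as a dict; 'excl' and 'masks' become pattern lists (colon-separated)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    for key in ("excl", "masks"):
        conf[key] = [p for p in conf.get(key, "").split(":") if p]
    return conf


def _matches_any(name, patterns):
    # CIFS names are case-insensitive, so compare lower-cased with fnmatchcase
    # (assumed semantics: '*' any run, '?' exactly one character).
    name = name.lower()
    return any(fnmatch.fnmatchcase(name, p.lower()) for p in patterns)


def would_be_scanned(filename, conf):
    """True if the name matches a 'masks' pattern and no 'excl' pattern, i.e. VC would send it to CAVA."""
    return _matches_any(filename, conf["masks"]) and not _matches_any(filename, conf["excl"])


def fail_file_from_log(line):
    """Return (full_path, basename) for a VC FAIL line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m or m.group("err") != "FAIL":
        return None
    path = m.group("path")
    return path, path.rsplit("\\", 1)[-1]
```

Running `would_be_scanned(fail_file_from_log(LOG_LINE)[1], parse_conf(VIRUSCHECKER_CONF))` returns False, confirming the ~$ Office lock file is excluded by the ‘excl’ line and would no longer produce the FAIL entry.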

Additional resources:

https://support.microsoft.com/en-us/kb/211632 (Description of how Word creates temporary files)

https://wiki.wireshark.org/SMB2/SMB2_FILE_DISPOSITION_INFO (SMB2_FILE_DISPOSITION_INFO addresses the ‘delete on close’ feature)

Related:

Requesting information on log and dump files external logging

I need a solution

We are moving off of Splunk and over to Elastic, using Filebeat to transfer; we have it set up and working. I see the tmp files being updated every five minutes in the datadump directory, which I think corresponds to the heartbeat setting, but the log files are not being updated that frequently. How often should data be moved from tmp to log? Is there any documentation on this? I have looked at the admin guide and have not found any specifics on it.

Our version on both SEPM and the clients is 14 MP2 14.0.2415.0200

Thanks

Stan


Related:


External logging does not update log files

I need a solution

Hi,

We have made external reporting setup to be able to send log files to splunk.

However we notice that the log file is not updating. The update frequency is set to 30 seconds and we can see .tmp file being updated but not the log file.

Any idea how we can change the settings so it is updating frequently.

Kind regards


Related:

Backup creation failed with “No space left on device” error

We are trying to back up (config save apiconfig sftp) the API Connect config before the upgrade and getting the below error

“mktemp: failed to create directory via template `/tmp/dbutil.XXXXXX’: No space left on device
/opt/ibm/informix/apim/dbutil.sh: line 406: cannot create temp file for here-document: No space left on device”

But we have enough backup space (100MB) and disk space available (50%).

Related:


7022427: Saving changes to Excel files in Filr folders can lead to 0KB files

This document (7022427) is provided subject to the disclaimer at the end of this document.

Environment

Micro Focus Filr 3.2

Micro Focus Filr Desktop client for Windows

Situation

Filr Desktop client users making and saving changes to Excel files (.xlsx or .xls) in Filr folders may encounter a rare condition where the save operation causes additional files of 0KB size to show up in their Filr folder. These temporary files have the same name as the original Excel file but are 0KB in size.

Further, these temporary 0KB files are not synchronized back to the Filr server and remain as local files on the end user’s system inside the Filr folder where they were originally generated. If the user tries to open or delete these files, they are presented with access denied errors such as:

Cannot access read-only document ‘C:UsersjdoeFilrMy Filesfolder1123.xlsx’

You’ll need to provide administrator permission to delete this file: ‘C:UsersjdoeFilrMy Filesfolder1123.xlsx’

The only way to clean-up these 0KB files is by re-installing the Filr Desktop client for the user.

Resolution

A fix for this issue is available in the Filr 3.3 Update. The fix will prevent creation of such 0KB files, however any files currently in this state will need to be cleaned up by re-installing the Filr Desktop client.

Cause

A mismatch between the number of open and close operations, which leads to the delete command not being executed on all temporary files.

Additional Information

See also: Another similar issue that may occur when using MS Excel with Filr, TID 7021137 – Filr Desktop client leaves behind tmp files that cannot be opened or removed.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented “AS IS” WITHOUT WARRANTY OF ANY KIND.

Related:

IIB_XA in /tmp dir

How can I change the location of XA temporary files started with “IIB_XA_*”
Our current location is “/tmp”, see:

[root@olas3749 Installation1]# ls /tmp/II*
/tmp/IIB_XA_BOLAS3749O1_4b936fb6-f0f5-4731-8d63-352d6186fda8.uds /tmp/IIB_XA_BOLAS3749O2_30fa684e-be4e-4ee0-9cb9-ba4e4451e447.uds
/tmp/IIB_XA_BOLAS3749O1_a18a8053-b29e-4670-97bd-a543de7e6742.uds /tmp/IIB_XA_BOLAS3749O2_4f0ee4f1-7cbb-4051-9079-a91b4180fe14.uds
/tmp/IIB_XA_BOLAS3749O1_ca3e181c-a1b6-4430-9a97-94e206e65f12.uds /tmp/IIB_XA_BOLAS3749O2_b901f3e9-370b-4c13-883d-15e9bb7c2621.uds
/tmp/IIB_XA_BOLAS3749O1_e2ec3653-8783-4078-a096-b22dcf936675.uds /tmp/IIB_XA_BOLAS3749O3_2312f23f-2d89-4727-8d42-cf900f173ec4.uds
/tmp/IIB_XA_BOLAS3749O2_1edeaaba-f982-44fc-8d6c-e8d25902239b.uds /tmp/IIB_XA_BOLAS3749O3_771b3121-e803-44cd-897c-f058ccc27e81.uds
