I've encountered two issues with the ProgramData\Symantec\SAVCorp\7.5\xfer folder.  I've only seen this on two Vista SP1 machines, one Business, one Ultimate, both 32-bit, both Domain members but unmanaged.
 
First, SEP repeatedly detects risks in the xfer folder.  I thought this folder had to do with Quarantine, so why would SEP detect the obvious?
 
Second, and possibly related to the first, the folder grows beyond all belief.  I noticed this on the Business client when a 25GB partition had less than 1GB of free space, when it should have only been half full.  The xfer directory in this case had grown to roughly 9GB with over 300 thousand files.  It was so large that it was a pain to empty.  Trying to view Quarantine caused the program to hang.  It took several minutes to even browse the folder, as the hundreds of thousands of files caused explorer to take nearly 10 minutes to enumerate the files.
 
The Ultimate client had even more issues, with over 600 thousand files and 20GB of space taken up!  The only way to get back to some semblance of normalcy was to uninstall SEP (which cleared out the Quarantine files) and then reinstall.
 
Part of the reason is my fault, since I hadn't set the purge options for Quarantine.  Strangely, on my managed clients, without even setting an option it defaulted to deleting items older than 30 days.  The unmanaged clients didn't even have the 30 day option set.  Both now have the 30 day and 50MB options set, which should prevent the issue going forward (other than detecting risks in the xfer folder).
 
Any thoughts as to what's going on, particularly with the first issue?



Question/Issue:
After Symantec Endpoint Protection detects an infection the xfer_tmp folder starts to generate a large amount of temp files. How can I get this to stop?

After Symantec AntiVirus detects an infection the 7.5\xfer and/or 7.5\xfer_temp folders start to generate a large amount of temp files. How can I get this to stop?

After a migration from Symantec AntiVirus to Symantec Endpoint Protection the xfer_tmp folder starts to generate a large amount of temp files. How can I get this to stop?

Symptoms:
Large amounts of temp files are generated in the following locations:

Symantec Endpoint Protection

  • Windows 2000/XP/2003
    • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp
  • Windows Vista/2008
    • C:\Program Data\Symantec\Symantec Endpoint Protection\xfer_tmp


Symantec AntiVirus

NOTE: The following file locations may still be relevant in a migration scenario from Symantec AntiVirus to Symantec Endpoint Protection

  • Windows 2000/XP/2003
    • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer
    • C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp
  • Windows Vista/2008
    • C:\Program Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer
    • C:\Program Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp

Solution:
  1. Stop the Symantec service

    • Symantec Endpoint Protection

      1. Click Start, then Run
      2. Type smc -stop
      3. Click OK
    • Symantec AntiVirus

      1. Click Start, then Run
      2. Type services.msc
      3. Click OK
      4. Right-click and Stop the Symantec AntiVirus service
  2. Deleting the files
    The following instructions are to be done from the command prompt as attempting to perform the deletions from the Windows user interface may result in delays and application hangs due to the large amount of files that can reside in these locations.

    1. Open the command prompt

      1. Click Start, then Run
      2. Type cmd
      3. Click OK
    2. Deleting files from User Temp folder

      • Type the following command in command prompt (The following string will vary depending on the user name):

        DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"

        Replace "<NAMEOFUSER>" with the username of the desired Windows user you wish to empty the temp folder for
    3. Deleting the temp folder at the root of C:\

      • Type the following command in command prompt:

        DEL /F /Q C:\temp
    4. Deleting the Windows Temp folder

      • Type the following command in command prompt:

        DEL /F /Q C:\WINDOWS\Temp
    5. Deleting the contents of the xfer and/or xfer_temp directories

      • Symantec Endpoint Protection

        • Type the following command in command prompt:

          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
      • Symantec AntiVirus

        NOTE: For migrations from Symantec AntiVirus to Symantec Endpoint Protection, be sure that the below locations do not also exist

        • Type the following commands in command prompt:

          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer"

          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\xfer_tmp"

          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp"

          DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer"
  3. The Quarantine Folder
    The following instructions are to be done from the command prompt as attempting to open the Quarantine folder in the Windows user interface may result in delays and Windows Explorer application hangs due to the large amount of files that can reside there.

    1. Delete the Quarantine Folder

      • Symantec Endpoint Protection

        • Type the following commands in command prompt:

          DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

          RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
      • Symantec AntiVirus

        NOTE: For migrations from Symantec AntiVirus to Symantec Endpoint Protection, be sure that the below location does not also exist

        • Type the following commands in command prompt:

          DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"

          RD /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"
    2. Recreate the Quarantine Folder

      • Symantec Endpoint Protection
        • Type the following command in command prompt:

          MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
      • Symantec AntiVirus
        • Type the following command in command prompt:

          MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine"

  4. Start the Symantec service

    • Symantec Endpoint Protection

      1. Click Start, then Run
      2. Type smc -start
      3. Click OK
    • Symantec AntiVirus

      1. Click Start, then Run
      2. Type services.msc
      3. Click OK
      4. Right-click and Start the Symantec AntiVirus service
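
To see which of the folders named above has actually grown, and to confirm the result after the cleanup, the file count and size can be read from a shell instead of Explorer. This PowerShell script is an added example, not part of the original question or article. The folder names come from the page, while the %ProgramData% lookup and the 50 MB flag level (taken from the purge option mentioned in the question) are assumptions.

```powershell
# Added example: report file count and total size of the Symantec transfer and
# quarantine folders without opening them in Windows Explorer.

# Base folders as written in the article, plus %ProgramData% when Windows defines it.
$bases = @(
    'C:\Documents and Settings\All Users\Application Data\Symantec',
    'C:\Program Data\Symantec'
)
if ($env:ProgramData) { $bases += (Join-Path $env:ProgramData 'Symantec') }

# Sub-folders named in the question and in the article.
$subFolders = @(
    'SAVCorp\7.5\xfer',
    'Symantec Endpoint Protection\xfer',
    'Symantec Endpoint Protection\xfer_tmp',
    'Symantec Endpoint Protection\Quarantine',
    'Symantec AntiVirus Corporate Edition\7.5\xfer',
    'Symantec AntiVirus Corporate Edition\7.5\xfer_tmp',
    'Symantec AntiVirus Corporate Edition\7.5\Quarantine'
)

$limitMB = 50   # assumption: flag level, same figure as the 50MB purge option

function Get-FolderUsage {
    param([string]$Path)
    # Files are streamed through the pipeline, so even several hundred
    # thousand entries are counted without building a list in memory.
    $m = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Measure-Object -Property Length -Sum
    $files = 0; $bytes = 0
    if ($m) { $files = $m.Count; $bytes = [double]$m.Sum }   # empty folder: stays 0
    $sizeMB = [math]::Round($bytes / 1MB, 1)
    New-Object PSObject -Property @{
        Path      = $Path
        Files     = $files
        SizeMB    = $sizeMB
        OverLimit = ($sizeMB -gt $limitMB)
    }
}

# Every base/sub-folder combination; folders that do not exist are skipped.
$targets = foreach ($b in $bases) { foreach ($s in $subFolders) { Join-Path $b $s } }

$targets | Select-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ -PathType Container } |
    ForEach-Object { Get-FolderUsage -Path $_ } |
    Sort-Object SizeMB -Descending |
    Format-Table Path, Files, SizeMB, OverLimit -AutoSize
```

Run it from an elevated prompt once before step 2 and again after step 4; a folder that is still flagged or growing after the purge options are set points to the first issue in the question rather than to missing purge settings.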