Need Script to Stop Service, Delete Files/Directories, Recreate them Symantec Endpoint Protection

Large amounts of temp files are being created in the xfer_tmp and are being detected as threats on several PCs throughout our organization.  Have a list of steps from Symantec to resolve this issue, just need them automated, so I don't have to waste any time running through each one.  Exact details are located here: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548

Breakdown, we only use Symantec Endpoint Protection on XP, so the only folder we are concerned about is C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp

What the script needs to contain:
 Stop the Symantec Service (smc -stop)
Delete Files/Folders Accordingly -
 DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
 DEL /F /Q C:\temp
 DEL /F /Q C:\WINDOWS\Temp
 DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
 DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
 DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
 DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
Recreate the Quarantine folder:
 MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"

Finally to start the Symantec service again (smc -start)

I also need it to somehow recognize when the file/directory deleting in each of the above steps is completed.  I can't just have the script run through all the commands when the previous one didn't finish. In some instances, this could take hours as these folders have hundreds of thousands of tmp files adding up to several GB of space.

batch or vb script, doesn't matter, something I can just execute on each of the machines having this issue.  Thanks so much in advance!

fireguy1125Asked:

jhalapradeepCommented:
Hi,

First of all, I hope you have upgraded the SEP version to SEP 11.0 RU5.
As to resolve this issue permanently you will need to upgrade the software first.

Regards,
Pradeep Jhala
0
fireguy1125Author Commented:
Yes, I upgraded to 11.0.5002.333...that is when the issue started occurring, upgrade from 11.0.2 to 11.0.5 has caused all of these problems.
0
jhalapradeepCommented:
1. Open Notepad

2. Paste the following 4 lines into a text file:

rd /q /s "%AllUsersProfile%\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
md "%AllUsersProfile%\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
rd /q /s "%AllUsersProfile%\Application Data\Symantec\Symantec Endpoint Protection\xfer"
md "%AllUsersProfile%\Application Data\Symantec\Symantec Endpoint Protection\xfer"
3. Save the text file as "%ALLUSERSPROFILE%\ClearQuarantine.bat"

4. Create a Scheduled task that runs the following command at least once per day. Set the task to run as the user "NT AUTHORITY\SYSTEM" with no password:

%WINDIR%\system32\cmd.exe /c "%ALLUSERSPROFILE%\ClearQuarantine.bat"

This should do all the work.


Regards,
Pradeep Jhala
0
fireguy1125Author Commented:
As per the Symantec website, still need to delete the Temp folders as indicated in my original post.  Also, need to stop the smc service prior to performing these operations, and then restart after these operations are completed.

Also, how will this script recognize once each folder/files are deleted prior to moving to next command to either re-create or delete other directory?
0
merowingerCommented:
The script will recognize it. A command will not start before the previous command line has finished.
0
jimmymcp02Commented:
Test this and post back.
Copy this into Notepad and save it as sepfix.bat; make sure you change the "save as type" from .txt to all.
 
 
net stop "Symantec Antivirus"
 DEL /F /Q "C:\Documents and Settings\%USERNAME%\Local Settings\Temp"
 DEL /F /Q C:\temp
 DEL /F /Q C:\WINDOWS\Temp
 DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
 DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
 DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
 DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
 MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
net start "Symantec Antivirus"
 
0

jimmymcp02Commented:
By the way, if you have the setting to prevent Symantec from being tampered with, it might stop the script from running, since the script is trying to run a net stop on the service.
0
jhalapradeepCommented:
Hi,

net stop "symantec antivirus" will not work for symantec endpoint protection

You need to stop smc service for this purpose.

please use this command instead.

"start smc -stop" to stop the service and "start smc -start" to start the service. (without quotes)

Regards,
Pradeep Jhala
0
fireguy1125Author Commented:
jimmymcp02 was most complete with all commands I originally requested

jhalapradeep corrected jimmymcp02's commands to stop service

merowinger answered my question regarding command execution.

Thanks to all! Solution worked with all 3 of you contributing.
0
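The sequence the thread settled on (jimmymcp02's delete list with jhalapradeep's smc commands), written out as an added example that is not any poster's own script. It logs each step and the number of files left in each folder, so a cleanup that runs for hours can be followed. The log path and the :clean and :log labels are assumptions of this example, as is smc resolving the way it does in the thread's "start smc -stop".

```batch
@echo off
rem Added example, not a script posted in the thread. Assumptions: "smc" resolves
rem as in the thread's "start smc -stop"; LOG is a path chosen for this example.
setlocal
set "SEP=%ALLUSERSPROFILE%\Application Data\Symantec\Symantec Endpoint Protection"
set "LOG=%SystemDrive%\sepfix.log"

call :log "stopping smc"
rem /wait blocks until the launched smc process exits.
start /wait smc -stop

rem Batch lines run strictly in order: each DEL returns only when it is done,
rem however long that takes, so no step overlaps the next.
call :clean "C:\Documents and Settings\%USERNAME%\Local Settings\Temp"
call :clean "C:\temp"
call :clean "%WINDIR%\Temp"
call :clean "%SEP%\xfer_tmp"
call :clean "%SEP%\xfer"

call :log "clearing Quarantine"
del /f /s /q "%SEP%\Quarantine" >nul 2>&1
if not exist "%SEP%\Quarantine\" md "%SEP%\Quarantine"

rem Always reached, even if a DEL above failed, so the client is not left stopped.
call :log "starting smc"
start /wait smc -start
call :log "done"
endlocal
goto :eof

:clean
rem Delete the files directly inside %1 (same DEL /F /Q as in the thread),
rem then record how many files are still there (locked files survive DEL).
if not exist "%~1\" goto :eof
del /f /q "%~1\*" >nul 2>&1
set "LEFT=0"
for /f %%N in ('dir /a-d /b "%~1" 2^>nul ^| find /c /v ""') do set "LEFT=%%N"
call :log "cleaned %~1, files remaining: %LEFT%"
goto :eof

:log
rem Redirection comes first so a message ending in a digit is not read as a handle.
>> "%LOG%" echo %DATE% %TIME% %~1
goto :eof
```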
jimmymcp02Commented:
Like my daughter says "What's gonna work... Teamwork... What's gonna work, teamwork!!!"
 
Thanks and glad we could help you.
0