fireguy1125
asked on
Need Script to Stop Service, Delete Files/Directories, Recreate them Symantec Endpoint Protection
Large amounts of temp files are being created in the xfer_tmp and are being detected as threats on several PCs throughout our organization. Have a list of steps from Symantec to resolve this issue, just need them automated, so I don't have to waste any time running through each one. Exact details are located here: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009042217073548
Breakdown, we only use Symantec Endpoint Protection on XP, so the only folder we are concerned about is C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp
What the script needs to contain:
Stop the Symantec Service (smc -stop)
Delete Files/Folders Accordingly -
DEL /F /Q "C:\Documents and Settings\<NAMEOFUSER>\Local Settings\Temp"
DEL /F /Q C:\temp
DEL /F /Q C:\WINDOWS\Temp
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer_tmp\"
DEL /F /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\xfer\"
DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
DEL /F /S /Q "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
Recreate the Quarantine folder:
MD "C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
Finally to start the Symantec service again (smc -start)
I also need it to somehow recognize when the file/directory deleting in each of the above steps is completed. I can't just have the script run through all the commands when the previous one didn't finish. In some instances, this could take hours as these folders have hundreds of thousands of tmp files adding up to several GB of space.
batch or vb script, doesn't matter, something I can just execute on each of the machines having this issue. Thanks so much in advance!
ASKER
Yes, I upgraded to 11.0.5002.333...that is when the issue started occurring, upgrade from 11.0.2 to 11.0.5 has caused all of these problems.
1. Open Notepad
2. Paste the following 4 lines into a text file:
rd /q /s "%AllUsersProfile%\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
md "%AllUsersProfile%\Application Data\Symantec\Symantec Endpoint Protection\Quarantine"
rd /q /s "%AllUsersProfile%\Application Data\Symantec\Symantec Endpoint Protection\xfer"
md "%AllUsersProfile%\Application Data\Symantec\Symantec Endpoint Protection\xfer"
3. Save the text file as "%ALLUSERSPROFILE%\ClearQuarantine.bat"
4. Create a Scheduled task that runs the following command at least once per day. Set the task to run as the user "NT AUTHORITY\SYSTEM" with no password:
%WINDIR%\system32\cmd.exe /c "%ALLUSERSPROFILE%\ClearQuarantine.bat"
This should do all the work.
Regards,
Pradeep Jhala
ASKER
As per the Symantec website, still need to delete the Temp folders as indicated in my original post. Also, need to stop the smc service prior to performing these operations, and then restart after these operations are completed.
Also, how will this script recognize once each folder/files are deleted prior to moving to next command to either re-create or delete other directory?
By the way, if you have the setting to prevent Symantec from being tampered with, it might stop the script from running, since the script is trying to run a net stop on the service.
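One way to script the sequence requested in this thread, as an added example (it is not one of the thread's answers and not Symantec's code). The folder paths and the `smc -stop` / `smc -start` commands come from the posts above; the `smc.exe` install path, the service name `SmcService` and the log file location are assumptions to adjust per site. If the service cannot be stopped, for instance because of the tamper setting mentioned above, the script aborts before deleting anything.

```batch
@echo off
setlocal
rem Added example. smc.exe path, service name and log path are assumptions.
set "SEP=%AllUsersProfile%\Application Data\Symantec\Symantec Endpoint Protection"
set "SMC=%ProgramFiles%\Symantec\Symantec Endpoint Protection\smc.exe"
set "SVC=SmcService"
set "LOG=%SystemDrive%\sep_cleanup.log"

call :log stopping %SVC%
"%SMC%" -stop
set /a tries=0
:waitstop
rem smc -stop may return before the service is down, so poll its state.
sc query %SVC% | find "STOPPED" >nul && goto cleanup
set /a tries+=1
if %tries% geq 30 (
    call :log %SVC% did not stop, nothing deleted
    exit /b 1
)
rem XP has no timeout.exe; ping gives a delay of about 5 seconds.
ping -n 6 127.0.0.1 >nul
goto waitstop

:cleanup
rem DEL, RD and MD are cmd built-ins: each line returns only when it has finished.
for /d %%U in ("%SystemDrive%\Documents and Settings\*") do (
    if exist "%%U\Local Settings\Temp" del /f /q "%%U\Local Settings\Temp" 2>>"%LOG%"
)
for %%D in ("C:\temp" "%SystemRoot%\Temp" "%SEP%\xfer_tmp" "%SEP%\xfer") do (
    if exist "%%~D" del /f /q "%%~D" 2>>"%LOG%"
    call :log finished %%~D
)
rd /s /q "%SEP%\Quarantine" 2>>"%LOG%"
md "%SEP%\Quarantine"
call :log Quarantine recreated

"%SMC%" -start
ping -n 11 127.0.0.1 >nul
rem Do not leave the endpoint unprotected without a record of it.
sc query %SVC% | find "RUNNING" >nul || call :log WARNING %SVC% not running after cleanup
call :log done
exit /b 0

:log
echo %date% %time% %* >>"%LOG%"
goto :eof
```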
ASKER
jimmymcp02 was most complete with all commands I originally requested
jhalapradeep corrected jimmymcp02's commands to stop service
merowinger answered my question regarding command execution.
Thanks to all! Solution worked with all 3 of you contributing.
Like my daughter says "What's gonna work... Teamwork... What's gonna work team work!!!"
Thanks and glad we could help you.
First of all, I hope you have upgraded the SEP version to SEP 11.0 RU5.
To resolve this issue permanently, you will need to upgrade the software first.
Regards,
Pradeep Jhala