Endpoint Protection risk detection left alone and file cannot be found


Article ID: 169722

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) leaves a risk detection alone (the delete or quarantine action could not be performed, or the action was set to "log only"), and when you search for the identified file to delete it manually you cannot find it.

The file path and name in SEP risk logging may be prefixed with a Windows volume GUID, for example:

\\?\volume{9d7f675b-3366-11e7-8066-005056aa78c2}\windows\syswow64\config\systemprofile\appdata\local\microsoft\figwu.wpl

This appears to be a C: drive path, but that file is not found at:

C:\windows\syswow64\config\systemprofile\appdata\local\microsoft\figwu.wpl

Cause

This may be the result of a detection in an unmounted volume, or a volume that is not mounted in a conventional fashion. 

Resolution

To see the volume GUIDs of all local volumes and their mount points, run the MOUNTVOL command without parameters from a command line. In the example above, the volume GUID was NOT mounted at C: but was instead mounted at a subdirectory of C:, and appeared to be associated with a backup service of some kind.

You should be able to see and delete the detected file by tacking the detection path onto the end of one of those mount folders and navigating to one of:

  • C:\Users\service.pointbkup\AppData\Local\Temp\1\windows\syswow64\config\systemprofile\appdata\local\microsoft\figwu.wpl
  • C:\Users\service.pointbkup\AppData\Local\Temp\2\Users\service.pointbkup\AppData\Local\Temp\1\[etc...]
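The same lookup can be scripted: parse the MOUNTVOL listing and rewrite a `\\?\Volume{GUID}\...` path from the SEP risk log into the mount-point paths it refers to. This is an added example, not code from the article or from Symantec; the MOUNTVOL output below is constructed to match the example above, and on a real host you would feed the function the output of `mountvol` instead.

```python
import re

# Constructed MOUNTVOL listing (not captured from a real host). The first
# volume carries the GUID quoted in the SEP log; the last one is unmounted.
SAMPLE_MOUNTVOL_OUTPUT = """
Possible values for VolumeName along with current mount points are:

    \\\\?\\Volume{9d7f675b-3366-11e7-8066-005056aa78c2}\\
        C:\\Users\\service.pointbkup\\AppData\\Local\\Temp\\1\\

    \\\\?\\Volume{0a1b2c3d-0000-0000-0000-000000000001}\\
        C:\\

    \\\\?\\Volume{0a1b2c3d-0000-0000-0000-000000000002}\\
        *** NO MOUNT POINTS ***
"""

# MOUNTVOL prints each volume name on its own line, followed by one line per
# mount point (or "*** NO MOUNT POINTS ***" when the volume is unmounted).
VOLUME_LINE = re.compile(r"^\s*\\\\\?\\Volume\{([0-9a-f-]{36})\}\\\s*$", re.I)
DETECTION_PATH = re.compile(r"^\\\\\?\\Volume\{([0-9a-f-]{36})\}\\(.*)$", re.I | re.S)


def parse_mountvol(text):
    """Map each volume GUID (lower-cased) to the list of its mount points."""
    mounts = {}
    current = None
    for line in text.splitlines():
        m = VOLUME_LINE.match(line)
        if m:
            current = m.group(1).lower()
            mounts.setdefault(current, [])
            continue
        entry = line.strip()
        if current and entry and "NO MOUNT POINTS" not in entry:
            mounts[current].append(entry)
    return mounts


def resolve_detection_path(detection_path, mounts):
    """Translate a SEP log path prefixed with a volume GUID into the path(s)
    where the file is reachable. An empty list means the volume has no mount
    point on this host (the "detection in an unmounted volume" case)."""
    m = DETECTION_PATH.match(detection_path)
    if not m:
        return [detection_path]  # ordinary drive-letter path, nothing to translate
    guid, relative = m.group(1).lower(), m.group(2)
    return [mp.rstrip("\\") + "\\" + relative for mp in mounts.get(guid, [])]


if __name__ == "__main__":
    logged = r"\\?\volume{9d7f675b-3366-11e7-8066-005056aa78c2}\windows\syswow64\config\systemprofile\appdata\local\microsoft\figwu.wpl"
    for candidate in resolve_detection_path(logged, parse_mountvol(SAMPLE_MOUNTVOL_OUTPUT)):
        print(candidate)
```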

You should also exclude backup mountpoints from scans, or at least make them part of a separate schedule. Antivirus scans and backup services often step on each other's toes.