Symantec Endpoint Protection 14 RU1 cleanwipe deletes CA IT Client Manager application file CAF.exe


Article ID: 170710

Products

Endpoint Protection

Issue/Introduction

Cleanwipe included with SEP 14 RU1 deletes a third-party file that it should not remove.
The third-party application is "CA IT Client Manager".
Path from which Cleanwipe removes the file: C:\Program Files (x86)\CA\DSM\Bin\CAF.exe

Cleanwipe provided with 14 MP1 and MP2 does not remove the same application file.

From Cleanwipe.log:
2017-11-09T08:28:03.978Z TRACE Image path from SCM: "C:\Program Files (x86)\CA\DSM\bin\caf.exe" service
2017-11-09T08:28:03.978Z TRACE Sanitized image path: C:\Program Files (x86)\CA\DSM\bin\caf.exe
2017-11-09T08:28:03.978Z TRACE Added removal rule for C:\Program Files (x86)\CA\DSM\bin\caf.exe
2017-11-09T08:28:03.978Z TRACE Service CAF is running.
2017-11-09T08:28:03.978Z TRACE Service is not a driver, attempting to stop it with all dependent services.
2017-11-09T08:28:16.056Z TRACE Service CAF stopped succesfully.
2017-11-09T08:28:16.056Z TRACE Deleting service CAF from SCM
2017-11-09T08:28:16.056Z TRACE Service successfully deleted from SCM.

From the Procmon boot log:

PID             TimeofDay          Operation          ProcessName                  Path                            Result           Detail
2372    4:12:16.4325571 PM    CreateFile                    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS    Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened    3028
2372    4:12:16.4708054 PM    QueryBasicInformationFile    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS    CreationTime: 3/25/2016 7:21:06 PM, LastAccessTime: 12/18/2017 4:09:36 PM, LastWriteTime: 3/25/2016 7:21:06 PM, ChangeTime: 12/18/2017 4:09:36 PM, FileAttributes: A    3028
2372    4:12:16.4708162 PM    CloseFile                    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS        3028
2372    4:12:16.4711676 PM    CreateFile                    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS    Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened    3028
2372    4:12:16.4711851 PM    QueryBasicInformationFile    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS    CreationTime: 3/25/2016 7:21:06 PM, LastAccessTime: 12/18/2017 4:09:36 PM, LastWriteTime: 3/25/2016 7:21:06 PM, ChangeTime: 12/18/2017 4:09:36 PM, FileAttributes: A    3028
2372    4:12:16.4711924 PM    CloseFile                    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS        3028
2372    4:12:16.4713421 PM    CreateFile                    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS    Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened    3028
2372    4:12:16.4713575 PM    QueryBasicInformationFile    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS    CreationTime: 3/25/2016 7:21:06 PM, LastAccessTime: 12/18/2017 4:09:36 PM, LastWriteTime: 3/25/2016 7:21:06 PM, ChangeTime: 12/18/2017 4:09:36 PM, FileAttributes: A    3028
2372    4:12:16.4713644 PM    CloseFile                    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS        3028
2372    4:12:16.4718133 PM    QueryDirectory                CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\caf.exe    SUCCESS    Filter: caf.exe, 1: CAF.exe    3028
2372    4:12:16.4719597 PM    CreateFile                    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS    Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened    3028
2372    4:12:16.4719748 PM    QueryBasicInformationFile    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS    CreationTime: 3/25/2016 7:21:06 PM, LastAccessTime: 12/18/2017 4:09:36 PM, LastWriteTime: 3/25/2016 7:21:06 PM, ChangeTime: 12/18/2017 4:09:36 PM, FileAttributes: A    3028
2372    4:12:16.4719814 PM    CloseFile                    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS        3028
2372    4:12:16.4722168 PM    CreateFile                    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS    Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened    3028
2372    4:12:16.4722467 PM    QueryAttributeTagFile          CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS    Attributes: A, ReparseTag: 0x0    3028
2372    4:12:16.4722685 PM    SetDispositionInformationFile    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS    Delete: True    3028
2372    4:12:16.4722929 PM    CloseFile                    CleanWipe.exe    C:\Program Files (x86)\CA\DSM\Bin\CAF.exe    SUCCESS        3028

Environment

Symantec Endpoint Protection (SEP) 14.0 RU1 (14.0.3752.1000)

CA IT Client Manager

Resolution

This issue is fixed in Symantec Endpoint Protection 14.2. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection