
Virus/spyware was not removed because of errors (0xa0250026)

Hi

We have an issue at the moment that some machines on our network are reporting the following message

Virus/spyware was not removed because of errors (0xa0250026)

The suspected virus is in a location that is on the exclusion list, so I'm not sure why it scanned it in the first place, maybe the policy wasn't applied in time?

Anyway the file in question is no longer there, I assume due to it being a .tmp file, but every time the machine boots up it reports it to the SEC error list with the error message. Having checked the quarantine.xml file in c:\ProgramData\Sophos\Sophos Anti-Virus\Config, the file is listed in there having a time stamp of being detected back in August. I tried replacing the quarantine.xml file with an empty one but when the machine started up again it recreated the original file with the alert.

Is there any way to clear these messages out so they don't keep reporting?

Thanks



  • Hello MM13,

    I've seen something similar. Seems that some information is incorrectly kept when cleanup fails. While it is (also) recorded in quarantine.xml it seems that savservice.exe holds this information and it uses the file C.C in the \config\ folder for persistence. I assume you observe that the message is issued upon the first start of the service after boot. It should also reappear when you delete the quarantine.xml and restart the service.

    Can't say if it is safe to delete C.C and quarantine.xml (when the service is stopped) but as the message disappears without side-effects when you reinstall SAV I assume it is. BTW - are there items with a timestamp corresponding to the first detection under \Safestore\ ?

    Christian

  • Hi Christian

    Thanks for your reply.

    You are correct about it appearing after first boot but I'm unsure how to check the CC or Safestore to see if it's mentioned in there, as they seem to be full of strange characters when I open in notepad? Can you advise how I can check?

    I suppose the other issue then is if I can clear the messages by deleting the above files, how can I stop the file being detected in the first place as it's already in the exclusions list so shouldn't be being scanned anyway?

    Thanks

  • Hello MM13,

    you can't check what's in C_C, I just assume the information that causes the failed message is still in there.
    As to Safestore: This has been introduced years ago, I've seen it with SVRT. It's an encrypted (and thus Safe) storage of threats, safely kept for potential future submission. It looks like it might be used with the cloud products.
    I assume that after deleting C_C and the quarantine.xml the error message will no longer appear.

    how can I stop the file being detected
    are there still new detections or is there just the cleanup error? Was the exclusion already in place when it was first detected? Could you perhaps give the details - name of the detection and why you (now) exclude it? As it's allegedly Virus/Spyware an exclusion is not the best way to deal with it.

    Christian 

  • Hi Christian

    I will try a delete of the 2 files you mention on one machine and see if this solves the problem.

    As for the file that is being detected it's Cisco Amp, we know it's safe hence why it's excluded. The file that is detected is a .tmp file located in its \clamtmp folder, once it's detected it shows one of the following two errors :-

    Virus/spyware 'Mal/EncPk-NS' was not removed because of errors

    Virus/spyware 'Mal/Medfos-k' was not removed because of errors

    Some of them are repeated cleanup errors but there are definitely new ones also being detected daily, however, it only applies to one version of the product. However, I believe it's because it's scanning the location before the policies are applied to exclude it when we build a new machine. Is there any way to include the excludes in an initial install or can you think of a reason why the policies are taking too long to apply?

    Thanks

  • Hello MM13,

    \clamtmp
    you've also ClamWin on the machines?

    Cisco Amp [...] we know its safe
    it might well be and then this is a false positive. Please submit a sample so that the detection can be amended as necessary. Though - Cisco AMP is yet another AV, and one with real-time scanning. Dunno if the two go together well. Generally the "correct" response to FPs is a sample submission - exclusions should only be used as short-time workarounds. 

    Anyway ...
    include the excludes in an initial install
    this is possible by using XML configuration files.

    Christian

  • Hi Christian

    Unfortunately company policy has said we need to use both...out of my control :)

    I'll submit a sample soon but I'm interested in setting up exclusions as part of the install so we don't have to wait for the policy to apply. However, although I've read through the link you sent, I can't see how you would set exclusions in an .xml file. Have you ever tried this or is there a step by step guide anywhere?

    Thanks

  • Hello MM13,

    company policy always wins, and I guess "they" don't assume responsibility for "technical problems" (that definitely never result from the policies) ;)

    I've read through the link
    you did? Did you also follow the link under Related information that tells you how to implement the changes?

    In short:

    • Export an appropriate policy (if necessary define one)
    • Put the XML in the CID (while you can export a policy with any name you wish when put into the CID it must have the name as specified in the article)
    • Run ConfigCID

    Please note that when an already installed endpoint detects the change in the CID (i.e. that a policy XML has been added) it applies the XML. Thus you might want to create a CID especially for initial installation. OTOH an endpoint will ignore the XML file on subsequent updates as long as it doesn't change.

    Christian 

  • Hi Christian

    I think it was more to do with how you define an AV policy as I'm not sure how to add the exceptions to the default one (which I exported ok with the exportconfig.exe) :)

    Thanks

  • Hello MM13,

    normally you make all settings in the console, then export the whole policy and the endpoint also applies the whole policy. Otherwise the endpoints wouldn't comply with their group's policy.

    Christian

  • Hi Christian

    Thanks for your help. I've figured it out now and created a file with the exclusion in that I needed.

    Also deleting the CC & Quarantine files you mentioned looks to have fixed the machines that are hanging onto the error. Hopefully this will solve the issues we have been seeing

    Thanks again