Vipre creating thousands of SBS_STDRL temp files

Over this past weekend, I started seeing a buildup of temp files in the C:\Windows\Temp directory. Temp files were named SBS_STDRL_*. My immediate and natural fear was of a virus/hack attack.

The only thing in common with all the systems in question was that they all were running MaxFocus (formerly GFI) Managed AntiVirus program (Vipre). As soon as I stopped MAV from running, the temp files stopped accumulating. Looking at the file dates, this all started on Thursday Jan-15-2015.

I contacted MaxFocus Sunday evening and submitted a support ticket. By then I had systems with as few as a hundred files, up to systems with over 100,000 temp files created. Fortunately, the size of these files was only 1K.

For the most part, this issue did not cause a lot of problems. However, I did have several customer servers that were negatively impacted by this issue. They started calling Monday morning reporting poor performance.

On Monday Jan-19-2015 Threat Track Security (formerly Vipre) released a Notice on temp file issue in their forum acknowledging the issue, plus indicating that these files could be deleted.

We are currently investigating an issue where the SBS_STDRL files in C:\Windows\Temp are not being deleted automatically. These files are generated by Active Protection and through VIPRE scans. This may cause increased scan times depending on system specifications. You can delete these files by running command prompt as admin then entering the following command: del %windir%\temp\SBS_STDRL*

Later that day they posted a follow up indicating that the issue was caused by a bad definition file, and that it had been fixed with definition version 36798.

This issue has been fixed in definition version 36798. Please make sure you have updated your definitions to the latest version to stop this issue from happening. Please note, this will not delete the SBS_STDRL files that are already created, so the instructions in the first part of this should be followed if you wish to remove these files.

By Tuesday morning, all systems were running fine. I utilized a built-in script of MaxFocus RMM to schedule a cleanup of system temp files, which included checking the C:\Windows\Temp folder.
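For machines with very large file counts, the following is an added example (not the vendor's command and not the MaxFocus RMM script) that reports how many SBS_STDRL files exist, their total size and their date range, and optionally deletes them. The parameter names are hypothetical, and it assumes an elevated PowerShell 3.0 or later prompt.

```powershell
# Added example: report on, and optionally remove, SBS_STDRL* files.
# Assumptions: the pattern and folder come from the vendor notice quoted above;
# parameter names are illustrative; run from an elevated prompt.
param(
    [string]$TempDir = (Join-Path $env:windir 'Temp'),
    [string]$Pattern = 'SBS_STDRL*',
    [switch]$Delete   # without -Delete the script only reports
)

$count  = 0
$bytes  = [long]0
$failed = 0
$oldest = [datetime]::MaxValue
$newest = [datetime]::MinValue

# EnumerateFiles streams entries instead of building a full array first,
# which matters when the folder holds hundreds of thousands of files.
$dir = New-Object System.IO.DirectoryInfo($TempDir)
foreach ($f in $dir.EnumerateFiles($Pattern, [System.IO.SearchOption]::TopDirectoryOnly)) {
    $count++
    $bytes += $f.Length
    if ($f.LastWriteTime -lt $oldest) { $oldest = $f.LastWriteTime }
    if ($f.LastWriteTime -gt $newest) { $newest = $f.LastWriteTime }
    if ($Delete) {
        # A file can be locked while a scan is still running; count it and move on.
        try   { $f.Delete() }
        catch { $failed++ }
    }
}

# One summary object per run, suitable for logging from a scheduled task.
[pscustomobject]@{
    Directory = $TempDir
    Files     = $count
    SizeMB    = [math]::Round($bytes / 1MB, 1)
    Oldest    = if ($count) { $oldest } else { $null }
    Newest    = if ($count) { $newest } else { $null }
    Deleted   = if ($Delete) { $count - $failed } else { 0 }
    Failed    = $failed
}
```

A `Newest` timestamp later than the time the corrected definitions were installed means files are still being created on that machine, so check the definition version before deleting again.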

Comments

  1. Not only Vipre 🙂 Ad-Aware Pro Security actually uses two scanning engines, their own and the Vipre antivirus scanning engine. So if you have Ad-Aware please shut-down and wait for solution from Lavasoft 🙂

  2. I had nearly 2 million of these SBS temp files. Freaked out over where they came from, couldn’t delete them with cleaners, resorted to doing it 50-70,000 at a time….In the end I figured it has something to do with AdAware, even though it is up to date. I cleaned out the Temp folder, ran spybot, ran Malwarebytes…then I ran AdAware…BAM another 30,000 temp files…and counting.
    WTH???
    Going to uninstall AdAware and re-download it…
    grrrr
    Other than that….? ideas?
    Thanks
    Tony

  3. I was lucky! I only had 4000 of these files, and was able to delete them easily in Explorer. They’d been cluttering up my PC since January.

  4. My friend’s roommate had 140,000 of these files on his disk. He ended up buying a new computer, and I am inspecting the drive now mounted under Linux. What BS. He installed Ad-Aware to protect his computer, instead, it made it unusable. I’m going to see if he’s willing to let me wipe the damned machine, and install KUbuntu on it.

    His disk is about 400 GB, these files take up over 150 GB of that space.

  5. Rich, unless you had a different situation, the situation that my post addresses was files created specifically by a bad A/V definition file from Vipre. The computers themselves were never compromised. Once a corrected definition file was pushed out, and the identified files were deleted, systems were fine.

  6. Well here it is in later 2016 and still happening, some programmers are just idiots that keep doing this!
