Defender and Temp file in C:\Windows\Temp

Alan D

Could someone tell me, please, if Defender generates a temp file from time
to time, in C:\Windows\Temp - with a name that takes this kind of form? -
TMP00000024E8962F1A6A88E610 ?

The reason I ask is because the new version of Superantispyware flagged up
just such a file this morning (as Adware.Spyware Labs). I quarantined it
(being a temp file, it seemed sensible to do that), but I noticed that on
next computer restart a file with a similar (but different) name appeared -
just for a short time - in the same place - but Superantispyware found this
new one to be no threat. After a few restarts, I noticed that the appearance
of the file seems to happen at about the time that Defender puts up its
regular notification of registry change. Then the temp file disappears after
a bit.

So I'm starting to wonder if the original alert was a false positive by SAS,
particularly since none of these subsequent files have generated an alert.
But I need to know if Defender really is producing these 'temporary' temp
files in order to decide whether I need to investigate further - can someone
tell me, please?

I should say that scans by AVG, a-squared, and Superantispyware (subsequent
to that first scan) are all coming up clean.
Thanks,
Alan D
 
Bill Sanderson

I'm not sure what creates those files--I had not connected them to Defender,
but I do see them on a good many machines, and I believe they are a normal
part of Windows, and if there was a malicious string in them, it was
probably an accident of some sort--false positive sounds right to me.
 
Stu

Further to Bill's post. I see lots of those in Ccleaner when I have a system
clean up every now and then but have no idea what they mean, nor have I had a
problem with them. I only take an interest in anything that may reference a
specific file location and (as Bill has already said in previous post), has a
dubious file name/extension. Do you/have you used Ccleaner to clean out your
Temp Folder and rerun the scan? Don't be surprised if it is not empty after a
run in normal mode because those temp files currently in use by an
application will not be accessed and therefore deleted.

Stu
 
Alan D

Thanks for this, Bill - that's really helpful to know. I'd never noticed the
frequent appearance and disappearance of these files before, myself, so it's
good to know their existence is 'normal', so to speak. I'll keep an eye on
things, but I'm increasingly inclined to believe that there's nothing
malicious there.

(For the sake of anyone else reading this later, with a similar query, I
should add that these temp files are always 512K, and that whatever actually
does produce them - whether it's Defender, or not - always seems to tidy up
very neatly after itself by removing them after use. Also, while they're
there, they resist being deleted because they're flagged up as being 'in use
by another program'.)

Cheers,
Alan D
 
Alan D

Thanks for this, Stu.

I do use Ccleaner quite often to clear out temporary files, and indeed as
you point out, at the moment these 512K files don't queue up for deletion
because they're 'in use'. It seems they just get tidied away by whatever app
is using them, later.

There's really nothing to test by rerunning scans after a Ccleaner
clear-out, because all my scans are coming up clear now, anyway. In
particular, SAS is now completely uninterested in those temp files. I'm
actually wondering if this had something to do with the new installation of
the new version of SAS not having quite 'bedded itself in' after just one
reboot - though that may be complete nonsense of course!
Cheers,
Alan D
 
Stu

Not necessarily so - rubbish that is. I think a little (I want to say
'paranoia') doesn't do anyone any harm - provided it doesn't start to consume
your life. Having said that, the Wikipedia definition doesn't look too
encouraging for me. Shall we just settle for CAUTION? ;)

Stu
 
Alan D

Good choice Stu: 'Caution' sounds right to me. After all, an alert from SAS
about a file that mysteriously appears and then disappears in the 'Temp'
folder, which won't let itself be deleted, and whose existence you haven't
actually had cause to notice before, does warrant more than a shrug of the
shoulders, I think - even for the non-paranoid.
Cheers,
Alan D
 
Bill Sanderson

My impression is that they should go away (and be replaced by others!) on
reboots. Sometimes they get left lying around, presumably because of a
crash, and then they can be deleted.

If the date on the file predates the last boot, I think they can be
deleted--at least that's what I recall going by as I clean systems up
occasionally.
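
Added example, not part of the original thread or written by any poster: a report-only PowerShell triage of the files discussed above, applying the "predates the last boot" rule of thumb together with the "in use by another program" observation. The name pattern (TMP followed by hex digits) is an assumption inferred from the single file name quoted in the thread, "date on the file" is taken to mean last write time, and the script is assumed to run from an elevated prompt so that C:\Windows\Temp is readable.

```powershell
# Report-only: nothing is deleted or modified.
$tempDir  = 'C:\Windows\Temp'
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

function Test-FileInUse {
    param([string]$Path)
    try {
        # An exclusive open fails with a sharing violation while another
        # process still holds a handle to the file.
        $fs = [System.IO.File]::Open($Path,
                  [System.IO.FileMode]::Open,
                  [System.IO.FileAccess]::Read,
                  [System.IO.FileShare]::None)
        $fs.Close()
        return 'No'
    } catch [System.UnauthorizedAccessException] {
        return 'AccessDenied'
    } catch [System.IO.IOException] {
        return 'Yes'
    }
}

Get-ChildItem -LiteralPath $tempDir -File -ErrorAction SilentlyContinue |
    # Assumed pattern: TMP + hex digits, no extension (from the thread's example).
    Where-Object { $_.Name -match '^TMP[0-9A-F]+$' } |
    ForEach-Object {
        $inUse        = Test-FileInUse -Path $_.FullName
        $predatesBoot = $_.LastWriteTime -lt $lastBoot
        # Hash only files that can be opened, so a leftover can be checked
        # with a second scanner before it is cleaned up.
        $hash = if ($inUse -eq 'No') {
            (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        } else { $null }

        [pscustomobject]@{
            Name         = $_.Name
            SizeKB       = [math]::Round($_.Length / 1KB)
            LastWrite    = $_.LastWriteTime
            PredatesBoot = $predatesBoot
            InUse        = $inUse
            Status       = if ($predatesBoot -and $inUse -eq 'No') { 'Stale leftover' }
                           else { 'Current session' }
            SHA256       = $hash
        }
    } |
    Format-List
```

Files reported as "Stale leftover" match the description of leftovers from before the last boot; files still in use are listed but not hashed.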
 
