0 Votes
Saad-6877 asked BenjaminLee-2282 answered

Malware Detection inside SharePoint server Temp search location

Hi All,
After running a full crawl on my SharePoint 2013 Farm, I have started getting Malware alerts reported under this folder (G:\Program Files\Microsoft Office Servers\15.0\Data\Office Server\Applications\gthrsvc).

I need to delete the files under the above folder (in multiple SharePoint Application servers). My questions:

  • Would there be any implications of deleting those files?

  • Is there any way to trace back the original files of those temp files in the above path?

Thank you

Saad



office-sharepoint-server-search-itpro

0 Votes
AllenXu-MSFT answered Saad-6877 commented

Hi @Saad-6877,

The gthrsvc folder is used to store the gatherer temp files. The gatherer is a component of the Search service that manages the content crawling process and has rules that determine what content is crawled. While the SharePoint Gatherer is processing files (Office documents, PDFs, etc), it will store them temporarily on local disk.

For your questions, deleting the files under that folder may have no impact, and you cannot trace back those files after deletion. However, the infected file will be crawled to this folder again if it is still included in the SharePoint search content source when you perform a crawl next time. You need to delete the infected file in SharePoint to solve this issue fundamentally.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


Hi AllenXu-MSFT,
Thank you for your answer.
Just to finish with my second question: is there a way to link the temporary files under the (gthrsvc) folder to the infected files in SharePoint? The Virus/Malware detected alert messages I'm getting include only information about the temporary file path (example below); they do not tell me where the infected files are or what their names are, so that I can go and delete them as you have suggested in your answer above.

ex:
File: G:\Program Files\Microsoft Office Servers\15.0\Data\Office Server\Applications\gthrsvc\flt9884_9964

Once again thank you for your help.

Saad


@Saad-6877,

I'm afraid it's impossible to make a connection between those temporary files and the infected files in SharePoint. You won't find that specific filename in the Crawl Log or Search Result as it is randomized by the gatherer. Those files will appear in the process of crawling and generally they will be automatically deleted when a crawl is completed. One solution to find infected files is to narrow the scope of crawl for investigation.


@AllenXu-MSFT
Thank you for your help...

2 Votes
trevorseward answered Saad-6877 commented

Note that your antivirus should be excluding that as a scan location due to potential locking issues interfering with the Search service.

https://support.microsoft.com/en-us/office/certain-folders-may-have-to-be-excluded-from-antivirus-scanning-when-you-use-file-level-antivirus-software-in-sharepoint-01cbc532-a24e-4bba-8d67-0b1ed733a3d9

This could be a false positive, but you'd need to have a SharePoint-integrated anti-virus scanner to identify the file.


Thank you for your reply and I agree with your suggestion in this case to exclude certain folders in SP from AV scanning.

1 Vote
BenjaminLee-2282 answered

Hi @Saad-6877 I've recently faced the same problem and successfully managed to pinpoint the malware file in the SharePoint database.

I strongly recommend that you test the actions on a staging/UAT environment first, before testing on a Live environment.

Also, please engage your SharePoint admin / database team / Incident Response team beforehand to assess the potential impact as well.


How I did it was:

1) Correlate the AV detection to the IIS logs. It should be +- a few seconds difference at most.

Filter for the user agent "MS+Search+6.0+Robot", or the configured user agent for your SharePoint crawler.


2) Once you've managed to pinpoint the suspicious filename(s) you can search for the files in the SharePoint database using MSSQL Server Management Studio, under the AllDocs or Docs table. You should be able to find the file(s) location under the DirName column, then you can manually delete it.

The AllDocs/Docs table shows the metadata and location of files. You may run into instances where the DirName is blank, so you'll need step 3.


3) If you can find the specific malware filename in the AllDocs/Docs table, search for that Id in the DocStreams table, under the DocId column.

It seems that the AllDocs/Docs Id can be correlated to the DocStreams table's DocId column.

Delete the row where the malicious file is.


Again, I strongly recommend that you test the actions on a staging/UAT environment first, before testing on a Live environment.

Also, please engage your SharePoint admin / database team / Incident Response team beforehand to assess the potential impact as well.
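Step 1 above (matching the AV alert time against IIS requests from the crawler user agent) as an added example; this is not code from the thread. It parses W3C-format IIS log lines, keeps only requests whose user agent contains the crawler marker, and returns the URIs fetched within a window around the detection time. The log lines and the alert timestamp are constructed, and the field list follows the standard W3C extended log header.

```python
from datetime import datetime, timedelta

# Constructed sample IIS log: three crawler fetches and one ordinary user request.
# IIS writes spaces in the user agent as '+', which keeps every record space-delimited.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-10 09:15:02 10.0.0.5 GET /sites/finance/Shared+Documents/report-q1.docx - 80 CONTOSO\\spsearch 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;+MS+Search+6.0+Robot) 200
2021-03-10 09:15:04 10.0.0.5 GET /sites/finance/Shared+Documents/invoice.pdf - 80 CONTOSO\\spsearch 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;+MS+Search+6.0+Robot) 200
2021-03-10 09:15:05 10.0.0.5 GET /sites/finance/Shared+Documents/budget.xlsx - 80 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-10 09:16:30 10.0.0.5 GET /sites/hr/Policies/handbook.docx - 80 CONTOSO\\spsearch 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;+MS+Search+6.0+Robot) 200
"""

# Default SharePoint crawler user agent fragment, as quoted in the answer above.
CRAWLER_UA_MARKER = "MS+Search+6.0+Robot"


def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header can change mid-file; track the latest
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated or malformed records
                yield dict(zip(fields, values))


def crawler_requests_near(log_text, detection_time, window_seconds=5,
                          ua_marker=CRAWLER_UA_MARKER):
    """Return [(timestamp, uri), ...] for crawler fetches within +/- window of the alert.

    detection_time is 'YYYY-MM-DD HH:MM:SS'. IIS logs timestamps in UTC by default,
    so convert the AV alert time to UTC before calling this.
    """
    alert = datetime.strptime(detection_time, "%Y-%m-%d %H:%M:%S")
    window = timedelta(seconds=window_seconds)
    hits = []
    for rec in parse_iis_log(log_text):
        if ua_marker not in rec.get("cs(User-Agent)", ""):
            continue                           # not the search crawler; ignore
        stamp = f"{rec['date']} {rec['time']}"
        if abs(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S") - alert) <= window:
            hits.append((stamp, rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for stamp, uri in crawler_requests_near(SAMPLE_IIS_LOG, "2021-03-10 09:15:04"):
        print(stamp, uri)
```

Each returned URI is a candidate source document for the gatherer temp file flagged at that time; with several crawler fetches in the window, step 2 above is still needed to narrow it down.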
