C:\Windows\Temp\TMP??????????????? ????????? - what is it
Hello - we have several new Windows 7 machines and we're running Sophos v9.0.1 for antivirus. Periodically Sophos will throw a warning for SUS\UnkPack-C on a file called C:\Windows\Temp\TMP???????????????????????? with the question marks representing a seemingly random string of 24 characters. There seems to be no pattern in what triggers this and Sophos has been precisely zero help in answering any questions on it. They suggested setting Sophos to quarantine files, but we're also seeing Sophos flag legitimate Windows processes, and we're even seeing this with brand new builds, so I have no reason to believe it's actually a security issue. What I would like to know is if ANYONE knows what this file is?
December 2nd, 2009 9:32pm

Guess I'm not really clear why this was moved to a different forum because all I really want to know is what Windows 7 process leaves files with this name in the temp folder...
December 2nd, 2009 11:14pm

Oh, and when I say "random string of 24 characters," I should qualify that by saying that it looks like a GUID or something. For example: C:\Windows\TEMP\TMP0000002E27D3A3A88E075D32
December 2nd, 2009 11:16pm

Hi Todd

I don't have any ideas where these temp files are coming from.

Try opening one of the files in a text editor to see if there is anything in there about the application that may be creating them.

If you think the number may be a GUID, try using Edit/Find in the Registry Editor to search for that string.

You can also upload a copy of one of these files to a file sharing website such as Microsoft Windows Live SkyDrive. Place the file in the public folder and post the URL for the file in a reply so we can take a look at it.

Regards,
Thank You for using Windows 7
Ronnie Vernon MVP
December 3rd, 2009 6:43am

The problem is that they come and go very quickly. When Sophos pops up with one of these files, I go check the directory and it's no longer there. I doubt these are actually GUIDs, but they're like GUIDs. Sophos suggested setting the permissions on this directory so that the file couldn't get deleted, but I don't want to go mucking around with directory permissions in Windows 7.
December 3rd, 2009 6:35pm

Hi Todd,

We can use other methods to see which process keeps generating these files. To do so, you can use either of the following methods:

1. Set auditing on C:\Windows\Temp\ folder and then check the Security event log.
2. Use Process Monitor v2.8 to monitor the C:\Windows\Temp\ folder. It will log which process originally generates these files.

Microsoft Online Community Support
December 25th, 2009 3:13pm
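
Method 1 from the reply above, as an added example that is not part of the original thread: it turns on object-access auditing, adds an audit entry to C:\Windows\Temp, and later lists which process touched files named like the one Sophos reported. It assumes an elevated prompt on an English-language system, that the accesses are logged as Security event 4663, and that the names are always TMP followed by 24 hexadecimal characters, as in the sample filename posted earlier.

```powershell
# Added example; run from an elevated PowerShell prompt.
$folder = 'C:\Windows\Temp'

# Step 1: enable success auditing for file system object access.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Step 2: add an audit (SACL) entry so that file creation/writes by anyone
# in this folder, and in the files created under it, are logged.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 3: after the antivirus alert has fired again, read the Security log.
# Assumption: names look like TMP0000002E27D3A3A88E075D32 (TMP + 24 hex chars).
$pattern = '\\TMP[0-9A-F]{24}$'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named data fields into a lookup table.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['ObjectName'] -match $pattern) {
            New-Object PSObject -Property @{
                Time    = $_.TimeCreated
                File    = $data['ObjectName']
                Process = $data['ProcessName']
                User    = $data['SubjectUserName']
            }
        }
    } |
    Sort-Object Time |
    Format-Table Time, Process, User, File -AutoSize
```

Because the event is written at the moment of access, the Process column still identifies the creator even when the file has already been deleted by the time the folder is checked.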

I too have just started seeing this type of file being flagged by Sophos. I, however, am running Windows XP with Sophos 7.6.15. Sophos is flagging these files on a number of different clients' networks as 'Mal/VB-F'. Same behavior as Todd mentions, where the file is no longer in the directory, acting almost like a rootkit as Sophos explained. I have a suspicion that these are legit files as well, but don't want to 'Authorize' them if they aren't. Has anyone had any luck figuring out what these files are and why they randomly started getting flagged?
January 26th, 2010 7:38pm

This topic is archived. No further replies will be accepted.
