Hi,
I have Symantec Endpoint Protection 12.1.671.4971 on a Windows7 computer.
After connecting a new external USB drive, SEP created this file:
System Volume Information\EfaData\SYMEFA.DB.
It can't be removed, and Symantec says such is _by design_ of Symantec.
Same problem, if I temporary disable SEP.
Do I really need to shut down the PC, just to safely remove the external USB drive?? (If such is needed, then of course, I would need alternative anti virus software.)
After I connected this USB drive (which otherwise is functioning properly), the appearing 'Safely remove' button on the system tray doesn't work at all. Left click, right click, double click: none of these has _any_ effect.
If I do "rundll32.exe shell32.dll,Control_RunDLL hotplug.dll" and want to stop the device, it says: 'The ... device is not removable and cannot be ejected or unplugged'.
Unlocker 1.9.1. says both the SYMEFA.DB-file and drive have no locking handles (if I run it from a command prompt).
If I use the utility 'USB_Disk_Eject', it says: 'The disk could not be ejected. Close any programs that might be using the disk and try again'.
I _have_ no programs open which could use the drive; apart from Symantec.
I have disabled shadow copies and system restore points, have no encyption and no 'ready boost', which could use 'System Volume Information' also; but the only file in there is the Symantec file anyway.
The Windows system log has entries like:
"The application System with process id 4 stopped the removal or ejection for the device USB\(code)&(code)\(code)."
If I have tamper protection on, there are entries in the Windows application log that Symantec blocked acces to unlocker or eraser (utility from heidi computers Ltd).
Any help? Of course I could shut down the PC now and disconnect the drive (although normally I have turned on the PC 24h/day), but probably the problem with the Symantec file will stay after restart.