Endpoint Protection

I would like to add autorun.inf to the exclusion list fro SEP, I have but it still seems to be picking it up. I am not even certain why Autorun.inf is even picked up, I've never seen an autorun.inf cause and malicious issues.

How can I add it to the exclusions and make sure it is no longer picked up as a threat?

Do you really want to do that?

Autorun.inf is a major player in the spread of viruses from one system to another.

And autorun.inf shouldn't be picked up as it is not inherently malicious.

The detection is likely due from a piece of malware. What's the detection name?

Is it this?

SecurityRisk.OrphanInf

http://www.symantec.com/security_response/writeup.jsp?docid=2011-040403-3248-99

BackOffice.Trojan

Where's the autorun.inf file coming in to play than?

If you use application and device control, one of the default policies is to block autorun.inf

We're not outta the woods yet with these forums and IE 11, I cannot copy and paste on these boards in IE 11

DefWatch    Suspicious.MH690     01/20/2014 13:03:12     01/20/2014 13:03:12    
C:\PROGRAMDATA\SYMANTEC\DEFWATCH.DWH\DWHF39A.exe
 

and I went to the machine with this directory, and this durectoy and file are NOWHERE to be found.

It is legit up to this part of the directory

C:\PROGRAMDATA\SYMANTEC

The drive letter is "E" so I am under the impression that it is a DVD or a USB

Hmm, wondering if you have the dwhxxx issue:

When new virus definitions are in place and the quarantine is being scanned, a DWH file is created and detected by Auto-Protect

http://www.symantec.com/docs/TECH102953

Essentially, it's a false positive and a bug in the product

A bug? No way. :-)

Been around since 11.x days. But judging by what the file being scanned is, that's look like the case

Symantec Endpoint Protection 12.1
DEL /F /Q "C:\ProgramData\Symantec\Symantec Endpoint Protection\silo

I see NO directory that has "silo"

silo means version number..so whatever version you're on just use that number. 12.1.4 would 12.1.4013.4013

How in the worlds does Silo translate to that?

That folder is empty anyway.

Maybe because it "holds" the relevant product files :)

Amusing...

Shouldn't be as it contain the install

Found this great reference which should give you a better idea of the intended behavior:

Why Symantec Endpoint Protection does not remove AT, INF, INI, and registry keys related to infections

http://www.symantec.com/docs/TECH158359

Still bugging you?