Our IDS detected that one of our pc's had the Angler Exploit. We've run numerous tools to scan and remediate, and everything appears to be clean.
However, while running Symantec Help (SymHelp) we continue to get an alert telling us to investigate a file called ContentTree.bat.
What we see is this: The file is not present until we launch SymHelp, and as soon as we close SymHelp the file disappears.
I don't know if pasting the contents of the file is allowed, but will do so below. We sent the file to Symantec as a potential false positive. The response was somewhat vague, but indicated 'the information you have provided is not related to a symantec product detection or false positive detection.'
Can anyone provide insight as to whether this file is malicious or, as we are beginning to believe, related to a process spun by SymHelp?
Contents of file:
SETLOCAL EnableExtensions
SET KEY_NAME="HKLM\SOFTWARE\Wow6432Node\Symantec\Symantec Endpoint Protection\SEPM"
SET KEY_NAME_NATIVE="HKLM\SOFTWARE\Symantec\Symantec Endpoint Protection\SEPM"
SET VALUE_NAME=TargetDir
SET CONTENT_FOLDERTREE_LOG=%1
FOR /F "usebackq tokens=3*" %%A IN (`REG QUERY %KEY_NAME% /v %VALUE_NAME% ^| find ":\"`) DO SET SEPMPATH=%%A %%B
IF NOT DEFINED SEPMPATH (
FOR /F "usebackq tokens=3*" %%A IN (`REG QUERY %KEY_NAME_NATIVE% /v %VALUE_NAME% ^| find ":\"`) DO SET SEPMPATH=%%A %%B
)
echo LU Contents folder and file structure - Full and Delta > %CONTENT_FOLDERTREE_LOG%
echo. >> %CONTENT_FOLDERTREE_LOG%
tree /f /a "%SEPMPATH%\Inetpub\content" >> %CONTENT_FOLDERTREE_LOG%
echo. >> %CONTENT_FOLDERTREE_LOG%
echo LU Contents directory structure >> %CONTENT_FOLDERTREE_LOG%
echo. >> %CONTENT_FOLDERTREE_LOG%
dir /s /ON /a "%SEPMPATH%\Inetpub\content" >> %CONTENT_FOLDERTREE_LOG%