Endpoint Protection

  • 1.  Endpoint 12.1 Insight reporting ****.tmp.exe in appdata/temp

    Posted Oct 23, 2013 01:47 PM

    We have a couple of client machines regularly popping up reporting ****.tmp.exe in %username%/appdata/temp. We removed the file, cleared the temp folder and have scanned the machine for malware with all sorts, but it still pops up regularly.

    We are overly cautious at the minute with Cryptolocker in the wild. 

    Can anyone shed any light on what's going on?

    Thanks.

    Jim



  • 2.  RE: Endpoint 12.1 Insight reporting ****.tmp.exe in appdata/temp

    Posted Oct 23, 2013 01:52 PM

    Are you using the ADC component? If so, you can try the advice here:

    https://www-secure.symantec.com/connect/forums/cryptolocker-and-adc-policies

    Did you submit the file?

    http://www.symantec.com/security_response/submitsamples.jsp

    I would also suggest you submit to VirusTotal, Anubis, and ThreatExpert (owned by Symantec) for analysis:

    https://www.virustotal.com/

    http://www.threatexpert.com/

    http://anubis.iseclab.org/

    Did a scan reveal anything?



  • 3.  RE: Endpoint 12.1 Insight reporting ****.tmp.exe in appdata/temp

    Posted Oct 23, 2013 01:55 PM

    Is it showing up in the SEPM report or during the scan by SEP client?



  • 4.  RE: Endpoint 12.1 Insight reporting ****.tmp.exe in appdata/temp

    Posted Oct 23, 2013 01:59 PM

    Thanks for the quick reply both. We are not using the ADC component. I could try using it but will need to roll it out steadily or just apply it to those 2 clients for now.

     

    I haven't submitted the file, I will do that next time it appears.

    A scan with Symantec hasn't picked anything up but Malwarebytes found a trojan in Appdata/Local/Adobe earlier. Cleared that out and it hasn't reappeared in scans with MB and Hitman.

    It's the Insight component finding it, which suggests it's being downloaded, but no browsers etc. are open.



  • 5.  RE: Endpoint 12.1 Insight reporting ****.tmp.exe in appdata/temp

    Posted Oct 23, 2013 02:07 PM

    File now submitted.



  • 6.  RE: Endpoint 12.1 Insight reporting ****.tmp.exe in appdata/temp

    Posted Oct 23, 2013 02:08 PM

    It can also come into play during user/admin defined scans as well, not just with downloads. See here:

    http://www.symantec.com/docs/TECH169282



  • 7.  RE: Endpoint 12.1 Insight reporting ****.tmp.exe in appdata/temp

    Posted Oct 23, 2013 02:18 PM

    I would say it's an active scan then, as I've been watching the folder and it flags it almost as soon as it appears in the temp folder.



  • 8.  RE: Endpoint 12.1 Insight reporting ****.tmp.exe in appdata/temp
    Best Answer

    Posted Oct 24, 2013 11:52 AM

    Just an update. I spoke with Symantec and it turns out we had a variant of the Cylex?? Cylar?? virus that wasn't in the defs until midnight last night. Fortunately I came in today, updated all clients and it picked it up and, touch wood, all fine since.

    Thanks for your help.