Endpoint Protection

  • 1.  Endpoint Clients Report Risks That Don't Exist

    Posted Oct 10, 2013 02:24 PM

    I am running Symantec Endpoint Protection Manager 12.1.3 on a Windows 2008 server.  Clients are the same version installed on Windows 7.  What I am seeing is notifications that the server is sending out showing risks found on computers.  These risks are shown to be in locations that don't exist, for users that have never accessed that machine and sometimes even computer names that don't exist.  I am seeing this about once a month.


    This is on a fresh install of SEPM on a newly built server with no other apps running on it.  The clients that are connected to it are up to date and reporting correctly in the SEPM and when I look at the computer status in the Monitors it will show up as not infected.


    I am curious why the Protection Manager is generating these reports.



  • 2.  RE: Endpoint Clients Report Risks That Don't Exist

    Posted Oct 10, 2013 02:34 PM

    Are the locations "temp" locations? Or possibly located on a USB drive?

    Do the risks have a name or just something generic like "Unknown"?



  • 3.  RE: Endpoint Clients Report Risks That Don't Exist

    Posted Oct 10, 2013 02:40 PM

    Sometimes the location listed will be on a different drive letter.  The most recent was listed as being in D:\Windows\System32 with no D drive on that computer.  More commonly it will list it as in C:\Users\username\ where username doesn't exist on that computer.  The risk the last few times has been ZeroAccess but I have seen unknown on a few in the past.



  • 4.  RE: Endpoint Clients Report Risks That Don't Exist

    Posted Oct 10, 2013 03:09 PM

    Can you try running the zeroaccess removal tool on one?

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-121607-4952-99

    Could the D be a USB?



  • 5.  RE: Endpoint Clients Report Risks That Don't Exist

    Posted Oct 10, 2013 04:34 PM

    In this case the D drive was not a USB.  I am getting that workstation scanned with the removal tool right now; however, I did run scans using Endpoint earlier.  I made sure all definitions were up to date beforehand and it found nothing.



  • 6.  RE: Endpoint Clients Report Risks That Don't Exist

    Posted Oct 11, 2013 04:41 AM

    Hi

    You are most likely having a problem with duplicate HW IDs. Most likely all computers are imaged from the same image and therefore have the same HW key in SEP. This means that clients can report incorrectly.

    Machine A can report as Machine B, etc.  That's why you see folders that don't exist.


    This article explains how to solve it.

    http://www.symantec.com/business/support/index?page=content&id=TECH163349


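One way to check the duplicate-hardware-key explanation above against the notifications themselves, as an added example that is not from the thread or from Symantec: it flags risk events whose path names a drive or user profile the reporting computer does not actually have, and tags each one with whether that computer shares a hardware key with another client in an exported client list. The CSV column names, the inventory format and every value are constructed assumptions, not real SEPM output.

```python
import csv
from collections import defaultdict

# Constructed SEPM-style client export (names and hardware keys are invented).
CLIENTS_CSV = """computer_name,hardware_key
WS-ALICE,0F3A9C1B7E2D4A6C8B0E1F2A3B4C5D6E
WS-BOB,0F3A9C1B7E2D4A6C8B0E1F2A3B4C5D6E
WS-CAROL,9D8C7B6A5F4E3D2C1B0A9F8E7D6C5B4A
"""
# Constructed inventory: drives and user profiles that really exist per machine.
INVENTORY = {
    "WS-ALICE": {"drives": {"C"}, "users": {"alice"}},
    "WS-BOB": {"drives": {"C", "D"}, "users": {"bob"}},
    "WS-CAROL": {"drives": {"C"}, "users": {"carol"}},
}
# Constructed risk notifications: (reporting computer, path where the risk was "found").
RISK_EVENTS = [
    ("WS-ALICE", r"D:\Windows\System32\svchost.exe"),
    ("WS-ALICE", r"C:\Users\bob\AppData\Local\tmp.exe"),
    ("WS-CAROL", r"C:\Users\carol\Downloads\setup.exe"),
]

def duplicate_hardware_keys(csv_text):
    """Hardware keys shared by two or more clients -> set of computer names."""
    by_key = defaultdict(set)
    for row in csv.DictReader(csv_text.strip().splitlines()):
        by_key[row["hardware_key"].strip().upper()].add(row["computer_name"])
    return {k: n for k, n in by_key.items() if len(n) > 1}

def triage(events, inventory, csv_text):
    """Events whose path names a drive or user profile the reporting machine
    lacks, tagged with whether that machine shares a hardware key with another."""
    shared = {n for names in duplicate_hardware_keys(csv_text).values() for n in names}
    flagged = []
    for computer, path in events:
        inv = inventory.get(computer)
        if inv is None:  # the thread also saw names that exist on no machine
            flagged.append((computer, path, ["computer not in inventory"], False))
            continue
        parts = path.split("\\")
        drive = parts[0].rstrip(":").upper()
        user = parts[2] if len(parts) > 2 and parts[1].lower() == "users" else None
        reasons = []
        if drive not in inv["drives"]:
            reasons.append(f"no {drive}: drive")
        if user and user.lower() not in inv["users"]:
            reasons.append(f"no profile for {user}")
        if reasons:
            flagged.append((computer, path, reasons, computer in shared))
    return flagged
```

An event flagged as implausible on a machine that also shares its hardware key is the pattern to expect if two imaged clients are being recorded as one; a flagged event on a machine with a unique key deserves a real look instead.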


  • 7.  RE: Endpoint Clients Report Risks That Don't Exist

    Posted Oct 11, 2013 12:41 PM

    Hi bu.admin,

    In this post you mentioned ZeroAccess.  The ZeroAccess botnet is one of the largest known botnets in existence today, with a population upwards of 1.9 million computers on any given day, as observed by Symantec in August 2013.  You may be interested in this new white paper from Security Response; it gives a detailed look into ZeroAccess and Symantec's sinkholing of roughly half of the entire botnet: ZeroAccess Indepth

    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeroaccess_indepth.pdf


    Highlights in this blog post: https://www-secure.symantec.com/connect/blogs/grappling-zeroaccess-botnet

    Many thanks!

    Mick