
Endpoint Clients Report Risks That Don't Exist

Created: 10 Oct 2013 | 6 comments

I am running Symantec Endpoint Protection Manager 12.1.3 on a Windows 2008 server.  Clients are the same version installed on Windows 7.  What I am seeing is notifications that the server is sending out showing risks found on computers.  These risks are shown to be in locations that don't exist, for users that have never accessed that machine and sometimes even computer names that don't exist.  I am seeing this about once a month.

This is on a fresh install of SEPM on a newly built server with no other apps running on it.  The clients that are connected to it are up to date and reporting correctly in the SEPM and when I look at the computer status in the Monitors it will show up as not infected.

I am curious why the Protection Manager is generating these reports.


.Brian:

Are the locations "temp" locations? Or possibly located on a USB drive?

Do the risks have a name or just something generic like "Unknown"?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

bu.admin:

Sometimes the location listed will be on a different drive letter.  The most recent was listed as being in D:\Windows\System32 with no D drive on that computer.  More commonly it will list it as in C:\Users\username\ where username doesn't exist on that computer.  The risk the last few times has been ZeroAccess but I have seen Unknown on a few in the past.

.Brian:

Can you try running the ZeroAccess removal tool on one?

http://www.symantec.com/security_response/writeup....

Could the D be a USB?


bu.admin:

In this case the D drive was not a USB.  I am getting that workstation scanned with the removal tool right now; however, I did run scans using Endpoint earlier.  I made sure all definitions were up to date beforehand and it found nothing.

TORB:

Hi

You are most likely having a problem with duplicate HW IDs. Most likely all computers are imaged from the same image and therefore have the same HW key in SEP. This means that clients can report wrongly.

Machine A can report as Machine B, etc.  That's why you see folders that don't exist.

This article explains how to solve it.

http://www.symantec.com/business/support/index?pag...
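One way to check TORB's diagnosis from the SEPM side, as an added example that is not code from the thread or from Symantec: it assumes a client inventory and a risk log exported as CSV with the column names shown (both constructed here), groups clients by hardware ID, and flags risk events whose reporting client shares its ID with a clone.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample inventory (not a real SEPM export): WS-001 and WS-002
# were deployed from the same image and so carry the same hardware ID.
CLIENTS_CSV = """computer,hardware_id
WS-001,3F2A9C0D1E4B5A6C
WS-002,3F2A9C0D1E4B5A6C
WS-003,9B8D7E6F5A4C3B2A
"""

# Constructed sample risk log: computer name SEPM reported and detected path.
RISKS_CSV = """computer,risk,path
WS-001,ZeroAccess,D:\\Windows\\System32\\drivers\\bad.sys
WS-003,Unknown,C:\\Users\\jdoe\\AppData\\Local\\Temp\\bad.exe
"""

def load(csv_text):
    """Parse a CSV string into a list of row dicts."""
    return list(csv.DictReader(StringIO(csv_text)))

def duplicate_hardware_ids(clients):
    """Map each hardware ID that several clients share to those clients."""
    by_hwid = defaultdict(list)
    for row in clients:
        by_hwid[row["hardware_id"]].append(row["computer"])
    return {h: names for h, names in by_hwid.items() if len(names) > 1}

def ambiguous_risk_events(risks, clients):
    """Flag risk events reported under a hardware ID shared by several clients.

    As TORB's post describes, such an event may belong to any of the clones,
    so the reported computer name and the path on it cannot be trusted."""
    dupes = duplicate_hardware_ids(clients)
    hwid_of = {row["computer"]: row["hardware_id"] for row in clients}
    flagged = []
    for event in risks:
        hwid = hwid_of.get(event["computer"])
        if hwid in dupes:
            flagged.append({**event, "possible_sources": dupes[hwid]})
    return flagged

if __name__ == "__main__":
    clients, risks = load(CLIENTS_CSV), load(RISKS_CSV)
    for hwid, names in duplicate_hardware_ids(clients).items():
        print(f"hardware ID {hwid} shared by: {', '.join(names)}")
    for e in ambiguous_risk_events(risks, clients):
        print(f"{e['risk']} at {e['path']} reported by {e['computer']} "
              f"may really be on any of {e['possible_sources']}")
```

Clients that show up in the shared-ID list are the ones to regenerate a hardware ID for, per the Symantec article linked above.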

Mick2009:

Hi bu.admin,

In this post you mentioned ZeroAccess.  The ZeroAccess botnet is one of the largest known botnets in existence today with a population upwards of 1.9 million computers, on any given day, as observed by Symantec in August 2013.  You may be interested in this new white paper from Security Response; it gives a detailed look into ZeroAccess and Symantec's sinkholing of roughly half of the entire botnet.  ZeroAccess Indepth:

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeroaccess_indepth.pdf

Highlights in this blog post: https://www-secure.symantec.com/connect/blogs/grappling-zeroaccess-botnet

Many thanks!

Mick
