Endpoint Protection


Is this a FALSE alert?

  • 1.  Is this a FALSE alert?

    Posted Nov 04, 2009 08:36 AM
    Ladies and Gentlemen - two questions:
    First, I came in this AM and was greeted with a "new risk found" message, and it happened to be found on a management server (not a SEP/M server, but another sort of what WE call management server)
    Anyway, IS this real, or is it a FALSE ALERT on a legit remote support tool from HP?

    At least one security risk found:

    Risk name: Hacktool.HideWindow

    File path: C:\Program Files\Hewlett-Packard\ISEE\RemoteSupport\bin\HideItX.exe

    Event time: 2009-11-04 09:12:28 GMT

    Database insert time: 2009-11-04 09:13:23 GMT

    User: SYSTEM

    Computer: vrdsmmgmt5

    IP Address: xxx.xxx.199.98

    Domain: IVRS-SEP1

    Server: VRDSMSEP1

    Client Group: My Company\Servers

    Action taken on risk: Quarantined

    SECOND - why do I see these when I come in, from roughly 3:00-3:15am?
    What is happening here that causes things to be found at 3am??? I do NOT have scheduled scans running at night, esp not at 3am, they run at 6pm on a totally different night, but more often than not, when a NEW RISK is found/detected the time stamp will be just after 3am!
    Is that the witching hour or something??  I thought that started at midnight.......



  • 2.  RE: Is this a FALSE alert?

    Posted Nov 04, 2009 11:30 AM
    Here is the tracking number:
    [TRACKING]: Symantec Security Response Automation: Tracking #13509763

    in case anyone else on the planet (or others for that matter) is interested or sees the same thing I did.


  • 3.  RE: Is this a FALSE alert?

    Posted Nov 04, 2009 11:46 AM
    Hi Shadowpops,

    On the second question: It states 9:13 GMT. Could it be you are in the US Mountain time zone?
    For me (US EST) 9:13 - 5 hours= 4AM
    So, add another hour for you 9:13 - 6 hours= 3AM.

    Just a thought. (yeah, it hurts 8-))
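The time-zone arithmetic in the reply above, done with a script instead of by hand, as an added example that is not part of any post in this thread. It parses the alert text from post 1 (reproduced here as a constructed sample), treats the "GMT" stamps as UTC, and converts them with the Windows time zone id 'Central Standard Time', which is the id PowerShell uses for US Central year-round (daylight saving is applied by the rules, not by the name). The function name is ours; the Central zone is an assumption taken from the original poster's later reply.

```powershell
# Added example (not from the thread): convert a SEPM alert's GMT time stamps
# to the server's local zone so a "3 AM" detection can be compared with the
# real scan schedule. Sample alert text is constructed from post 1.
$alertText = @"
Risk name: Hacktool.HideWindow
Event time: 2009-11-04 09:12:28 GMT
Database insert time: 2009-11-04 09:13:23 GMT
"@

function Convert-AlertTimeToLocal {
    param(
        [Parameter(Mandatory)][string]$AlertText,
        # Windows time zone id; the original poster says they are US Central
        [string]$TimeZoneId = 'Central Standard Time'
    )
    $tz = [TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    foreach ($line in ($AlertText -split "`r?`n")) {
        # Match any "... time: yyyy-MM-dd HH:mm:ss GMT" field in the alert
        if ($line -match '^(?<label>[A-Za-z ]*time):\s+(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT\s*$') {
            $utc = [datetime]::SpecifyKind(
                [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss',
                                       [cultureinfo]::InvariantCulture),
                [DateTimeKind]::Utc)
            $local = [TimeZoneInfo]::ConvertTimeFromUtc($utc, $tz)
            [pscustomobject]@{
                Field   = $Matches.label
                Utc     = $utc
                Local   = $local
                Zone    = $TimeZoneId
                IsDst   = $tz.IsDaylightSavingTime($local)
            }
        }
    }
}

Convert-AlertTimeToLocal -AlertText $alertText | Format-Table -AutoSize
```

US daylight saving time ended on 1 November 2009, so on 4 November Central was at UTC-6 and the 09:12 GMT event lands just after 3 AM local, which matches the e-mail time the original poster reports; running the same conversion on a batch of exported alerts is a quick way to see whether the "wee hours" detections cluster around a definition-update or scheduled-task time rather than a human one.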


  • 4.  RE: Is this a FALSE alert?

    Posted Nov 04, 2009 11:51 AM
    I'm going by when I get the email - 3:14am in this case, it's not there when I last check at 10PM, and is there when I check at 6:30 am.
    We're central time, now off "daylight saving time" back to central standard time. Same as Chicago, Houston, etc........

    The question is - what is happening at 3am in the middle of the week that SEP finds this stuff????????????
    There's no one here! Especially on a server, but even workstations. I can go back and find several emails I got at 3am OUR time, and wonder - what is SEP doing out there at that time in the AM?
    I'm sleeping - it should be too, but it's obviously scanning for some reason..........


  • 5.  RE: Is this a FALSE alert?

    Posted Nov 04, 2009 11:51 AM
    You can always submit the file to virustotal and see what they come up with.


  • 6.  RE: Is this a FALSE alert?

    Posted Nov 04, 2009 11:52 AM
    I think I will - I'll get a more coherent report! LOL


  • 7.  RE: Is this a FALSE alert?

    Posted Nov 04, 2009 03:20 PM
    Let us know what you find out.  On 10/29 at 4:56 am, I got an email alert that Packed.Generic.265 Viral was detected on our SEPM server.  No staff was using the server at that time and it was detected via an auto protect scan.

    I see your infection was from HP software.  I thought you uninstalled everything HP? ;-)


  • 8.  RE: Is this a FALSE alert?

    Posted Nov 04, 2009 03:43 PM
    Restore the file from the quarantine and check if it's a downloaded file.....Good chances are it's not a false positive if it's an offline file.


  • 9.  RE: Is this a FALSE alert?

    Posted Nov 04, 2009 05:05 PM
    "virustotal" gave mixed results - some not hitting it at all, the rest half saying not a good thing, or "it's not a threat" and some saying - you might not want this on your computer. LOL

    Guess what - hours later, NOTHING from Symantec - of course my history with submissions dictate that I'll hear next week. That's what happened to me the last couple of times. I hear either a full day or even several days later.

    (Ya know, by then - days later, we're at the who cares stage - the issue is long since resolved manually, or by others............)

    Sorry, I don't have a clue what you mean by downloaded or offline file.......... the path was in the original message..........

    File path: C:\Program Files\Hewlett-Packard\ISEE\RemoteSupport\bin\HideItX.exe


  • 10.  RE: Is this a FALSE alert?

    Posted Nov 05, 2009 04:40 AM
    A file that has been copied over from a different machine (or downloaded)

    Example.JPG


  • 11.  RE: Is this a FALSE alert?

    Posted Nov 05, 2009 08:18 AM
    I've never heard the term "offline" etc LOL - never heard those terms! (except in XP where you can keep files off-line for working away from the network - that is what offline file means - a file copied to your computer while you work on it, then it synchs it back to the network when you reconnect.)

    I guess I don't know how you are seeing THAT in the properties! There's no such screen on our servers.....
    The only properties down there are Attributes, nothing more.  There's no "Security" to it.  There is no way of knowing if any file came from any place else.
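One way to get the "was this file downloaded or copied from elsewhere" answer the two replies above are circling, as an added example that is not part of any post here. The marker Windows uses is the Zone.Identifier alternate data stream, which is also what puts the "this file came from another computer" notice (and the Unblock button) in a file's Properties dialog; a file written locally by an installer normally has no such stream. The script below reads that stream, the Authenticode signature, the version resource and a SHA-256 hash for a file restored from quarantine. The function name Get-FileProvenance is ours, and it assumes PowerShell 3.0 or later for -Stream and 4.0 or later for Get-FileHash, which the XP-era hosts mentioned in the thread may not have.

```powershell
# Added example (not from the thread): provenance checks for a file SEP flagged,
# run after restoring it from quarantine into a folder Auto-Protect is set to
# skip (otherwise it is simply quarantined again).
# Assumptions: PowerShell 3.0+ for -Stream, 4.0+ for Get-FileHash; function name is ours.
function Get-FileProvenance {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path

    # "Downloaded" marker: browsers, mail clients and Explorer attach a
    # Zone.Identifier alternate data stream to files that arrived from the
    # Internet (ZoneId=3) or an intranet share (ZoneId=1). A file placed by a
    # local setup program normally has no such stream.
    try {
        $zone = (Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction Stop) -join ' '
    } catch {
        $zone = '(none: no Zone.Identifier stream, so not marked as coming from another zone)'
    }

    # Authenticode: a vendor support tool is usually signed by the vendor.
    # Unsigned does not prove malice, but a valid vendor signature is strong
    # evidence that the file is what its path claims to be.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

    [pscustomobject]@{
        Path            = $item.FullName
        SizeBytes       = $item.Length
        CreatedUtc      = $item.CreationTimeUtc
        ModifiedUtc     = $item.LastWriteTimeUtc
        CompanyName     = $item.VersionInfo.CompanyName
        FileDescription = $item.VersionInfo.FileDescription
        ProductVersion  = $item.VersionInfo.ProductVersion
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        ZoneIdentifier  = $zone
        SignatureStatus = $sig.Status
        Signer          = $signer
    }
}

# Path taken from the original alert in this thread.
Get-FileProvenance -Path 'C:\Program Files\Hewlett-Packard\ISEE\RemoteSupport\bin\HideItX.exe' |
    Format-List
```

The SHA-256 is the most useful line for the question the thread asks: compare it with the same file on an HP server that has not alerted and with the hash VirusTotal shows for the sample that was uploaded. A matching hash on an untouched server with a clean vendor signature points to a definition change catching a legitimate (if ill-advised) window-hiding helper, while a differing hash or a missing signature on one server only is the case worth treating as a real incident.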


  • 12.  RE: Is this a FALSE alert?

    Posted Nov 10, 2009 04:34 AM
    Hey Guys,

    Can we say this is a false positive or don't we know it yet?

    Kind regards

    Reinhart


  • 13.  RE: Is this a FALSE alert?

    Posted Nov 10, 2009 08:07 AM
    LOL - we don't know yet!
    Here's the response from Symantec, SEVERAL days AFTER the fact. But a submission to virus total generates totally MIXED results! Some say safe, some say not safe, some say "you may not want this file".
    Here is what Symantec says................ Note the "now building definitions" but the file was submitted LAST WEEK.............Wednesday, the response came yesterday, Monday. I'm betting Symantec is SO FAR BEHIND, their techs just can't keep up with submissions!! But sorry, Symantec, nearly a WEEK is WAAAAAY too long to wait for results, and WAAAAY too long to wait for new defs if they are needed.
    This should all be same-day, should it not? Or is there another logical explanation?

    OTOH, we really still do not know what the file really is!!!!! IS it REALLY a tech support file from HP or some other source, or is it a hack tool of some sort........... enquiring minds want to know...................
    ===================================================================

    Dear xxx xxxxxxx,

    We have analyzed your submission.  The following is a report of our findings for each file you have submitted:

    filename:  hideitx.exe

    machine: Machine

    result: This file is detected as Hacktool.HideWindow. http://www.symantec.com/avcenter/venc/data/hacktool.hidewindow.html

    Customer notes:

    Found by SEP during a scan started by defs update apparently not sure what triggered it however its in an HP remote support folder and MAY BE MAY BE a false alert or a real threat in the HP program files folder

    Developer notes:

     hideitx.exe is a non-repairable threat.

    Symantec is now building a new set of definitions to include the threat you have submitted. The approximate time to complete this process is one hour. We recommend checking the ftp site periodically over the next 60 to 90 minutes to download these definitions as soon as they are available.

    Downloading and Installing RapidRelease Definition Instructions:

    1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as:  http://securityresponse.symantec.com/

    2. Click this link to the ftp site, then download the appropriate file to update your product: ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/sequence

    If it does not go to the site (this could take a minute or so if you have a slow connection), copy and paste the address into the address bar of your Web browser and then press Enter.

    3. Open the folder named with the same or higher sequence number listed below.

    4. Download the appropriate file to update your product.

    To identify the correct definition file format  for your product, please review the information here:

    http://www.symantec.com/business/security_response/definitions/download/detail.jsp?gid=rr

    5. When a download dialog box appears, save the file to the Windows desktop. Either, double-click the downloaded file and follow the prompts or refer to your product documentation.

    Virus definition detail:

    Sequence Number: 102324 (or higher)


  • 14.  RE: Is this a FALSE alert?



  • 15.  RE: Is this a FALSE alert?

    Posted Nov 12, 2009 04:47 AM
    Don't know if this helps but we had a detection of Hacktool.HideWindow in a file called Run.exe which was part of an application installer from a business partner. The application was a document library for a set of technical publications, and it was a rather old build - the installer had been prepared for Win 9x. The file run.exe was used to hide the active window during installation, just to make the screen less ugly as it copied some files via a command window.

    In our case, SEP was detecting the run.exe file and interrupting the installation. We consulted the vendor and author, and established that in this instance the file was harmless. We permitted it as an exception for the install only, as the executable was not subsequently required. The detection by SEP is correct - the file itself is not malicious but could be used to conceal malicious activity. However the example we investigated is more likely to be used by an older style "script-kiddie" trojan than the more modern threats which can be very sophisticated and very stealthy in their own right.

    Does HP Update run on your machine at the time indicated? Even so, if the updater (unwisely?) uses something now detected as a Hacktool to conceal a window, the install base should be big enough that the issue should be well known to both HP and Symantec.


  • 16.  RE: Is this a FALSE alert?

    Posted Nov 12, 2009 07:26 AM
    Yeah, I know - that's pretty much what I got when I ran it, that's why I said it was inconclusive.

    The explanation by dgh makes sense -
    It's something that has been there, no it's not something that runs updates.
    It's been there a while WE THINK. So it's odd that it just suddenly was detected and was not detected in the past, but once again, WHY at that time in the AM?
    We see this a lot - SEP goes along detecting nothing, then suddenly in the wee hours of the night, it finds something! WHAT TRIGGERED that find?
    There's no scanning taking place then.
    So that part is still a mystery.
    But I suspect a CHANGE was made in SEP or the DEFS that suddenly caused it to start detecting this file.......
    It's the why at that time of night that is the next question.


  • 17.  RE: Is this a FALSE alert?

    Posted Nov 18, 2009 10:16 AM

    This just happened to me.  It scanned it last night at 8:38 pm eastern time on my HP Server running a third party software.  We thought HP might have remoted in (which they do from time to time) and somehow infected our server.  I found out they didn't.  So I am not sure why this came up or why it thinks this file is a virus.  I can't find anything about this file anywhere.  Any assistance would be great.  I have other HP servers in house and this hasn't come up on any others.  This server is only 4 weeks old though.


    Risk name: Hacktool.HideWindow

    File path: C:\Program Files\Hewlett-Packard\ISEE\RemoteSupport\bin\HideItX.exe