Endpoint Protection


HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

  • 1.  HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Posted May 23, 2016 07:27 AM

    I have scanned a PC for viruses.

    SMG.Heur!gen on x-xxy-445 - this threat has been observed on this host once in the past 7 days.

     

    On scan, I found no Risk issues, but errors inside the Threats under Proactive Threats.

     

    Hosts file change inside Google Chrome and IE. Is this normal or a virus?

    Someone please help. It's urgent because it's for senior management.



  • 2.  RE: HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Posted May 23, 2016 07:30 AM

    Doesn't look legit to me. I'd remove that threat.



  • 3.  RE: HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Trusted Advisor
    Posted May 23, 2016 09:03 AM

    Hello,

    What version of SEPM are you running?

    The Threat Logs show them as Log only.

    These seem to be malicious; I recommend termination.

    Secondly, check these articles:

    Error: "Security Risk Found! Hosts File Change in File: c:\windows\system32\svchost.exe by: SONAR scan"

    http://www.symantec.com/docs/TECH164391

    Symantec Endpoint Protection 12.1: Blocked System Change Events produce unexpected messages

    http://www.symantec.com/docs/TECH161646

    Creating an DNS or Host File Change Exception in Symantec Endpoint Protection Manager 12.1 RU1 MP1 and above.

    https://www-secure.symantec.com/connect/articles/creating-dns-or-host-file-change-exception-symantec-endpoint-protection-manager-121-ru1-mp1

     

    Regards,



  • 4.  RE: HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Posted May 23, 2016 01:18 PM

    Agree with Brian and Mithun. Check the hosts file (%windir%\system32\drivers\etc\hosts). It is suspicious if it consists of more than some comments and perhaps the localhost name resolution.

    Anyway, I would block hosts file changes either by SONAR or (in my experience more reliable) by the default Application Control ruleset "Block modifications to hosts file", which can be found in the Application and Device Control policy.

    Hosts file changes can be really dangerous, e.g. if they are used for phishing attacks.



  • 5.  RE: HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Posted May 24, 2016 01:48 AM

    Thanks Brian, Mithun and Greg. We have SEPM 12.1.6 MR 4. My configuration for SONAR for the DNS\HOSTS file is "LOG" only.

    I require more support and clarifications.

     

    1. How can I remove the threat? As you see, it's part of Chrome and IE, so won't that corrupt those? Please explain.

    2. Do I need to send these files to Symantec for analysis? If so, how can I do it?

    3. As I understand, you recommend that it's better to "Block", but then we have frequent Host & DNS file changes in the environment and that will create a lot of confusion, is it not? So what is the best practice?

    4. How can I see these SONAR logs from SEPM? Unfortunately, I couldn't find any logs in SONAR from SEPM. Please tell me which logs/filters to use, so that I can terminate them from SEPM itself. Is there any action to be taken from SEPM?

    Appreciate your quick concern and support again.



  • 6.  RE: HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Posted May 24, 2016 06:33 AM

    1. How can I remove the threat? As you see, it's part of Chrome and IE, so won't that corrupt those? Please explain.

    The logs say that some applications are changing the hosts file. SMG.Heur!gen is a generic signature that indicates suspicious behavior (see here), not a particular malware. It's unusual for the hosts file to be changed by legitimate applications, but it's possible.

    2. Do I need to send these files to Symantec for analysis? If so, how can I do it?

    That's definitely a good idea, here is an article about it.

    3. As I understand, you recommend that it's better to "Block", but then we have frequent Host & DNS file changes in the environment and that will create a lot of confusion, is it not? So what is the best practice?

    The hosts file should not be changed, therefore it's useful to block write access. See this article:

    Hardening Symantec Endpoint Protection (SEP) with an Application and Device Control Policy to increase security

    4. How can I see these SONAR logs from SEPM? Unfortunately, I couldn't find any logs in SONAR from SEPM. Please tell me which logs/filters to use, so that I can terminate them from SEPM itself. Is there any action to be taken from SEPM?

    Monitors > Logs > [Log type] SONAR > configure Time Range

    You can check your host more thoroughly by running the Threat Analysis of SymDiag. Alternatively, you can trigger a Power Eraser scan from the SEPM GUI on the respective client (Clients > [Group] > right-click client > Run Command on Computers > Start Power Eraser Analysis). This may take up to 10 minutes in most environments.



  • 7.  RE: HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Trusted Advisor
    Posted May 25, 2016 02:01 AM

    Hello,

    I agree with Greg's answers:

    1. How can I remove the threat? As you see, it's part of Chrome and IE, so won't that corrupt those? Please explain.

    Hosts files are not the threat; however, there is suspicious code or changes to the hosts files.

    2. Do I need to send these files to Symantec for analysis? If so, how can I do it?

    Yes, as Greg suggested, always a good idea.

    3. As I understand, you recommend that it's better to "Block", but then we have frequent Host & DNS file changes in the environment and that will create a lot of confusion, is it not? So what is the best practice?

    Try blocking hosts file modification:

    How do I Block hosts file modification using Symantec Endpoint Protection (SEP) Application and Device Control policy?

    https://www-secure.symantec.com/connect/downloads/how-do-i-block-hosts-file-modification-using-symantec-endpoint-protection-sep-application-

    You can create an Application Control Policy like the one below:

    By creating this policy, from then onwards all modifications to the hosts file would be blocked.

    4. How can I see these SONAR logs from SEPM? Unfortunately, I couldn't find any logs in SONAR from SEPM. Please tell me which logs/filters to use, so that I can terminate them from SEPM itself. Is there any action to be taken from SEPM?

    By default, SONAR is configured to ignore System Change Events; you may choose to use the default configuration if you do not wish to block these events. Or, you may choose "Prompt" and the user will receive a more informative message from Endpoint Protection, but the choice to block or allow will be up to the user.

    See also Symantec Endpoint Protection 12.1: Manager Risk distribution summary report lists "Microsoft Windows Operating System" as a risk name



  • 8.  RE: HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Posted May 25, 2016 07:52 AM

    Thanks All, for that elaborate technical information.

    1. We have disabled the Application and Device Control policy in our environment because we have Lumension, which does this. By disable, I mean I have removed the tick from "Enable this policy".

    But I can still see logs being collected when I select Application and Device Control, so is this policy enabled or disabled? There is no point in making a modification when it's disabled.

    2. As per Brian, he has written "Doesn't look legit to me. I'd remove that threat." That prompted me to ask how I can remove this threat. See, this is my first time and so I have many doubts. Please be patient in replying.

    I can see a tab under the Threat Logs that says TERMINATE, RESTORE, QUARANTINE etc. Since I am not sure of this file, can I terminate this? Will it stop Chrome and Internet Explorer from working?

    When I examined the IE folder

    c:\program files (x86)\internet explorer\

    I found a similar file:

    ielowutil.exe

    So is it a valid file? Then why does it say it is a Host file? What should I do with this detection? Should I ignore it, or what next?

    Here, there are modifications in HOSTS files for various applications. So if I block, and we have around 5000 clients... I might have to answer 1000 people.

    Happy that there are people to help with the Symantec issues, please support.




  • 9.  RE: HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Posted May 25, 2016 11:51 AM

    ielowutil.exe seems to be a legitimate part of IE, see here:

    https://blogs.msdn.microsoft.com/askie/2009/03/12/what-does-ielowutil-exe-have-to-do-with-internet-explorer-8-0/

    Please check whether the hosts file is really being changed (not just read; that's OK) in your environment.

    If you are unsure, you can enable the ruleset "Block modifications to hosts file" (see image in Mithun's post) but switch it to "Test (log only)" in the "Test/Production" field. The ruleset will be running in a simulation mode, and after some time you can evaluate the Application Log to see if switching the ruleset to Production would really bother your colleagues.



  • 10.  RE: HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Posted May 25, 2016 12:07 PM

    I still think we're talking two different things here. SEP is detecting and alerting only the HOSTS file change as well as detecting SMG.Heur!gen. Does SMG.Heur!gen show anywhere in your logs? What action was taken on it?



  • 11.  RE: HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Posted May 26, 2016 02:28 AM

    SMG.Heur!gen was not shown anywhere. In fact, the Risk logs didn't show anything. Instead I found Threat Logs showing me hosts file logs related to IE and Chrome.

    What do I do with this current detection? Should I Terminate/Restore/Quarantine?



  • 12.  RE: HOST File Threats in User Pc for Google chrome and IE? Normal or Virus

    Posted May 26, 2016 07:56 AM

    I'm confused. Then where did the SMG.Heur!gen detection come from? If there was no SMG.Heur!gen detection, then all we're looking at is a HOSTS file change. Did that file only read the HOSTS file, or did it actually change it? If it read it, that's fairly normal. If it changed it, to what and why? That process, according to the link, appears to be part of IE, so it could've been normal.
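Added example (Python; not code from the thread, from Symantec or from SEP) that turns the manual check from post 4 into a script and answers the "did it change it, and to what" question from post 12: it parses a hosts file, flags every entry beyond comments and localhost resolution, and diffs the file against a known-good copy. Both file contents, the hostnames and the 198.51.100.7 address (a documentation range standing in for an attacker-controlled IP) are constructed for the demo; to run it on a real client, read %windir%\system32\drivers\etc\hosts (the path from post 4) into the `current` argument.

```python
"""Triage a Windows hosts file and diff it against a known-good copy.

Added example: not code from the forum thread, from Symantec or from SEP.
Hostnames, the 198.51.100.7 address (documentation range standing in for
an attacker-controlled IP) and both file contents below are constructed.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Names a stock hosts file may legitimately map to a loopback address.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Private and link-local ranges (RFC 1918, RFC 3927, RFC 4193, RFC 4291).
# An override pointing here is usually a dev/intranet entry, not phishing.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

Entry = Tuple[int, str, Tuple[str, ...]]   # (line number, address, hostnames)
VERDICTS = ("benign", "sinkhole", "internal", "redirect", "malformed")


def parse_hosts(text: str) -> Tuple[List[Entry], List[int]]:
    """Return (entries, malformed_line_numbers).  Blank and comment lines
    are skipped and inline '#' comments stripped.  A line whose first token
    is not an IP address, or that names no host, is reported rather than
    dropped: anything the parser rejects deserves a look, not an assumption."""
    entries, bad = [], []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            bad.append(n)
            continue
        names = tuple(p.lower() for p in parts[1:])
        if not names:
            bad.append(n)
            continue
        entries.append((n, ip, names))
    return entries, bad


def classify(ip: str, names: Tuple[str, ...]) -> str:
    """benign   - loopback/unspecified address, localhost-type names only
    sinkhole - loopback/unspecified address for any other name: that host
               stops resolving (ad-blockers do this; so does malware that
               wants AV or update servers unreachable)
    internal - private or link-local address (dev/intranet override)
    redirect - anything else: the phishing case from post 4, a real name
               pointed at a machine the attacker controls"""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return "benign" if set(names) <= LOCAL_NAMES else "sinkhole"
    if any(addr in net for net in PRIVATE_NETS):
        return "internal"
    return "redirect"


def triage(text: str) -> Dict[str, List[Entry]]:
    """Bucket every entry by verdict; malformed lines appear as (n, "", ())."""
    entries, bad = parse_hosts(text)
    buckets: Dict[str, List[Entry]] = {v: [] for v in VERDICTS}
    for entry in entries:
        buckets[classify(entry[1], entry[2])].append(entry)
    buckets["malformed"] = [(n, "", ()) for n in bad]
    return buckets


def diff_hosts(baseline: str, current: str) -> Tuple[Set[Tuple[str, str]],
                                                     Set[Tuple[str, str]]]:
    """(added, removed) (address, hostname) pairs between a known-good copy
    and the file now on disk.  Comments are ignored, so a process that only
    rewrites the header is not reported; a write that alters resolution is."""
    def pairs(text: str) -> Set[Tuple[str, str]]:
        return {(ip, name) for _, ip, names in parse_hosts(text)[0]
                for name in names}
    before, after = pairs(baseline), pairs(current)
    return after - before, before - after


# Constructed stand-in for the stock Windows file: comments only, with the
# localhost lines commented out (the resolver handles them itself).
BASELINE = """\
# hosts file (constructed stand-in for the stock Windows contents)
# localhost name resolution is handled by the resolver itself
#       127.0.0.1       localhost
#       ::1             localhost
"""

# The same file after a suspicious write (all entries constructed).
CURRENT = BASELINE + """\
127.0.0.1       localhost
10.20.30.40     intranet.corp.example      # dev override
198.51.100.7    www.bank.example           # real name -> attacker IP
127.0.0.1       liveupdate.av-vendor.example
0.0.0.0         ads.example
this is not a hosts entry
"""

if __name__ == "__main__":
    for verdict, hits in triage(CURRENT).items():
        for n, ip, names in hits:
            print(f"line {n:>3} {verdict:<9} {ip:<15} {' '.join(names)}")
    added, removed = diff_hosts(BASELINE, CURRENT)
    print("added:", sorted(added), "removed:", sorted(removed))
```

Entries that come out as "sinkhole" or "redirect" are the ones worth sending for analysis: a loopback mapping for an AV update server and a public address for a banking domain are the two shapes that matter, while a private address for an intranet name is the kind of entry an environment with frequent hosts changes would have to except. Keep the baseline copy off the client (on the SEPM, a share, or in version control), because anything on the client can be altered by the same process that writes the hosts file.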