Endpoint Protection

  • 1.  Hundreds of "left alone" compressed tmp files - C:\Windows\TEMP\pde783B.tmp

    Posted Apr 17, 2013 09:22 AM

    We appear to have hundreds of false-positive temp files flagged as a Trojan Horse. When we examine the Temp folder location, the flagged pde-type files are not found. So I'm confused as to the "left alone" report. The detections also create confusion for our senior management, who have asked if SEP 12.1 is allowing malicious files to remain on a production system. So information on this detection would be appreciated. I've included some of the details below. Again, this is seen on multiple systems.

    Thanks,

    Risk Information

    Risk name: Trojan Horse
    Risk severity: 1
    Discovered: 02-19-2004 00:00:00
    Download site: N/A
    Downloaded or created by: N/A
    File or path: C:\Windows\TEMP\pde7408.tmp
    Application:
    Version:
    File size: 0
    Category set: Malware
    Category type: Virus
    Hash:
    Hash algorithm: SHA-1
    Company: N/A

    Risk Detection

    Date found: 04-17-2013 06:05:30
    Description: "Still contains 1 infected items"
    Actual action: Left alone
    Specified primary action: Leave alone (log only)
    Specified secondary action: Leave alone (log only)
    Detection source: Manual Scan
    Risk detection method: Signature-based Detection
    URL tracking: Off
    Source computer:
    Event type: Compressed File
    Database insert date: 04-17-2013 06:14:10
    Event client date: 04-17-2013 06:05:30
    Permitted application reason: N/A

    Risk Reputation

    First seen: Reputation was not used in this detection.
    Reputation: Reputation was not used in this detection.
    Prevalence: Reputation was not used in this detection.
    Performance impact: High
    Overall rating: High
    Detection reason: Antivirus engine
    Minimum sensitivity level: N/A

    Side effects

    Status      Operation    Data Type  Location
    Successful  Leave Alone  File       C:\Windows\TEMP\pde7408.tmp



  • 2.  RE: Hundreds of "left alone" compressed tmp files - C:\Windows\TEMP\pde783B.tmp

    Posted Apr 17, 2013 09:25 AM

    This happens for a few reasons, which this article highlights:

    Best Practices for responding to "Left Alone" in the virus or threat history log
    Article: TECH101661 | Created: 2006-01-13 | Updated: 2011-05-20 | Article URL http://www.symantec.com/docs/TECH101661

    This article may also help:

    Delete newly created infected files if the action is "Leave alone (log only)" - Explanation of setting
    Article: TECH145103 | Created: 2010-11-29 | Updated: 2010-11-29 | Article URL http://www.symantec.com/docs/TECH145103



  • 3.  RE: Hundreds of "left alone" compressed tmp files - C:\Windows\TEMP\pde783B.tmp

    Posted Apr 17, 2013 10:19 AM

    Thanks Brian,

    We have the advanced Auto-Protect setting checked to delete newly infected items if the action is "left alone". The biggest problem is the hundreds of detections in our daily reports, with no real detail as to why these PDE temp files were detected, why they were left alone, and if they were indeed malicious... or simply a false positive.

    Plus, as I mentioned, the "left alone" status is concerning to our senior mgmt staff when they see hundreds of Trojan Horse detections in a daily report on multiple systems. So I don't have a good answer for them as to why these detections occurred, and if we have potentially infected clients still on our network.
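Added example (not from the thread, and not Symantec's tooling): a small Python triage script for the situation described in posts 1 and 3. It parses a constructed export that carries the same field names as the event pasted in post 1, separates the zero-byte pde*.tmp "Left alone" entries from any other "Left alone" event that still needs review, and checks whether the flagged paths are still on disk (the poster reports they are not). The tab-separated layout, the host names and the SAMPLE_EXPORT rows are assumptions for this example.

```python
import os
import re
from collections import Counter

# Constructed sample export: field names match the post, but the tab-separated
# layout and the host names are assumptions made for this example.
SAMPLE_EXPORT = (
    "Risk name\tFile or path\tActual action\tEvent type\tFile size\tSource computer\n"
    "Trojan Horse\tC:\\Windows\\TEMP\\pde7408.tmp\tLeft alone\tCompressed File\t0\tWS-01\n"
    "Trojan Horse\tC:\\Windows\\TEMP\\pde783B.tmp\tLeft alone\tCompressed File\t0\tWS-01\n"
    "Trojan Horse\tC:\\Windows\\TEMP\\pde1A2C.tmp\tLeft alone\tCompressed File\t0\tWS-02\n"
    "Trojan Horse\tC:\\Users\\bob\\Downloads\\setup.exe\tLeft alone\tFile\t348160\tWS-03\n"
)

# Path pattern reported in the thread: pde + hex digits + .tmp under C:\Windows\TEMP.
PDE_TMP = re.compile(r"^[a-z]:\\windows\\temp\\pde[0-9a-f]+\.tmp$", re.IGNORECASE)


def parse_export(text):
    """Parse a tab-separated export into one dict per row, keyed by header names."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, row.split("\t"))) for row in lines[1:]]


def matches_pde_tmp(rec):
    """True for zero-byte pde*.tmp compressed-file events that were only logged."""
    return (rec["Actual action"] == "Left alone"
            and rec["Event type"] == "Compressed File"
            and rec["File size"] == "0"
            and PDE_TMP.match(rec["File or path"]) is not None)


def triage(records):
    """Bucket 'Left alone' events: the pde*.tmp pattern vs. everything else."""
    pde = [r for r in records if matches_pde_tmp(r)]
    other = [r for r in records if r["Actual action"] == "Left alone" and r not in pde]
    return {
        "pde_tmp_count": len(pde),
        "pde_tmp_hosts": sorted({r["Source computer"] for r in pde}),
        "needs_review": [(r["Source computer"], r["File or path"]) for r in other],
        "risk_names": Counter(r["Risk name"] for r in records),
    }


def still_on_disk(records):
    """Map each flagged path to whether it currently exists on this machine."""
    return {r["File or path"]: os.path.exists(r["File or path"]) for r in records}
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; the "needs_review" list is what to hand to senior management, while the pde*.tmp bucket can be reported as a count per host.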