Endpoint Protection

  • 1.  If a machine fires for Bloodhound.NeuralMBR, why isn't it considered "infected"?

    Posted Apr 03, 2014 12:29 PM

    Looking through logs from a few days back, I've identified a couple of machines with the risk "Bloodhound.NeuralMBR".  The event/action is "Virus found (left alone)".  So it appears that we've got a master boot record infection.

    I've got a separate report that runs regularly to publish all machines with infected status - a way of making sure nothing slips through the cracks in incident response.  But the machines reporting Bloodhound.NeuralMBR aren't showing up - why?

     

     



  • 2.  RE: If a machine fires for Bloodhound.NeuralMBR, why isn't it considered "infected"?

    Posted Apr 03, 2014 12:33 PM

    What's the SEPM version? What report is it that it's not showing up on?

    It's definitely considered infected, but because the MBR is infected, SEP can't repair it. It can only be done manually via the recovery console.



  • 3.  RE: If a machine fires for Bloodhound.NeuralMBR, why isn't it considered "infected"?

    Posted Apr 03, 2014 12:56 PM

    SEPM Version 12.1.4023.4080

    Report failing to show these machines: Risk/Infected and At Risk Computers

     



  • 4.  RE: If a machine fires for Bloodhound.NeuralMBR, why isn't it considered "infected"?

    Posted Apr 03, 2014 01:35 PM

    Any filter set or try changing the time range?



  • 5.  RE: If a machine fires for Bloodhound.NeuralMBR, why isn't it considered "infected"?

    Posted Apr 03, 2014 01:37 PM

    No filters or time range.  I tried setting a time range back to when the event appears in the logs and the report still comes up blank.



  • 6.  RE: If a machine fires for Bloodhound.NeuralMBR, why isn't it considered "infected"?

    Posted Apr 04, 2014 01:54 AM

    Hi Bill_K,

    Does that computer appear in the Risk Report? Or is it missing from there as well?

    To remove an MBR threat, the best tool is Norton™ Bootable Recovery Tool.  Download and run that (even if the computer has SEP and not Norton) and the infection should be cleared.

    https://security.symantec.com/nbrt/nbrt.aspx?lcid=1033

     

    Hope this helps!!

    Mick



  • 7.  RE: If a machine fires for Bloodhound.NeuralMBR, why isn't it considered "infected"?

    Posted Apr 08, 2014 08:30 AM

    Computers with this are showing up in risk reports (e.g. Comprehensive Risk Report) - they just don't seem to be considered "infected".  Will be trying BRT and other tools...



  • 8.  RE: If a machine fires for Bloodhound.NeuralMBR, why isn't it considered "infected"?

    Posted Apr 08, 2014 08:37 AM

    Excellent, thanks for the update!  NBRT should do the trick.