Interesting Issue / Question on SEP active scan results
I was working with a user on some questions they had about SEP.
After running an active scan, I noticed a few things that I could not explain. I'll post the screenshots:
The active scan appeared to have finished scanning the C drive. Well then I noticed that it was no longer scanning the C drive and appeared to be scanning a list of domain names / IP addresses. The domain names I could see and I was familiar with (Symantec, Kaspersky, McAfee) but I had no clue on the IP address. I ran a whois and one of them was a Brazilian website. Also for the screens above, they were run within 1 minute of one another and the amount of files scanned was different. I ran the scan 5 more times and each time the amount of files scanned was different. So now I'm curious as to why IP/domain names are being scanned and why? Is this a hidden list? I ran TCPView and show no connections to these sites. I just want to make sure something fishy isn't going on on our network. Anyone seen anything like this before?
Comments
Hi,
Please run the Process Explorer on your machine. Go to the properties of rtvscan.exe. Go to the TCP/IP tab. See if you are able to see any network connections.
I would also recommend enabling the debug logging on the client. Submit the debug logs as an attachment to your initial post, or you can contact support for getting more information and to perform root cause analysis.
Aniket
Process Explorer came up clean. I have enabled debugging and will post the logs in the next hour as I want it to run for awhile to gather a good amount of data.
Endpoint Knowledge Base
Security Best Practices
Here is my log:
http://www.2shared.com/file/9126036/e8c9531b/vpdebug.html
Ok, if the process monitor did not show any TCP connection, that means the client is showing incorrect information.
I suspect corruption in the registry. The settings for activescans are stored in the location:
HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV\LocalScans\Default QuickScan Options
You can export the key and compare that with another export from a normal working machine. And compare them with BeyondCompare.
But, to try the simple steps first, I would recommend repair install, reboot, active scan.
Aniket
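One way to do the key comparison suggested above without a third-party diff tool, as an added example that is not code from this thread: parse both .reg exports and list only the values that differ. The key path is the one quoted in the reply; the value names and data in the two sample exports are constructed for illustration and are not real SEP settings.

```python
import re

# Key path quoted in the reply above; the sample exports below are constructed.
SEP_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection"
           r"\AV\LocalScans\Default QuickScan Options")

GOOD_EXPORT = f"""Windows Registry Editor Version 5.00

[{SEP_KEY}]
"ScanType"=dword:00000002
"Paths"=hex:43,00,3a,00,5c,00,\\
  00,00
"""

BAD_EXPORT = f"""Windows Registry Editor Version 5.00

[{SEP_KEY}]
"ScanType"=dword:00000002
"Paths"=hex:43,00,3a,00,5c,00,00,00,31,00
"ExtraValue"="left over"
"""

def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg export text.
    Hex data continued over several lines (trailing backslash) is joined.
    Real regedit exports are UTF-16LE: open them with encoding='utf-16'."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith("\\"):          # multi-line hex continuation
            line = line[:-1] + next(lines, "").strip()
        m = re.match(r'^("(?:[^"\\]|\\.)*"|@)=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1).strip('"')] = m.group(2)
    return keys

def diff_reg(reference, suspect):
    """Sorted (key, value_name, reference_data, suspect_data) for every
    value that differs; None means the value is missing on that side."""
    out = []
    for key in sorted(set(reference) | set(suspect)):
        ref, sus = reference.get(key, {}), suspect.get(key, {})
        for name in sorted(set(ref) | set(sus)):
            if ref.get(name) != sus.get(name):
                out.append((key, name, ref.get(name), sus.get(name)))
    return out

def compare_exports(good_text, bad_text):
    return diff_reg(parse_reg(good_text), parse_reg(bad_text))

if __name__ == "__main__":
    for key, name, ref, sus in compare_exports(GOOD_EXPORT, BAD_EXPORT):
        print(f"{key}\n  {name}: working={ref!r} suspect={sus!r}")
```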
Below is the only difference found. The left side is from the normal machine:
How about repair, did you try that?
Aniket
I'm going to try a reinstall on my machine, the other machine appeared to be OK now after reinstall
Glad to know. Will look forward to an update from you.
Cheers,
Aniket