Endpoint Protection

  • 1.  LiveUpdateSvc Quarantined

    Posted Jul 30, 2015 09:42 AM

    Hello, I got an alert that LiveUpdateSvc got quarantined. Here's the alert below:

    At least one security risk found:

    Risk name: WS.Reputation.1
    File path: LiveUpdateSvc
    Event time: Jul 30, 2015 9:18:23 AM
    Database insert time: Jul 30, 2015 9:20:08 AM
    Source: Real Time Scan
    Description: 

    Why is SEP quarantining LiveUpdateSvc and do I need to take any action?



  • 2.  RE: LiveUpdateSvc Quarantined

    Posted Jul 30, 2015 10:15 AM

    Not good. I hope not a false positive. I would submit to Symantec immediately for investigation.

    Open the Risk log for this alert for further details.



  • 3.  RE: LiveUpdateSvc Quarantined

    Posted Jul 30, 2015 12:37 PM

    I've never heard of a Symantec process called LiveUpdateSvc.  That sounds like a legitimate detection to me.

    On a user machine, if you allow LiveUpdate at all, it should be SepLiveUpdate.exe.

    On a SEPM, we're talking luall.exe or lucomserver...

    Where is this file?



  • 4.  RE: LiveUpdateSvc Quarantined

    Posted Jul 30, 2015 12:39 PM

    I'm seeing this now as well, but only for one machine. Problem is the details are weak. But yeah, good point, I think that's the process I was thinking of.



  • 5.  RE: LiveUpdateSvc Quarantined

    Posted Jul 30, 2015 01:10 PM

    I don't think LiveUpdateSvc is a Symantec process. It was quarantined because it has a bad reputation. I would not recreate it.

    WS.Reputation.1 is a generic signature for files that were checked against Symantec's reputation database (Insight) and got a bad reputation. That does not necessarily mean that the file is malware.

    You don't need to take any action, but as Brian says you can send it to Symantec for investigation.

    You can upload the file to virustotal.com (a Google company) to see if other AV products flag it as malicious as well.