logs referencing SEP applications
Can anyone explain exactly what SEP is telling me here? Is the application referenced in the 9th field mucking with the SEP application in some way? These aren't always malicious, but they are often enough to be a pretty good indicator of compromise.
Many thanks in advance!
[system name redacted],Allowed,"C:\Program Files\Symantec AntiVirus\SmcGui.exe",,Begin: 2012-11-07 00:33:54,End: 2012-11-07 00:33:54,Rule: ,3532,C:/Documents and Settings/[redacted]/Application Data/Qbbkba.exe,0,,C:/Program Files/Symantec AntiVirus/SmcGui.exe,User: [redacted],Domain: [redacted]
[system name redacted],Allowed,"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",,Begin: 2012-11-07 06:31:20,End: 2012-11-07 06:31:20,Rule: ,3336,C:/WINDOWS/system32/JavaMachine.exe,0,,C:/Program Files/Common Files/Symantec Shared/ccApp.exe,User: [redacted],Domain: [redacted]
What log was this in? tamper protection or firewall?
Hmm... I'm not actually sure. We dump all of the logs to syslog and process them there. I can't find these logs in SEPM (though I'm sure they must be in there somewhere). I'll dig around some more and see what I can find.
It's a tamper protection alert; create an exception for the same.
Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq
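As an added example (not from this thread or from Symantec), here is a small parser for lines in the CSV layout quoted above that pulls out the target SEP component and the acting process, following the original poster's reading that the 9th field is the process touching SEP, and flags actors that run from user-writable directories so an analyst can triage them first. The host, user and domain values in the sample are placeholders, and the user-writable heuristic is this example's own, not a SEP rule.

```python
import csv
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the CSV layout quoted in the thread (process
# paths as posted; host, user and domain values are placeholders).
SAMPLE_LOG = r"""
HOST1,Allowed,"C:\Program Files\Symantec AntiVirus\SmcGui.exe",,Begin: 2012-11-07 00:33:54,End: 2012-11-07 00:33:54,Rule: ,3532,C:/Documents and Settings/user1/Application Data/Qbbkba.exe,0,,C:/Program Files/Symantec AntiVirus/SmcGui.exe,User: user1,Domain: CORP
HOST1,Allowed,"C:\Program Files\Common Files\Symantec Shared\ccApp.exe",,Begin: 2012-11-07 06:31:20,End: 2012-11-07 06:31:20,Rule: ,3336,C:/WINDOWS/system32/JavaMachine.exe,0,,C:/Program Files/Common Files/Symantec Shared/ccApp.exe,User: user1,Domain: CORP
""".strip()

# Directories an ordinary user can write to. A process acting on SEP from one
# of these is worth an analyst's attention (heuristic for this example, not a SEP rule).
USER_WRITABLE = re.compile(
    r"/(documents and settings|users)/[^/]+/|/application data/|/appdata/|/temp/",
    re.IGNORECASE,
)

@dataclass
class TamperEvent:
    host: str
    action: str   # field 2, e.g. "Allowed"
    target: str   # field 3: the SEP component that was acted upon
    begin: str    # field 5 without the "Begin: " label
    actor: str    # field 9: the process that touched the SEP component
    user: str     # field 13 without the "User: " label

    def review_reasons(self) -> List[str]:
        """Why an analyst should look at this event; an empty list means no flag."""
        reasons = []
        if USER_WRITABLE.search(self.actor.replace("\\", "/")):
            reasons.append("actor runs from a user-writable directory")
        return reasons

def parse_tamper_log(text: str) -> List[TamperEvent]:
    """Parse SEP tamper-protection lines in the syslog-forwarded CSV layout."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 14:
            continue  # truncated or unrelated line
        events.append(TamperEvent(row[0], row[1], row[2], row[4].split(": ", 1)[-1],
                                  row[8], row[12].split(": ", 1)[-1]))
    return events

def events_to_review(text: str) -> List[TamperEvent]:
    """Only the events that carry at least one review reason."""
    return [e for e in parse_tamper_log(text) if e.review_reasons()]
```

Events with no flag are still tamper events; the parser just surfaces the actor/target pair so the system32 case can be checked by hand.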