Endpoint Protection


Packed.Generic.271


  • 1.  Packed.Generic.271

    Posted Feb 24, 2010 07:09 AM

    Hi,

    as of today all my Windows 7 workstations get the virus warning "Packed.Generic.271". Is this a false positive ???

    Thanks
    Stefan
     



  • 2.  RE: Packed.Generic.271

    Posted Feb 24, 2010 07:17 AM
    It was discovered in Nov last year, not an old virus though.

    http://www.symantec.com/security_response/writeup.jsp?docid=2009-113011-1821-99 


  • 3.  RE: Packed.Generic.271

    Posted Feb 24, 2010 07:23 AM
    It's not a false positive. It is a generic detection from the Bloodhound heuristic.
    It is typically a file packaged with many other threats.




  • 4.  RE: Packed.Generic.271

    Broadcom Employee
    Posted Feb 24, 2010 07:24 AM
    It is heuristic scanning, hence could be a false positive. Since it is Win7, the virus writeup does not mention the OS used by you.

    it says affected

    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

     

    Packed.Generic.271 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from antivirus software.


  • 5.  RE: Packed.Generic.271

    Posted Feb 24, 2010 08:39 AM
    I have 2 Win 7 systems that also have, as of today, started to display the same message - this has happened since today's symantec definition updates were applied and is, I think, an error.


  • 6.  RE: Packed.Generic.271

    Posted Feb 24, 2010 08:50 AM
    encdec.dll is the file on both systems that is being flagged as infected - is that the same for you stefan2k1?


  • 7.  RE: Packed.Generic.271

    Broadcom Employee
    Posted Feb 24, 2010 08:51 AM

    submit this file to symantec, and check if the files are really infected?



  • 8.  RE: Packed.Generic.271

    Posted Feb 24, 2010 09:37 AM
    We are also experiencing this in our environment.  With the virus definitions from Feb 23, 2010 r48, you will get the Packed.Generic.271 message after some time, or you can force it by navigating to the System32 directory, then scroll down to "encdec.dll".

    We have a laptop that did not pull updates, the latest was Feb 18.  Navigated to the same directory, no problem.  This is a false positive.  The file is not corrupt, something in the latest definitions is making it flag the file.

    The file encdec.dll has the same modified date (7/13/2009) as the rest of the files surrounding it in System32.  So it has not been modified (compromised).

    So Symantec, what do we do next?


  • 9.  RE: Packed.Generic.271

    Posted Feb 24, 2010 09:47 AM
    I have a win7 pc that came up with exactly the same thing.



  • 10.  RE: Packed.Generic.271

    Posted Feb 24, 2010 09:56 AM
    Just noting that I am running Symantec Endpoint Protection 11.0.5002.333


  • 11.  RE: Packed.Generic.271

    Posted Feb 24, 2010 10:01 AM
    It's starting to look like a Symantec issue and not a sudden infection of systems - thanks to all those who have responded to this thread to let others know what is happening.


  • 12.  RE: Packed.Generic.271

    Posted Feb 24, 2010 10:01 AM
    We are also seeing the exact same symptoms.  All Win7 systems showing this file, EncDec.dll, as an infected file.  Please let us know your findings after speaking with Symantec.


  • 13.  RE: Packed.Generic.271

    Posted Feb 24, 2010 10:01 AM
    All Windows 7 machines that we have are showing the same thing.

    I am on hold with Symantec support, up to an 80 min wait now.

    Looks like there are many people with this issue.
    Probably a false positive but would like to know for sure.



  • 14.  RE: Packed.Generic.271

    Posted Feb 24, 2010 10:07 AM
    This is a false positive. i have two CLEAN installs of Windows 7, installed using Microsoft DVD's, that have been flagged up as infected by SEP11 MR5. These were installed today, and SEP11 is the first program that is added....

    Please fix this issue Symantec.


  • 15.  RE: Packed.Generic.271

    Posted Feb 24, 2010 10:48 AM

    If this is a false positive, which from comments we are assuming it is, it does not reassure us in our choice to renew our Symantec contract for another year.  Combine this with the 2010 year change snafu and it really makes us question our decision.



  • 16.  RE: Packed.Generic.271

    Posted Feb 24, 2010 11:17 AM
    Since the new year, it has been one thing after another.  Not just pertaining to this specific line of product.  We also use other products of Symantec that end in similar results.

    The most horrendous part is the wait time on the phone.  I literally had to forward the call to 3 different phones because the battery would start to die.


  • 17.  RE: Packed.Generic.271

    Posted Feb 24, 2010 11:20 AM
    DaFireWallMan,

    Are you still on hold with TS? :-)  All of our Windows 7 systems now have this issue!

    The EncDec.dll file is immediately quarantined, one of the guys here in IT rebooted several systems and now those users are having logon issues...



  • 18.  RE: Packed.Generic.271

    Posted Feb 24, 2010 11:25 AM
    We have several Windows 7 systems and all of them, and only them, are reporting this same issue. I checked the time date stamps and they all correlate to the original respective installation date. I will have to agree with pete_4u2002, since the OS is not supported in this detection, it may be a false positive. We will have to wait and see what Symantec’s response is at this point. Fortunately, removal of the encdec.dll file from both the c:\Windows\System32\EncDec.dll and c:\Windows\winsxs\x86_microsoft-windows-tvencdec_31bf3856ad364e35_6.1.7600.16385_none_e04e6c93efba3643\EncDec.dll directories does not seem to interfere with normal usage as of yet. Let's hope for a swift resolution on this and not a repeat of the delayed response from the turn of the year definition oops which clogged the update archives.


  • 19.  RE: Packed.Generic.271

    Posted Feb 24, 2010 11:28 AM
    I submitted it to Security Response. Looks to be a false positive.

    filename: EncDec.dll
    machine: Machine
    result: This file is clean
    Customer notes: Security Risk Found Packed.Generic.271 in File: C:\Windows\winsxs\x86_microsoft-windows-tvencdec_31bf3856ad364e35_6.1.7600.16385_none_e04e6c93efba3643\EncDec.dll by: Auto-Protect scan. Action: Quarantine succeeded : Access denied. Action Description: The file was quarantined successfully.
    Developer notes: EncDec.dll is a harmless part of a worm-generated email message. This file is contained by EncDec.zip


  • 20.  RE: Packed.Generic.271

    Posted Feb 24, 2010 11:39 AM
    Blah blah, Windows 7, encdec.dll, false positive.

    Nobody picked this for "what will today's SEP problem be" so the jackpot will roll over to tomorrow.  Knowing SEP it could be earlier than that


  • 21.  RE: Packed.Generic.271

    Posted Feb 24, 2010 11:49 AM
    Yes, finally spoke to support.   Security Response confirmed.   It is a false positive.

    But they did not give an ETA for a fix.



  • 22.  RE: Packed.Generic.271

    Posted Feb 24, 2010 11:52 AM
    Thanks DaFirewallMan, we all appreciate the update.


  • 23.  RE: Packed.Generic.271

    Posted Feb 24, 2010 12:03 PM

    Anyone know how to create policy based centralized exceptions?
    I can create Centralized Exceptions at each client but was hoping to do that via policy at the server and push it out...


  • 24.  RE: Packed.Generic.271

    Posted Feb 24, 2010 12:04 PM
    Found it!


  • 25.  RE: Packed.Generic.271

    Posted Feb 24, 2010 01:38 PM
    After doing a definition update, restoring the files and running a scan, we do not show the files as infected any longer.  Has anyone else seen similar results with defs 2/24/2010 r9 or newer?


  • 26.  RE: Packed.Generic.271

    Posted Feb 24, 2010 01:39 PM

    I set up and assigned a policy based exception, sepm does not seem to be applying that to the clients and the client will not let me create a local exception...
    sepm quarantines encdec.dll the second it is copied to the machine so you cannot select it to add to the exception list.

    Symantec,
    If you are reading any of this just know we are in a real bind here!!


  • 27.  RE: Packed.Generic.271

    Posted Feb 24, 2010 01:42 PM
    I also have Windows 7 so naturally the same thing happened, but I tried to remove it from quarantine on Norton and it just says there are no actions available for this item. Please, how can I save the file? Time is crucial since it's threatening to restart to wipe the file out completely.


  • 28.  RE: Packed.Generic.271

    Posted Feb 24, 2010 01:49 PM

    attached is a screen shot of our definition date, time and version, these have been changed from this morning via LiveUpdate but still EncDec.dll issue remains...


  • 29.  RE: Packed.Generic.271

    Posted Feb 24, 2010 02:12 PM
    We restored the files and ran a scan, which showed 0 problems.  When checking the quarantine the files were back in there and no longer were available in Windows Explorer.  My apologies.


  • 30.  RE: Packed.Generic.271

    Posted Feb 24, 2010 02:28 PM
    Please navigate to ftp://ftp.symantec.com/AVDEFS/symantec_antivirus_corp/rapidrelease/sequence/ and install the Rapid Release Sequence 107836 (Feb 24, 2010 rev 34). It contains corrected definitions.


  • 31.  RE: Packed.Generic.271

    Posted Feb 24, 2010 02:49 PM

    Prachard,
    Could you elaborate...

    Install on the SEPM Server or each client?
    For Windows 7 x86_32 clients, install the symrapidreleasedefsi32.exe or ...v5i32?
    Do we need navup.exe?

    I wanted to read the *.txt files for answers but still waiting for download...


  • 32.  RE: Packed.Generic.271

    Posted Feb 24, 2010 03:05 PM
    If you are having the issue on one client then install symrapidreleasedefsv5i32.exe on that client, and if on more than one, put the vd30b022.jdb on the SEPM.


  • 33.  RE: Packed.Generic.271

    Posted Feb 24, 2010 03:33 PM
    Ok... So I dropped the vd30b022.jdb into the C:\program files\symantec\symantec Endpoint Protection\data\inbox\content\incoming directory and SEPM did its thing creating another folder and whatever magic.

    The SEPM server and all clients still shows the same virus definition from earlier, is there anything I need to do to push this immediately?




  • 34.  RE: Packed.Generic.271

    Posted Feb 24, 2010 03:40 PM
    Same results here.


  • 35.  RE: Packed.Generic.271

    Posted Feb 24, 2010 03:48 PM
    What about SEP clients that update from an internal LU? The 2/24/2010 signatures have already been published to my internal LU servers via LU admin. Is there a way to roll this back to 2/23/2010 definitions? My Windows 7 clients have already got the 2/24/2010 updates for the most part.


  • 36.  RE: Packed.Generic.271

    Posted Feb 24, 2010 03:56 PM
    Downloading and installing the latest defs package (2010224-009-v5i32.exe) via Intelligent Updater resolves the erroneous detection in encdec.dll.


  • 37.  RE: Packed.Generic.271

    Posted Feb 24, 2010 04:08 PM
    Sorry, I'm a little slow on the uptake...

    What is Intelligent Updater?


  • 38.  RE: Packed.Generic.271

    Posted Feb 24, 2010 04:34 PM
    The problem seems to be resolved.  Thank you.


  • 39.  RE: Packed.Generic.271



  • 40.  RE: Packed.Generic.271

    Posted Feb 24, 2010 05:24 PM

    I am still having problems, my SEPM server and all clients still show the same definition date & version after applying the vd30b022.jdb on the SEPM server.
    Attached is a screen shot where I try to copy EncDec.dll back to the client and SEPM catches it...

    Way too many clients to apply the v5i32.exe package manually, and LiveUpdate doesn't help as it says everything is up to date.

    Any ideas?...


  • 41.  RE: Packed.Generic.271

    Posted Feb 24, 2010 05:42 PM

    I ran the symrapidreleasedefsv5i32.exe on the client pictured above which displayed a successful update message, but still cannot copy EncDec.dll back to that client. Users here are primarily virtual err... well, their desktop is, and they cannot log in with VM View client using PCoIP at all; Windows RDP client is too slow to use.


  • 42.  RE: Packed.Generic.271

    Posted Feb 24, 2010 05:52 PM
    Got it!

    Have to run the v5i32.exe locally on each client, then reboot them; after that SEPM behaves and leaves EncDec.dll alone.


  • 43.  RE: Packed.Generic.271

    Posted Feb 24, 2010 06:46 PM
    New Definitions with corrected False Positive, 24 Feb 2010 rev 35 have posted to the Live Update servers.

    Don't have a windows 7 client @ home so can't test, just wanted to get this out there - should be no need to use Rapid Release definitions.


  • 44.  RE: Packed.Generic.271

    Posted Feb 25, 2010 09:56 AM

    I would understand if these were rapid release definitions but are you telling me not one Symantec employee scanned a Windows 7 installation with those definitions?  Errors happen and we all understand that, but those definition files deleted a signed Windows system DLL file that cannot be recovered without restoring from source media.  Windows 7 is now at over 10% market share, I think it is time to test the definitions against this OS.
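    A triage check for the situation posts 8, 18 and 44 describe (a Windows system DLL flagged by a generic, heuristic detection), added here as an example; it is not code from this thread, from Symantec or from Broadcom. It records the flagged file's signature status, SHA-256 and last-write time and compares the System32 copy against the copy Windows keeps in the WinSxS component store, which is the comparison post 18 does by hand with timestamps. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt; the two default paths are the ones quoted in post 18, and the function and parameter names are assumptions of this example.

```powershell
# Added example, not code from the thread or from Symantec/Broadcom.
# Triage for a file flagged by a heuristic/generic AV detection: record
# its signature status, hash and timestamp, and compare the flagged copy
# against the copy the OS keeps in the WinSxS component store.
# Assumes Windows PowerShell 4.0 or later (Get-FileHash), run elevated.
# The two default paths are the ones quoted in the thread; the function
# and parameter names are hypothetical.
param(
    [string]$FlaggedFile   = 'C:\Windows\System32\EncDec.dll',
    [string]$ReferenceFile = 'C:\Windows\winsxs\x86_microsoft-windows-tvencdec_31bf3856ad364e35_6.1.7600.16385_none_e04e6c93efba3643\EncDec.dll'
)

function Get-FileTriage {
    param([Parameter(Mandatory = $true)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # A missing file usually means the AV has already quarantined it.
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $item   = Get-Item -LiteralPath $Path
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Caveat: many Windows system DLLs are catalog-signed rather than
    # carrying an embedded Authenticode signature, so older PowerShell
    # reports them as NotSigned. Treat NotSigned as "check further",
    # not as proof of tampering; the hash comparison below still applies.
    [pscustomobject]@{
        Path          = $Path
        Present       = $true
        LastWriteTime = $item.LastWriteTime
        SHA256        = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus     = $sig.Status
        Signer        = $signer
    }
}

$flagged   = Get-FileTriage -Path $FlaggedFile
$ref       = Get-FileTriage -Path $ReferenceFile
$osInstall = (Get-CimInstance -ClassName Win32_OperatingSystem).InstallDate

$flagged, $ref | Format-List

if (-not $flagged.Present) {
    "Flagged file is absent; it is probably already in quarantine. Restore it, then compare against the WinSxS copy."
} elseif (-not $ref.Present) {
    "No component store copy to compare against; rely on signature status and a vendor sample submission."
} elseif ($flagged.SHA256 -eq $ref.SHA256) {
    "Flagged copy is byte-identical to the WinSxS component store copy."
} else {
    "HASH MISMATCH between the System32 and WinSxS copies; do not assume a false positive."
}

# The timestamp check from post 18: a system file whose last write matches
# the original OS installation is consistent with untouched source media.
if ($flagged.Present) {
    "OS installed $osInstall; flagged file last written $($flagged.LastWriteTime)."
}
```

    An identical hash in both locations and a last-write time matching the installation are strong indications of a false positive, but the authoritative answer is still the vendor's verdict on a submitted sample, as in post 19; keep the script's output with the submission so the timeline is documented.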



  • 45.  RE: Packed.Generic.271

    Posted Feb 25, 2010 11:18 AM
    John0706

    You are unlikely to get any explanation - only a confirmation that the issue being experienced has been corrected.


  • 46.  RE: Packed.Generic.271

    Broadcom Employee
    Posted Feb 25, 2010 12:33 PM
    Hello

    I can confirm that we did unfortunately have an FP on EncDec.dll yesterday. Packed.Generic.271 is one of our more aggressive generic detections aimed at a variety of threats such as Trojan.Bredolab and some of the rogue AVs out there. Unfortunately one of the changes we made yesterday to catch some newer threats was a little too aggressive and caused us to also detect this file. By the time we realised that this FP was there, yesterday's LiveUpdate was already being posted. We kicked off a new LiveUpdate as soon as the FP was corrected. This file was in fact part of our clean file set so we're now investigating why this didn't get picked up during our certification. 

    Rest assured that we do take FPs very seriously and are already making changes to our processes to avoid FPs like this in future. Our sincere apologies for any inconvenience this may have caused.

    Orla
    Symantec Security Response