SCCM 2007 False Negative

Updated: 13 Oct 2010 | 10 comments
Posted by Minedu | 0 votes
This issue has been solved.

Has anyone had what I suspect as a "False Negative" with SCCM 2007?

We have recently installed SCCM 2007 (with all the latest service packs) onto a W2K8 R2 server; however, SEP has started reporting the following files as Trojan.gen:

- tools.exe
- changecache.exe

Both are located in "C:\Program Files (x86)\Microsoft Configuration Manager\AdminUI\XmlStorage\Tools".

We are running version 11.0.6000.550 with the latest update.

To mitigate the issue we have added a local exclusion, but it would be nice not to have to. Not a big issue as we are only running one instance of SCCM, but I'm sure we aren't the only organisation that uses this product.

Cheers.

Comments

Mick2009 | 06 Sep 2010 | 1 vote

Please supply more information...

HI Minedu,

Just a clarification on terminology: if SEP is reporting files as infected and you believe they are safe, it's referred to as a "false positive." A false negative would be a malicious file that SEP scanned and missed.

This article is the best place to begin: Best Practice when Symantec Endpoint Protection or Symantec AntiVirus is Detecting a File that is Believed to be Safe (http://service1.symantec.com/support/ent-security....)

I am not aware of any FP that affects the file names that you have listed, but file names are a poor indicator of a file's true nature. Can you list the unique MD5 hash value of each? With that information I can go and check for similar reports.

It would also be good if you could export the SEP risk history that shows those files being detected and attach it to this community thread. I will keep an eye out for it!

Thanks and best regards,

Mick


autclock | 07 Sep 2010 | 0 votes

About SCCM false positive

Mick,

I have the same quarantined files as Minedu. How do I detect whether these files are actually infected?

Mick2009 | 07 Sep 2010 | 0 votes

MD5's?

Hi Autclock,

Can you let me know the MD5 hash values of those files?

The links, etc. above will also help...

Thanks and best regards,

Mick


autclock | 07 Sep 2010 | 0 votes

I don't have these tools

I don't have the tools mentioned in the links. Must I contact support to get these tools?

autclock | 07 Sep 2010 | 0 votes

I have the hash value

What would be the best method of letting you know the hash value?

hakkerjak | 07 Sep 2010 | 0 votes

Same reported infection

We are getting the same reported infection. I believe this is part of the right-click tools.

changecachesize.vbs MD5: fd7ae021ffdcbacf79ee73a67ec7d7e9

Thanks for your help Mick2009.

Attachment: riskeventsexport.xls (23.5 KB)
Minedu | 07 Sep 2010 | 0 votes

File Details

Hi Mick2009,

Thanks for your response. This is, as you described, a "false positive"; my mistake.

Below are the MD5 hashes, and attached is the risk report.

changecache.exe MD5: 98f552c986c8ed4bc489b1a676b542de
Tools.exe MD5: 47e7bdb33b4ccca0c9fed98a4ed9b8ea

Thanks.

Attachment: Risk Log.xlsx (9.59 KB)
bjohn | 07 Sep 2010 | 0 votes

Same issue here, and yes, I believe it is part of the right-click tools. (I just ignored it.)

I also had "Setup.exe" from Akeni instant messenger detected as Trojan.gen last week.

Mick2009 | 08 Sep 2010 | 0 votes

Good News

Thanks all, that's the information I needed.

changecache.exe (MD5 98f552c986c8ed4bc489b1a676b542de) was initially detected as Trojan.Gen, but a False Positive was confirmed upon analysis. Current certified definitions from Symantec will no longer detect this file.

tools.exe (MD5 47e7bdb33b4ccca0c9fed98a4ed9b8ea) was initially detected as Trojan.Gen, but a False Positive was confirmed upon analysis. Current certified definitions from Symantec will no longer detect this file.

So: those files were briefly detected as Trojan.Gen, but downloading the latest definitions will ensure they are recognized as clean.

changecachesize.vbs (MD5 fd7ae021ffdcbacf79ee73a67ec7d7e9): I cannot find any record of Symantec receiving a submission of this file. If this .vbs is believed to be safe and is being detected, please do submit it to Security Response for analysis according to the procedure in the links above. Engineers can take a second look and change the detection if appropriate.

Please do let the forum community know if this resolves the issue or if there is any additional question which needs attention.

Thanks and best regards,

Mick
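Since Mick's point is that file names are a poor indicator and the MD5 is what identifies the file, here is an added example (not from the thread or from Symantec) that hashes the detected files and checks them against the values this thread settled on. The directory path, the output field names and the sample bytes are my own assumptions; the hashes are the ones posted above.

```python
import hashlib
from pathlib import Path

# MD5 values that Mick2009 confirmed as false positives in this thread.
CONFIRMED_FP = {
    "98f552c986c8ed4bc489b1a676b542de": "changecache.exe",
    "47e7bdb33b4ccca0c9fed98a4ed9b8ea": "tools.exe",
}
# Hash hakkerjak posted; no submission was on record, so it stays unconfirmed.
UNCONFIRMED = {
    "fd7ae021ffdcbacf79ee73a67ec7d7e9": "changecachesize.vbs",
}

# Default SCCM tools folder quoted in the original post (assumed unchanged).
TOOLS_DIR = Path(r"C:\Program Files (x86)\Microsoft Configuration Manager"
                 r"\AdminUI\XmlStorage\Tools")


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the file contents (MD5 is what Symantec asked for here)."""
    return hashlib.md5(data).hexdigest()


def classify_hash(filename: str, md5: str) -> dict:
    """Map a file's MD5 onto the thread's verdicts; unknown hashes stay quarantined."""
    md5 = md5.lower()
    if md5 in CONFIRMED_FP:
        status, note = "confirmed-false-positive", "update definitions; exclusion not needed"
    elif md5 in UNCONFIRMED:
        status, note = "unconfirmed", "submit to Security Response for analysis"
    else:
        status, note = "unknown", "hash not in thread; keep quarantined and submit"
    expected = CONFIRMED_FP.get(md5) or UNCONFIRMED.get(md5)
    # A known hash under a different name still identifies the same bytes, but flag it.
    if expected and expected.lower() != filename.lower():
        note += f" (hash belongs to {expected}, name differs)"
    return {"file": filename, "md5": md5, "status": status, "note": note}


def classify_bytes(filename: str, data: bytes) -> dict:
    return classify_hash(filename, md5_hex(data))


def classify_dir(directory: Path = TOOLS_DIR) -> list:
    """Hash every regular file in the tools folder and classify it."""
    return [classify_bytes(p.name, p.read_bytes())
            for p in sorted(directory.iterdir()) if p.is_file()]


if __name__ == "__main__":
    for row in classify_dir():
        print(f"{row['status']:26} {row['md5']} {row['file']}: {row['note']}")
```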

Minedu | 12 Sep 2010 | 1 vote

Hi Mick,

I can confirm that this is now working. I have removed the local exception, and there are no more alerts about trojans.

Thanks for your help.