Endpoint Protection

  • 1.  securityrisk.orphaninf detections

    Posted May 12, 2011 10:14 AM

    Lately, the Symantec Anti-Virus software on more than 100 of our PCs started to alert on "securityrisk.orphaninf".

    Each of these PCs has a home folder on a departmental file server. The infected AutoRun.inf files are residing in the home folders. For some reason, the Symantec AV client on the PC is unable to delete the infected AutoRun.inf files in the home folder.

    A full virus scan on the departmental file server is unable to detect these infected AutoRun.inf files (even though the infected AutoRun.inf files are in that file server).

    Questions:

    1. Is anyone experiencing the same situation in the past couple of days?

    2. Can I safely assume that the "SecurityRisk.orphaninf" detections we are seeing are actually a clean-up routine for a previous infection which has now been included in the latest virus definitions?



  • 2.  RE: securityrisk.orphaninf detections

    Trusted Advisor
    Posted May 12, 2011 10:29 AM

    Hello,

    This is a new detection that was rolled out last month with the latest virus definitions. If you see this detection it is because the autorun.inf had a reference to a file that could not be found. This can happen for any number of reasons. While it is an attack vector for some malware, securityrisk.orphaninf only means that the file referenced in the autorun.inf is missing and the autorun.inf gets removed.

    SecurityRisk.OrphanInf
    Updated: 4 April 2011 4:19:45 AM

    Do you see this issue happening continuously?

    Please scan the machines again, and I am sure you will not see these detections again.


  • 3.  RE: securityrisk.orphaninf detections

    Posted May 12, 2011 10:32 AM

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-040403-3248-99

    The Technical Details tab will provide more information regarding this particular detection. 

    What action is SAV taking on the file when detected? This should be noted in the client's risk log and/or scan log. 

    Is Auto-Protect detecting the file on the PC's, or is it only detected during a system scan?

    When running the full scan on the server hosting the PC's home folders, is the file present in the directory before the scan is launched?

    Based on the write-up for this detection, it is possible that the autorun.inf files are remnants of a previous risk. It is not uncommon for risks to utilize autorun. Typically you can edit the autorun.inf file and see what process or executable it is attempting to launch.
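
Reading the two replies above together (an orphan is an autorun.inf whose launch target no longer exists, and opening the file shows what it tried to run), here is an added example that automates that check across the home folders on a share. It is not code from this thread or from Symantec. It parses the standard [autorun] keys (open, shellexecute, shell\<verb>\command) leniently, because malware-written autorun.inf files are often padded with junk, and reports a folder as "orphan" only when every launch target is missing. The home-folder names and autorun.inf contents below are constructed sample data written into a temporary directory.

```python
import os
import re
import tempfile
from pathlib import Path

# [autorun] keys whose value names a program to launch. "icon=" only points at
# an icon resource, so a dangling icon does not make the file a launcher.
LAUNCH_KEYS = {"open", "shellexecute"}
KEY_RE = re.compile(r"^\s*([^=;\[]+?)\s*=\s*(.*?)\s*$")


def parse_autorun(text):
    """Return {key: value} from the [autorun] section, lower-casing keys.

    Deliberately lenient: a strict INI parser would reject the filler lines
    that worm-written autorun.inf files commonly contain.
    """
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("\ufeff")
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_autorun = line.lower().startswith("[autorun")
            continue
        if in_autorun:
            m = KEY_RE.match(line)
            if m:
                entries[m.group(1).lower()] = m.group(2)
    return entries


def launch_target(value):
    """Strip arguments from a command-line style value, honouring quotes:
    '"setup.exe" /s' -> 'setup.exe', 'recycled\\abc.exe /q' -> 'recycled\\abc.exe'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def is_launch_key(key):
    # shell\<verb>\command=... adds a context-menu action that also runs a program.
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def check_autorun(inf_path):
    """Classify one autorun.inf.

    Returns (status, targets): 'orphan' when every launch target is missing
    (the condition the detection in this thread flags), 'ok' when at least
    one exists, 'no-launch' when the file launches nothing. Targets resolve
    relative to the directory holding autorun.inf: the drive root on
    removable media, the share root for the home folders discussed here.
    """
    inf_path = Path(inf_path)
    entries = parse_autorun(inf_path.read_text(errors="replace"))
    targets = {}
    for key, value in entries.items():
        if is_launch_key(key):
            target = launch_target(value)
            if target:
                rel = target.replace("\\", os.sep)  # Windows separators -> host
                targets[key] = (target, (inf_path.parent / rel).exists())
    if not targets:
        return "no-launch", targets
    if any(exists for _, exists in targets.values()):
        return "ok", targets
    return "orphan", targets


def scan_home_folders(root):
    """Check every <root>/<user>/autorun.inf; returns {user: status}."""
    return {inf.parent.name: check_autorun(inf)[0] for inf in Path(root).glob("*/autorun.inf")}


def demo():
    """Constructed sample data: three home folders under a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="homes_"))
    # Worm remnant: the dropper it pointed at was already cleaned up.
    (root / "jsmith").mkdir()
    (root / "jsmith" / "autorun.inf").write_text(
        "[autorun]\r\nopen=recycled\\abc.exe\r\n"
        "shellexecute=recycled\\abc.exe /q\r\nshell\\open\\command=recycled\\abc.exe\r\n"
        "icon=recycled\\abc.exe\r\n;random padding\r\n"
    )
    # Benign installer image copied into a home folder; its target exists.
    (root / "mlee").mkdir()
    (root / "mlee" / "setup.exe").write_bytes(b"MZ")
    (root / "mlee" / "autorun.inf").write_text('[AutoRun]\r\nOPEN = "setup.exe" /s\r\nicon=setup.exe,0\r\n')
    # Icon-only file: nothing to launch, so nothing to orphan.
    (root / "pkim").mkdir()
    (root / "pkim" / "autorun.inf").write_text("[autorun]\r\nicon=disk.ico\r\nlabel=Backup\r\n")
    return scan_home_folders(root)


if __name__ == "__main__":
    for user, status in sorted(demo().items()):
        print(f"{user}: {status}")
```

Run it against the real share root instead of the temp directory by calling scan_home_folders on that path. A folder reported as "orphan" matches what the detection means, and the target names in check_autorun's second return value are worth recording before the file is deleted, since they identify the executable the earlier infection was launching.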



  • 4.  RE: securityrisk.orphaninf detections

    Posted May 12, 2011 04:50 PM

    Are the detections showing a file path of "Unknown"?

    Are you utilizing Hummingbird software or another software to mount these mapped drives and/or are these mapped drives hosted on a Unix server?

    If you can answer yes to any of the above I would recommend opening a support case as soon as possible.

    If you have the following information and data available it will expedite the process of having this issue analyzed by our technicians.

    Complete version build of the Hummingbird software (if used).

    Complete version build of SAV/SEP that is having the detections.

    If you are running SEP, you can gather the SEP Support Tool output for the technician to review. This would include the relevant logs and SEP build information.



  • 5.  RE: securityrisk.orphaninf detections

    Posted May 12, 2011 09:25 PM

    Kurt,

    Please see my reply to your questions below:

    Kurt: What action is SAV taking on the file when detected? This should be noted in the client's risk log and/or scan log. 

    Andy: On different PCs, SAV is taking one of the following actions: Quarantined, Left Alone or Deleted. However, the file path is stated as "Unavailable".

    Kurt: Is Auto-Protect detecting the file on the PC's, or is it only detected during a system scan?

    Andy: Symantec is detecting the file on "Start-up" scans or during "Manual Scans".

    Kurt: When running the full scan on the server hosting the PC's home folders, is the file present in the directory before the scan is launched?

    Andy: When running the full scan, the file is present in the directory before the scan is launched. However, the scan did not pick up the infected AutoRun.inf files. Only the PCs do.



  • 6.  RE: securityrisk.orphaninf detections

    Posted May 13, 2011 08:30 AM

    Sounds like you're experiencing a newly discovered issue with the Eraser engine. I would recommend opening a case with support to get further assistance. I'm not sure if there are any fixes or workarounds available yet, but I know our team is working to get this resolved asap.

    The technician that assists you will most likely want to know which build of SAV/SEP you are running on your systems, as well as if you are using any software to mount these network drives and what version of that particular software is in use. 

    Most likely once an update is available to remediate this issue it will be made available through the LiveUpdate download.

    Regards.