Endpoint Protection


SEP Daily scanning for non-existent file...is it looking for known bad?

  • 1.  SEP Daily scanning for non-existent file...is it looking for known bad?

    Posted Jan 05, 2011 10:08 PM

    I've seen two separate postings with identical issues to what I'm seeing with responses that didn't seem to resolve the issue:

    https://www-secure.symantec.com/connect/forums/9129837exe

    https://www-secure.symantec.com/connect/forums/sep-scanning-possible-rootkit

    In summary, I have a user running Vista with Symantec Endpoint Protection installed on the computer.  A full daily scan is run and within the first 5 minutes, it pauses for about 10-20 seconds on the following files:

    c:\windows\hide_evr2.sys
    c:\windows\9129837.exe
    c:\windows\system32\VirusRemoval.vbs
    c:\windows\system32\NewVirusRemoval.vbs

    The files do not exist on the file system.  I mounted a forensic image and reviewed the files through EnCase and do not see any trace that such a filename existed on the disk, or any entry in the MFT marked as a deleted entry or even overwritten.  Is SEP scanning only existing files or is it also scanning a list of known bad as well?  Obviously the scan came back with nothing, but the fact that it paused at the above entries caused the user to google the file names, which come back with hits with alarming rootkit information.  Is the SEP scan also looking for a list of known bad file names that may have never even existed on the computer?



  • 2.  RE: SEP Daily scanning for non-existent file...is it looking for known bad?

    Broadcom Employee
    Posted Jan 05, 2011 10:12 PM

    I do not think SEP scans files which are not present on the system.

    Hope you have checked for hidden files.



  • 3.  RE: SEP Daily scanning for non-existent file...is it looking for known bad?

    Posted Jan 05, 2011 10:17 PM

    If it is/was a rootkit, those files would not likely be visible even if the option to view hidden files was checked. You would need to locate the master process first. Your best bet is to try a rootkit scanner such as IceSword, GMER, or Rootkit Revealer.



  • 4.  RE: SEP Daily scanning for non-existent file...is it looking for known bad?

    Posted Jan 06, 2011 12:38 AM

    I'm using EnCase to peruse the filesystem from a forensic image of the disk, so hidden or deleted entries of a file aren't relevant because they will show up here.  A rootkit can hide the process, yes, but it still has to execute from a file binary.  I have yet to see a rootkit that removes itself from the filesystem and MFT and still maintains persistence - it would have to be some advanced rootkit.  My question is more pointing to how SEP performs the scan - how it enumerates the file listing to scan and if this list includes some known list of bad files that may not exist on the MFT of the device being scanned.  Most likely need a product SME.



  • 5.  RE: SEP Daily scanning for non-existent file...is it looking for known bad?

    Posted Jan 06, 2011 01:01 AM

    You can try using Symantec Endpoint Recovery Tool and scan your HD from a LiveCD. This should provide a conclusive answer whether or not this is a rootkit issue.



  • 6.  RE: SEP Daily scanning for non-existent file...is it looking for known bad?

    Posted Jan 06, 2011 11:54 AM

    Is SEP scanning for only existing files or is it also scanning a list of known bad as well?

    Is this a full daily scan, or a Quick Scan on startup?  I've had a case in the past similar to what you describe regarding the latter, which scans common load points for known threats.  I can't find a SEP-specific document, but this document (regarding SAV) says the following:

    A Quick Scan is a fast scan of the following:

    • Files loaded into memory
    • Common virus and security risk loading points, including registry keys and startup files

    sandra



  • 7.  RE: SEP Daily scanning for non-existent file...is it looking for known bad?

    Posted Apr 20, 2011 10:27 PM

    Hi everyone


    So I found this thread that summarizes the problem I am also facing.

    A few days back, my computer (Win7) hung when I clicked on skype twice and some other things on firefox, my system hung badly and I force shut it down (after task manager could not close things).

    Then it could not startup and after repairs and system restore, it became extremely slow.

    So I reinstalled Win7 (twice, coz the first time I forgot to format clean).

    Then, Symantec scan shows these weird 4 files listed above for 15-30 seconds but reports nothing. I also tried other scanners (Avira, AVG etc.) but nothing major.


    Also the registries which should be bad according to

    http://www.symantec.com/security_response/writeup.jsp?docid=2006-110710-2700-99&tabid=2

    seem all correct.


    What should I do? Is it really a threat (I think it is) or does SEP look for these files?

    Thanks

    Mohit



  • 8.  RE: SEP Daily scanning for non-existent file...is it looking for known bad?

    Broadcom Employee
    Posted Apr 21, 2011 12:15 AM

    Scan the system in safe mode with the latest virus definitions.

    What action has SEP taken on the files?

    Submit any suspicious file to the Symantec team for analysis.



  • 9.  RE: SEP Daily scanning for non-existent file...is it looking for known bad?

    Posted Apr 21, 2011 11:05 AM

    The QuickScan is showing you, very briefly, what it's looking for. If it isn't finding it, then that's a good thing.

    sandra



  • 10.  RE: SEP Daily scanning for non-existent file...is it looking for known bad?

    Posted Apr 23, 2011 02:10 PM

    I ran in safe mode after live-updating but still no files were caught.

    I see these weird filenames both in active-scan and full-scan.


    Thanks

    Mohit



  • 11.  RE: SEP Daily scanning for non-existent file...is it looking for known bad?

    Posted Apr 25, 2011 10:27 AM

    Is it possible to get a screen capture?

    I'm still pretty confident that what you're seeing is what the scan is looking for when it does a check of common load points. I thought it was limited to Quick Scan but it's possible the Full Scan also is checking for these things (it would not surprise me).

    sandra
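As an added example, not part of the thread or of SEP's own code: the load-point check sandra describes in posts 6 and 11, written in Python against constructed Run-key style entries. It separates "is this image name on the watchlist" from "does the image actually exist on disk", which is the distinction the original post is asking about. The watchlist (the four names from post 1), the sample entries, and the %SystemRoot% mapping are all constructed assumptions.

```python
"""Triage of autostart (load-point) entries against a watchlist of file
names, the kind of check a Quick Scan of "common loading points" performs.

Added example for this thread, not SEP code. Entries and the watchlist
are constructed sample data; the four names come from the original post.
"""
import os
import re
import tempfile

# File names from the thread, compared case-insensitively (constructed list).
WATCHLIST = {"hide_evr2.sys", "9129837.exe", "virusremoval.vbs", "newvirusremoval.vbs"}


def extract_image_path(command, env):
    """Return the executable path from a Run-key style command line.

    Handles a quoted path followed by arguments, an unquoted path, and
    %VAR% expansion from the supplied mapping (keys lower-cased).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(None, 1)[0]  # unquoted: path ends at first space
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def triage_load_points(entries, env):
    """Per entry: is the image name on the watchlist, and does the image exist?
    The two answers are independent, which is the point of the thread."""
    report = []
    for name, command in entries:
        path = extract_image_path(command, env)
        base = re.split(r"[\\/]", path)[-1].lower()
        exists = os.path.isfile(path.replace("\\", os.sep))
        report.append({"entry": name, "path": path,
                       "on_watchlist": base in WATCHLIST, "exists": exists})
    return report


def demo():
    """Constructed Run-key entries checked against a throwaway %SystemRoot%."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "System32"))
    with open(os.path.join(root, "System32", "updater.exe"), "wb") as f:
        f.write(b"MZ")  # placeholder bytes; only existence matters here
    entries = [
        ("Updater", '"%SystemRoot%\\System32\\updater.exe" /quiet'),  # present, benign
        ("Loader", "%SystemRoot%\\9129837.exe"),                      # watchlisted, absent
        ("Sync", "%SystemRoot%\\System32\\sync.exe -start"),          # dangling load point
    ]
    return triage_load_points(entries, {"systemroot": root})


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A scanner pausing on a watchlisted name says only that the name was checked; the `exists` column is what tells you whether there is anything on disk to worry about.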