Endpoint Protection

  • 1.  Suspicious cloud 5 in user Temp directory

    Posted Jan 27, 2015 11:43 AM

    This morning we have over 15 alerts for suspicious cloud 5 malware in AppData\Local\Temp directory

    File/Entry - tmp files

    Scan - Auto-protect

    I have submitted some files to the Symantec Incident Response team and am hoping it is a false positive. But I will appreciate any help, or if anyone else has experienced the same recently.

    Regards,

    Nav



  • 2.  RE: Suspicious cloud 5 in user Temp directory

    Posted Jan 27, 2015 01:14 PM

    All the suspicious files have a common naming convention: BITxxxxx.tmp



  • 3.  RE: Suspicious cloud 5 in user Temp directory

    Posted Jan 27, 2015 01:35 PM

    This comes from SONAR using reputation. Does opening the risk log in SEPM show any more info? Like the download URL?

    They would be best suited to tell you though if it's an FP.



  • 4.  RE: Suspicious cloud 5 in user Temp directory

    Posted Jan 27, 2015 01:45 PM

    Risk name: Suspicious.Cloud.5
    Risk severity: 1
    Discovered: 01/09/2010 00:00:00
    Download site: N/A
    Downloaded or created by: c:\windows\system32\svchost.exe
    File or path: C:\Users\XXXXXX\AppData\Local\Temp\BIT792A.tmp
    Application: BIT792A.tmp
    Version:
    File size: 875088
    Category set: Malware
    Category type: Heuristic Virus
    Hash: 87517712A091DE4400B9E492FE88BBB483A1706BB243D5063AEE53E1125A6BED
    Hash algorithm: SHA-256
    Company: N/A



  • 5.  RE: Suspicious cloud 5 in user Temp directory

    Posted Jan 27, 2015 01:48 PM

    Tough to say from that. Looks like the malware could've injected itself into svchost.exe and is now trying to call home.



  • 6.  RE: Suspicious cloud 5 in user Temp directory

    Posted Jan 27, 2015 01:54 PM
    If you use Process Explorer, do you see any sub-process under svchost?

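    The questions in the last few replies (which svchost.exe created the file, whether anything runs under it, and whether the file on disk is the one in the risk log) can be answered from the host itself. The script below is an added triage example, not part of the original thread or a Symantec tool. It takes the SHA-256 and path pattern from the SEPM risk log above, assumes Windows PowerShell 4 or later on the affected machine, and must be run elevated. Step 3 checks a hypothesis the thread does not state: the BITS service stages its downloads as BIT####.tmp files, so an active or recently completed BITS job owned by a svchost.exe instance would account for both the file name and the "created by svchost.exe" field.

    ```powershell
    # Added triage script (not from the original post). Run as Administrator.
    # $riskHash is the SHA-256 reported in the SEPM risk log above.
    $riskHash = '87517712A091DE4400B9E492FE88BBB483A1706BB243D5063AEE53E1125A6BED'

    # 1. Find every BIT*.tmp in each user's local Temp, hash it, and flag the one
    #    SEPM reported. Files still being written may be locked; those are skipped.
    $hits = Get-ChildItem -Path 'C:\Users\*\AppData\Local\Temp\BIT*.tmp' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            [pscustomobject]@{
                Path           = $_.FullName
                Size           = $_.Length
                Created        = $_.CreationTime
                SHA256         = $h
                MatchesRiskLog = ($h -eq $riskHash)
            }
        }
    $hits | Format-Table -AutoSize

    # 2. "Created by svchost.exe" only means something once you know which service
    #    group that svchost instance hosts. Map every svchost PID to its services.
    Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object ProcessId |
        ForEach-Object {
            $p = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
            if ($p -and $p.ProcessName -eq 'svchost') {
                [pscustomobject]@{ PID = [int]$_.Name; Services = ($_.Group.Name -join ', ') }
            }
        } | Sort-Object PID | Format-Table -AutoSize

    # 3. Hypothesis (assumption, not stated in the thread): BITS stages downloads as
    #    BIT####.tmp. List all users' BITS jobs so each file can be tied to a job and
    #    its remote URL, or ruled out if no job references it.
    Import-Module BitsTransfer
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Select-Object JobId, DisplayName, JobState, OwnerAccount, CreationTime,
            @{ n = 'Files'; e = { ($_.FileList | ForEach-Object { "$($_.RemoteName) -> $($_.LocalName)" }) -join '; ' } } |
        Format-List

    # 4. What Process Explorer would show nested under svchost: its child processes.
    #    A legitimate service host normally has none; an injected payload that spawns
    #    a helper to call out would appear here.
    $svchostPids = Get-Process -Name svchost | Select-Object -ExpandProperty Id
    Get-CimInstance Win32_Process |
        Where-Object { $svchostPids -contains $_.ParentProcessId } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine |
        Format-Table -AutoSize

    # 5. A .tmp that begins with an MZ header is a staged executable, which is worth
    #    knowing before deciding whether an 875 KB file in Temp is expected.
    foreach ($f in $hits) {
        $bytes = Get-Content -Path $f.Path -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
        $isPE  = ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
        '{0}: PE header present = {1}' -f $f.Path, $isPE
    }
    ```

    If step 3 shows a BITS job whose LocalName matches the flagged path and whose RemoteName is a Windows Update, WSUS or other known distribution point, the detection is most likely reputation-based on a freshly downloaded binary and belongs in the false-positive submission; if no job accounts for the file, or step 4 shows an unexpected child process, treat it as a real detection and keep the file for the Incident Response submission.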

  • 7.  RE: Suspicious cloud 5 in user Temp directory

    Posted Jan 28, 2015 06:15 AM

    Hi @Nav,

    I expect those are legitimate detections.  Run SymHelp with Threat Analysis Scan to see if there is anything else suspicious on that computer.

    If you know what program they are from, trust it and feel these detections are False Positives, please do ensure that you submit them to the False Positives portal.


    Symantec Insider Tip: Successful Submissions!

    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

    ...

    For files that you believe to be safe but are currently being detected, use Symantec's False Positive Submission Site regardless of your contract. Full details on False Positives can be found in the article Best Practice when Symantec Endpoint Protection is Detecting a File that is Believed to be Safe.  Also note: be careful with terms!  The Whitelisting portal is not the same as the False Positives portal (see below for details on whitelisting).