Endpoint Protection


Symantec is showing this notification: [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked

  • 1.  Symantec is showing this notification: [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked

    Posted May 13, 2015 04:58 PM

    [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked. Traffic has been blocked for this application: \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\CHROME.EXE

    One of my clients is experiencing this issue when using either Chrome or IE. It keeps popping up when he tries to use the internet, which prevents him from browsing because it's being blocked by Symantec AV. I need assistance with this issue and how to fix it for total removal.

    Thanks and regards.



  • 2.  RE: Symantec is showing this notification: [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked
    Best Answer

    Posted May 13, 2015 08:26 PM

    What plugins do they have installed within Chrome? Have you tried completely disabling them?

    Within the alert what is the remote IP address?

    More info here:

    http://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=25752



  • 3.  RE: Symantec is showing this notification: [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked

    Posted May 13, 2015 08:35 PM

    Even if I remove or disable the plugins in Chrome, it still comes back. It also happens when I'm using Internet Explorer, and the plugins installed in IE can't be disabled because they are grayed out.

     

    [Attached screenshots: fake plug.png, fake plug2.png]



  • 4.  RE: Symantec is showing this notification: [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked

    Posted May 13, 2015 09:01 PM

    The 10.x.x.x address is internal, no? Proxy server?



  • 5.  RE: Symantec is showing this notification: [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked

    Posted May 13, 2015 09:22 PM

    Yes, I guess it is an internal address and we are using a proxy server.



  • 6.  RE: Symantec is showing this notification: [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked

    Posted May 13, 2015 09:30 PM

    So because SEP is not proxy aware, it will block it and not allow you to browse the web.

    Have you tried scanning the machine with something like combofix or adwcleaner?



  • 7.  RE: Symantec is showing this notification: [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked

    Posted May 13, 2015 09:36 PM

    I haven't tried any other cleaner or malware remover. Is it safe to use those?

    Thanks.



  • 8.  RE: Symantec is showing this notification: [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked

    Posted May 13, 2015 09:45 PM

    Yes. They're no different than any other. If SEP scans aren't detecting it then you should use something else.

    The SymHelp tool offers a threat analysis scan, so you can try that as well.

    TECH215550: 'About the Threat Analysis Scan'



  • 9.  RE: Symantec is showing this notification: [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked

    Posted May 14, 2015 01:46 AM

    I already resolved my problem. I deleted all the unwanted programs that were installed on my system and reset the browser configurations. Thanks.



  • 10.  RE: Symantec is showing this notification: [SID: 28239] System Infected: Fake Plugin Activity 2 attack blocked

    Posted Jun 08, 2015 03:13 AM

    I tried ComboFix. It's a great tool, but after using it, don't forget to remove it using this command:

    ComboFix /Uninstall


    Use this link to know how to use this program:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix