Trojan Horse Detected by SEP 11 under a Closed Network
Created: 15 Nov 2012 | Updated: 15 Nov 2012 | 9 comments
Hi,
Recently SEP 11 has detected a Trojan horse on 2 files in my client's Windows 2003 Server in a closed network. One of the files is named .opmndat in C:\product\10.1.3.1\OracleAS_1\opmn\logs\states, which seems to be a log file created during Oracle Services start-up. I tried to open the file with Notepad and there is only a numerical string. It is already quarantined. The other is called DWH3.temp in C:\Windows\Temp, which no longer exists after the SEP alert.
Why could such files be detected as a Trojan horse, and how can I prevent these alerts from SEP 11? Grateful if anyone can help. Thank you!
Cilei
What version of 11.x? This thread is similar:
https://www-secure.symantec.com/connect/forums/gen...
It is likely a false positive.
SEP Knowledge Base
Endpoint SWAT
Hi Brian,
Thanks for your prompt reply. The version is 11.0.7000.975. I am going through the thread.
Cilei
This is a known issue. Each new version has improvements, but I still believe this may be a false positive.
SEP Knowledge Base
Endpoint SWAT
Yes Brian81,
when will we get a permanent fix for the DWH.tmp false positive? It's a huge headache.
Mohan Babu
moglie20@gmail.com
+91 9884382160
Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please mark it accordingly :)
Hi Brian,
Does the same apply to the Oracle log file named '.opmndat'?
Cilei
Here's an official article on the subject:
With thanks and best regards,
Mick
Mick2009, SYMANTEC EMPLOYEE
I agree with you, but there is still no fix as per the documentation you mentioned above.
Files re-detected during Defwatch scan
Fix ID: 2067778
Symptom: DWHxxxx.tmp files are being re-detected when Defwatch scan is running.
Solution: Fixed some scan issues, making the scan faster. Also created a separate folder to rescan Quarantine items that can be used to create exceptions.
But no fixes are mentioned in the document, and it's crazy.
On every release they update the KB article stating that the DWH.tmp issue has been improved in the latest build in scan performance and so on, but nothing happens, and it still shows as infections trojan.gen, trojan.gen2, trojan.maljava and so on. People who use SEP get scared because of this false positive. We need a fix for this instead of going around doing nothing, and the simple workaround of not scanning Quarantine when new definitions arrive.
Expecting a permanent fix for this.
Mohan Babu
moglie20@gmail.com
+91 9884382160
Your satisfaction is very important to us. If you find the above information helpful or it has resolved your issue, please mark it accordingly :)
Upgrading to SEP 12.1 will make a dramatic improvement. Otherwise, it is safe to know that these DWH events under SEP 11 are a known issue.
With thanks and best regards,
Mick
Please contact Support, have a case created and get proper assistance.
Phone numbers to contact Tech Support:
Regional Support Telephone Numbers:
United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000
India: Toll-Free 000 800 4401 456 directly
IDD call: +61 2 8220 7111
Additional contact numbers: http://www.symantec.com/business/support/contact_techsupp_static.jsp
Customer Care Contact Numbers for Licensing Issues:
http://www.symantec.com/support/assistance_care.jsp
How to create a new case in MySupport
http://www.symantec.com/business/support/index?page=content&id=TECH58873
Where to upload a suspected File?
https://submit.symantec.com/websubmit/gold.cgi