Endpoint Protection

  • 1.  Trojan worm zijqqnt.exe automatically added to User-Allowed Application view in exceptions policy

    Posted Jul 10, 2012 07:28 AM

    Hi

    SEPM 12.1 RU1 (log) found a trojan worm zijqqnt.exe which was placed in quarantine, but 15 minutes later it was changed to an allowed application. The user does not have admin rights and could not have created an exception rule to allow the application. We accidentally noticed this trojan worm when we were looking at the user-allowed application view in the Exception policy.

    For some reason there was an exception rule created on the client computer which could not be done by the user. With my admin account I was able to delete the rule and also the quarantined file from the client computer.

    I have created a rule in the exception policy (applied to all computers) to remove the application (see attached image) but when I delete this rule the application will automatically re-appear in the User-allowed Applications list.

    Is there anybody who has seen/had this issue before?

    How can we remove zijqqnt.exe from the user-allowed application view of the exceptions policy?

     

    thanks

    Rogier
     



  • 2.  RE: Trojan worm zijqqnt.exe automatically added to User-Allowed Application view in exceptions policy

    Trusted Advisor
    Posted Jul 10, 2012 07:38 AM

    Hello,

    Even if the User may or may not have created the exception, the Administrator Rule would always overwrite the User exception.

    In your case, could you please work on the steps provided in the article below and submit the files (including the zijqqnt.exe) to Symantec Security Response.

    Using Symantec Support Tool, how do we Collect the Suspicious Files and Submit the same to Symantec Security Response Team.

    Hope that helps!!



  • 3.  RE: Trojan worm zijqqnt.exe automatically added to User-Allowed Application view in exceptions policy

    Posted Jul 10, 2012 09:06 AM

    Hi,

     

    Thanks for your quick response.

     

    I ran the support tool and will send the full report to Symantec technical support (my case).

    It looks like the file zijqqnt.exe has been removed from the client computer.

    I have attached an image of the Sonar log which shows the strange behaviour regarding user allowed application. Because of this the application appears in the user-allowed application view of the Exception policy.
    Do you know if it is possible to remove zijqqnt.exe from the user-allowed application list/view?

     

    Thanks

     

    Rogier

     



  • 4.  RE: Trojan worm zijqqnt.exe automatically added to User-Allowed Application view in exceptions policy

    Trusted Advisor
    Posted Jul 10, 2012 09:32 AM

    Hello,

    As I see, this application is being used in the user profile.

    Check the article below on what could be done:

    How to Block Known Virus Executables that run from %UserProfile% using Application and Device Control

    http://www.symantec.com/docs/TECH131741

    You could also check this article:

    How to troubleshoot FakeAV if it is not detected

    Hope that helps!!