
Trojan.Gen.2 removal for a Mac

Created: 31 Jul 2014 | 11 comments

SEP 12.1.2015

MacOS 10.9.4

On 7/23 and 7/31 I've been notified that I have Trojan.Gen.2. Seems to be via the Auto Protect function vs. a Full Scan.

I've read some old forums that say this is a PC-only problem, but it's still annoying to get the messages that this has been found and it cannot be removed.

Here's a copy of the History info: Screen Shot 2014-07-31 at 9.54.33 AM.png

Any suggestions on what I can do to quarantine or remove this? SEP fails when it attempts to remove it.


chin_aust

Run this tool to clean it:

How to run the Threat Analysis Scan in Symantec Help (SymHelp)

Article:TECH215519  |  Created: 2014-03-03  |  Updated: 2014-07-10  |  Article URL http://www.symantec.com/docs/TECH215519
JimPo

SymHelp appears to be a Windows only tool. Is there a Mac version or process?

.Brian

Have you tried a manual removal?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

JimPo

I am assuming that manual removal /deletion of the files referenced in the history is what you are describing, correct? Probably not a big deal for the com.vsearch files. I'm concerned about the other ones as I saw one of the SEP warning messages said it was associated with the Apple "Report Crash" utility. I'm not sure how to validate that. Have you got any ideas on that?


.Brian

Seems that may be a false positive? Does anything come up if you run a scheduled/manual scan?


JimPo

Thanks for the suggestion. It looks like things are getting worse before they get better. It took a couple of hours for the scheduled scan to run. I'm including the new history file for comparison to this morning's results. You'll see that more items, from the same general area, have been added to the infection list. Screen Shot 2014-07-31 at 5.53.52 PM.png

Any more suggestions?

sandra.g

There is a similar tool for Mac called GatherSymantecInfo. It might be helpful in trying to track down the full file path where the detected files are located. Bear in mind, though, that 12.1.2 is unsupported on Mac OS X 10.9.

Gathering information about Symantec products on a Macintosh using GatherSymantecInfo
http://www.symantec.com/business/support/index?page=content&id=TECH134761

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

sandra.g

If you're really running SEP 12.1.2 on Mac OS X 10.9... 12.1.2 is not supported on that OS.

System Requirements for Symantec Endpoint Protection, Enterprise and Small Business Editions, and Network Access Control 12.1.2 and 12.1.3
http://www.symantec.com/business/support/index?page=content&id=TECH195325

So where exactly are the files located? You may have to hover the mouse over the file location to see it. You may see more info in the Mac Console logs.

Detections within a compressed file (like a zip file), within the Java cache, or within a Time Machine backup may not be able to be removed.

Re: Virus found in TimeMachine, yet not allowed to delete
https://discussions.apple.com/message/21391417

Anti-Virus checker/scanner has detected a virus. Is it related to Java?
http://java.com/en/download/help/cache_virus.xml

Hope this helps,

sandra

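Two questions in this thread lend themselves to a script: JimPo asks how to validate that a flagged file really is Apple's ReportCrash utility, and sandra.g notes that detections inside a Time Machine backup, the Java cache or an archive cannot be removed in place. The following triage script is an added example, not code from the thread or from Symantec. The function names, the advice text and the sample paths are mine; the Java cache locations assume Apple's Java 6 and Oracle's Java 7 layouts. The signature check calls macOS's own codesign(1) and pkgutil(1), so it only gives a verdict on a Mac; elsewhere it reports that codesign is unavailable.

```shell
#!/bin/sh
# Added example, not part of the thread: triage paths that SEP flagged on a Mac.
#  - classify_location / advise: why a detection may be unremovable in place
#    (Time Machine backup, Java cache, inside an archive) and what to do instead.
#  - check_apple_signature: asks macOS codesign(1) whether a flagged binary such
#    as ReportCrash is genuinely Apple-signed. Needs macOS; elsewhere it reports
#    that codesign is unavailable. Java cache paths are those of Apple Java 6 and
#    Oracle Java 7 (assumed); sample paths in the tests/usage are constructed.

# Print one of: timemachine | javacache | archive | other
classify_location() {
  case "$1" in
    /Volumes/*/Backups.backupdb/*|*/.MobileBackups/*)
      echo timemachine ;;
    */Library/Caches/Java/*|*"/Library/Application Support/Oracle/Java/Deployment/cache/"*)
      echo javacache ;;
    *.zip|*.jar|*.tar|*.tgz|*.tar.gz|*.dmg|*.pkg|*.war)
      echo archive ;;
    *)
      echo other ;;
  esac
}

# Human-readable follow-up for each location class.
advise() {
  case "$(classify_location "$1")" in
    timemachine) echo "Time Machine backup: the scanner cannot delete here. Remove it in Time Machine ('Delete All Backups of...') or exclude the path from scans." ;;
    javacache)   echo "Java cache: clear it from the Java Control Panel (General > Temporary Internet Files > Delete Files)." ;;
    archive)     echo "Inside an archive: the scanner will not rewrite the archive; delete or rebuild it." ;;
    *)           echo "Regular file: remove manually once you have confirmed it is not a legitimate signed system binary." ;;
  esac
}

# 0 = signature valid and chained to Apple's root; 1 = unsigned, altered or
# not Apple's; 2 = codesign not available on this host.
check_apple_signature() {
  command -v codesign >/dev/null 2>&1 || return 2
  # --verify checks the signature against the bytes on disk; -R='anchor apple'
  # additionally requires the certificate chain to end at Apple's root CA.
  codesign --verify -R='anchor apple' "$1" 2>/dev/null || return 1
  # Record who signed it (Identifier, Authority chain, TeamIdentifier).
  codesign -dvv "$1" 2>&1 | grep -E '^(Identifier|Authority|TeamIdentifier)=' || true
  return 0
}

# Usage: sh sep_triage.sh /path/reported/in/SEP/history ...
for p in "$@"; do
  echo "== $p"
  echo "location: $(classify_location "$p")"
  advise "$p"
  [ -f "$p" ] || continue
  rc=0
  check_apple_signature "$p" || rc=$?
  case $rc in
    0) echo "signature: valid, anchored to Apple -> likely a false positive on a system file" ;;
    1) echo "signature: missing, broken or not Apple's -> treat as suspect" ;;
    2) echo "signature: codesign not available on this host" ;;
  esac
  # Which installer package shipped this file? A file that no Apple/OS package
  # delivered, sitting in a system folder, is itself a useful hint.
  if command -v pkgutil >/dev/null 2>&1; then
    pkgutil --file-info "$p" 2>/dev/null | grep '^pkgid:' || echo "pkgid: (not from an installer package)"
  fi
done
```

Run it against the full paths shown in the SEP history (hover over the entry to see them). A genuine /System/Library/CoreServices/ReportCrash verifies with an Apple anchor and a com.apple.pkg.* pkgid; a file that fails the anchor check, or lives in a user Library folder and came from no package, is the one to investigate.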

JimPo

So I guess that 12.1.2015, as it says on the About SEP, is really 12.1.2. That's a bummer.

I've been religiously doing product upgrades automatically. In fact, it automatically upgraded me to 12.1.2.

There doesn't appear to be an automated mechanism to get to 12.1.4. I am assuming that I must buy that release? I can't find any way that I am entitled to that product or any way to download it without paying.

Any assistance on that would be appreciated.

MichaelD50

Hi JimPo,

If you upgrade to OS X 10.9 from a previous version of OS X and you leave an older SEP Mac client (12.1.2015) intact, it will appear to be functioning normally, but that's a false assumption. Symantec's guidance on this is to fully remove the SEP client before updating the OS; this applies to both PCs and Macs.

http://www.symantec.com/docs/TECH134203

You need to use the SEP Mac removal tool, reboot and install either managed or self-managed SEP Mac 12.1 RU4 (12.1.4013 or 12.1.4100). Then I would perform a full scan with latest definitions and report back your findings.

You can download the SEP Mac removal tool from:

ftp://ftp.symantec.com/misc/tools/mactools/RemoveS...

You asked how to get the updated version. How did you get the version you are running? Was it provided by your employer? If so, touch base with your IT department and tell them you need SEP for Mac RU4. LiveUpdate does not update the actual version of the software, only the definitions.

Cheers!

MJD