Endpoint Protection Small Business Edition


W32.Xpiro.D false positives?


  • 1.  W32.Xpiro.D false positives?

    Posted Jul 10, 2013 09:52 AM

    Hello,

    Running Version: 12.1.2015.2015 for about 100 users.  This morning some of them are receiving ALERTS regarding W32.Xpiro.D.  I believe these are false positives.  The reason for this is, I have 2 brand new, recently imaged machines with zero apps installed. Yesterday I installed SAV, followed by Office 2013 from a network share. I connected them to the internet for updates (of both) and immediately began receiving hundreds of ALERTS.

    Am I alone in this?

    Windows 7- Fully patched and current.

    SAV server: 12.1.2015.2015

    SAV users: 12.1.671.4971  (and cannot be upgraded to 2105 at this time)



  • 2.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 09:56 AM

    Submit false positives here:

    https://submit.symantec.com/false_positive/

    I would also get a case open with Symantec so they can investigate this immediately.



  • 3.  RE: W32.Xpiro.D false positives?

    Broadcom Employee
    Posted Jul 10, 2013 10:13 AM

    Open a support ticket, submit the file, and ask them to check for a false positive.

    Can you put the file under an exception till your question is answered?



  • 4.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 10:23 AM

    Brian81, False positive submitted.

    Pete, the ONLY way to stop these alerts is to use an exception like "Ignore all EXE's" which as you know is completely ill advised.

    I'm afraid when our 12:30PM scan kicks off (2 hrs from now) that it's going to be a busy day telling clients to ignore this as hundreds of popups hit...

    The one machine on my desk for example has hit about 200 "positives" so far, and shows no sign of stopping.  It's finding Adobe, .NET stuff, SysWOW64 directories, Synaptics Touchpad, Java, Intel drivers...you name it.



  • 5.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 10:30 AM

    Just checked my SEPMs but nothing of interest going on...

    So it is not one particular file but multiple?



  • 6.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 10:45 AM

    Brian: Yes, hundreds and counting..  Nearly every .EXE on the PC regardless of directory (except itself, of course).  What scares me most is, it's freshly imaged by me, and only added Office 2013 from a network share, and never saw the internet until yesterday, where only 2 things ran. M$Updates (for the machine and Office), and SAV updates... I/E was not even opened still.



  • 7.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 10:49 AM

    Update: So these files are being "cleaned"... and already seeing one ill effect possibly:

    I can right click COMPUTER (aka MY Comp...) and click PROPERTIES, but it never opens....

    Apps and files seem to be fine. I can right click and get Properties of other shortcuts, and files...but not from COMPUTER... I can even Rt Clk the drive itself and get results....

    Just putting it out there..



  • 8.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 12:39 PM

    We are having issues with this virus today, too.  The noted Full Scan and Symantec Power Eraser don't seem to be doing anything to resolve this for us.



  • 9.  RE: W32.Xpiro.D false positives?

    Broadcom Employee
    Posted Jul 10, 2013 12:44 PM

    Hi,

    Thank you for posting in Symantec community.

    Check this technical writeup for W32.Xpiro.D

    http://www.symantec.com/security_response/writeup.jsp?docid=2011-031108-4407-99&tabid=3

    If you feel it's spreading fast then log a case with support and if required the Security Response team can look into that.



  • 10.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 12:57 PM

    @Mark:

    I called in a case, and submitted 6 false positives and was told no one else has called about it.. (yet?) I suggest opening a case.  They are quick to respond. (Kudos SAV!)

    In the meantime, they sent some directions on how to remove W32.Changeup (similar) and I started following the directions.  The directions pointed out closing ports on our network but those were closed eons ago, as well as Microsoft updates being done (KB967715, of which I had no record of install, but no updates were available?) then I ran the "Rapid Response Definitions", and got error messages stating it wasn't successful.  Attempted to follow the next two deployment methods via TECH104979 and TECH102607 articles, and results were the same.

    It was at this point that I felt re-imaging this freshly built machine was easier to do. Hopefully no residual effects follow.... (I am aware how this might be fruitless, but worth the effort).

    I was nervous earlier about our company-wide virus scan kicking off at 12:30 EST but it's 12:50 and I haven't gotten a call yet.... so maybe it was infected contrary to my comments above????

    (PC never saw internet outside of Office 2013 updates, and SAV updates only, [no other apps exist outside of default Win stuff] including NEVER launching I/E on the machine.)



  • 11.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 01:48 PM

    Thanks - we do have a call open.  So far, only suggestions for us have been latest rapid-release defs and a safe-mode full scan.  Not helping, at this point.



  • 12.  RE: W32.Xpiro.D false positives?

    Broadcom Employee
    Posted Jul 10, 2013 02:04 PM

    Hi,

    Could you please share the support case number? We can try to look into that.



  • 13.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 02:54 PM

    Case #04714649



  • 14.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 02:56 PM

    and 04713788.  Looks like the rep from SAV called while I was in my meeting too.



  • 15.  RE: W32.Xpiro.D false positives?

    Broadcom Employee
    Posted Jul 10, 2013 03:17 PM

    Hi,

    I have requested an engineer to call you back and hope you are now connected.



  • 16.  RE: W32.Xpiro.D false positives?

    Broadcom Employee
    Posted Jul 10, 2013 03:35 PM

    I have requested an engineer to call you back.



  • 17.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 04:01 PM

    For what it's worth, we picked up a bunch of W32.Xpiro.D detections on a specific Windows Server 2008 R2 (running SEP 11.7) in one of our regions.  The detected files all had the extension VIR, which leads me to believe they have (had?) a competitor's AV product that simply renamed these files, and a recent definition update in SEP caused these to be detected again.

    Also, we got an alert on a network appliance when another user in a different region (after the above alerts occurred) visited a compromised site which resulted in a fake calc.exe being downloaded.  Submitting that payload, Symantec came back with an update to the W32.Xpiro.D risk in Rapid Release Sequence number 145651.  MD5 on the payload was b907b04e3ceb9e348bc43304e06873bd, and the Security Response Tracking number was 31065546.

    I know this isn't directly linked to the OP's issue, but I figure this recent activity on the W32.Xpiro.D risk may provide insight to possible new/improved detection mechanisms causing the detections to occur.



  • 18.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 04:09 PM

    As per my previous posts, I performed a full reimage using the MDT2012 Win7-64bit image I created months ago and successfully deployed to dozens of machines to date (none of which are having this issue).

    So I rebuilt the machine again, and only connected to the internet to update Microsoft O/S, then install and update Office 2013, and install and update SAV.

    The first reboot after SAV was installed, I'm immediately greeted with W32.Xpiro.D.

    The first infection:  Setup.exe: Path C:\MSOCache\All Users\{90150000-0012-0000-0000-000000FF1CE}-C\

    then:  Ose.exe: same path, and increasing in qty.. All currently in a CLEANED status, which is basically destroying each EXE from ever running again making the machine a paperweight at best.

    Calling tech support again.



  • 19.  RE: W32.Xpiro.D false positives?

    Posted Jul 10, 2013 04:11 PM

    Thanks DMaltby, I typed the above while you were posting and missed it. Thanks for the info.



  • 20.  RE: W32.Xpiro.D false positives?

    Posted Jul 19, 2013 06:15 PM

    Well my solution for my company was to switch from Symantec to Microsoft forefront with our sccm agreement with Microsoft. Symantec is a garbage product.



  • 21.  RE: W32.Xpiro.D false positives?

    Posted Jul 19, 2013 06:19 PM
    It saved my company by scanning the master boot record and all drives. Symantec would not clean and would only delete the exe affected.


  • 22.  RE: W32.Xpiro.D false positives?

    Posted Jul 19, 2013 06:28 PM

    Good luck. SCEP is about as awful as it gets with AV only and its limited reporting capabilities. I'm sure it saves your business a good chunk of money though. That's about the only good thing about SCEP. Speaking from personal experience...