
W32.Xpiro.D false positives?

Created: 10 Jul 2013 | 21 comments

Hello,

Running Version: 12.1.2015.2015 for about 100 users. This morning some of them are receiving ALERTS regarding W32.Xpiro.D. I believe these are false positives. The reason for this is, I have 2 brand new, recently imaged machines with zero apps installed. Yesterday I installed SAV, followed by Office 2013 from a network share. I connected them to the internet for updates (of both) and immediately began receiving hundreds of ALERTS.

Am I alone in this?

Windows 7- Fully patched and current.

SAV server: 12.1.2015.2015

SAV users: 12.1.671.4971 (and cannot be upgraded to 2105 at this time)

Operating Systems:

21 Comments

Brɨan's picture

Submit false positives here:

https://submit.symantec.com/false_positive/

I would also get a case open with Symantec so they can investigate this immediately.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

pete_4u2002's picture

Open a support ticket, submit the file and ask to check for false positive.

Can you put the file under an exception till your question is answered?

BeachwoodBruin's picture

Brian81, False positive submitted.

Pete, the ONLY way to stop these alerts is to use an exception like "Ignore all EXEs" which as you know is completely ill-advised.

I'm afraid when our 12:30PM scan kicks off (2 hrs from now) that it's going to be a busy day telling clients to ignore this as hundreds of popups hit...

The one machine on my desk for example has hit about 200 "positives" so far, and shows no sign of stopping. It's finding Adobe, .NET stuff, SysWOW64 directories, Synaptics Touchpad, Java, Intel drivers...you name it.

Brɨan's picture

Just checked my SEPMs but nothing of interest going on...

So it is not one particular file but multiple?


BeachwoodBruin's picture

Brian: Yes, hundreds and counting.. Nearly every .EXE on the PC regardless of directory (except itself, of course). What scares me most is, it's freshly imaged by me, and I only added Office 2013 from a network share, and it never saw the internet until yesterday, where only 2 things ran: M$ Updates (for the machine and Office), and SAV updates... I/E was not even opened still.

BeachwoodBruin's picture

Update: So these files are being "cleaned"... and already seeing one ill effect possibly:

I can right click COMPUTER (aka MY Comp...) and click PROPERTIES, but it never opens....

Apps and files seem to be fine. I can right click and get Properties of other shortcuts, and files...but not from COMPUTER... I can even Rt Clk the drive itself and get results....

Just putting it out there..

MarkA.P.'s picture

We are having issues with this virus today, too.  The noted Full Scan and Symantec Power Eraser don't seem to be doing anything to resolve this for us.

Chetan Savade's picture

Hi,

Thank you for posting in Symantec community.

Check this technical writeup for W32.Xpiro.D:

http://www.symantec.com/security_response/writeup.jsp?docid=2011-031108-4407-99&tabid=3

If you feel it's spreading fast then log a case with support and if required the security response team can look into that.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

BeachwoodBruin's picture

@Mark:

I called in a case, and submitted 6 false positives and was told no one else has called about it.. (yet?) I suggest opening a case. They are quick to respond. (Kudos SAV!)

In the meantime, they sent some directions on how to remove the W32.Changeup (similar) and I started following the directions. The directions pointed out closing ports on our network but those were closed eons ago, as well as Microsoft updates being done (KB967715, of which I had no record of install, but no updates were available?). Then I ran the "Rapid Response Definitions", and got error messages stating it wasn't successful. Attempted to follow the next two deployment methods via TECH104979 and TECH102607 articles, and results were the same.

It was at this point that I felt re-imaging this freshly built machine was easier to do. Hopefully no residual effects follow.... (I am aware how this might be fruitless, but worth the effort.)

I was nervous earlier about our company-wide virus scan kicking off at 12:30 EST but it's 12:50 and I haven't gotten a call yet.... so maybe it was infected contrary to my comments above????

(PC never saw internet outside of Office 2013 updates, and SAV updates only, [no other apps exist outside of default Win stuff] including NEVER launching I/E on the machine.)

MarkA.P.'s picture

Thanks - we do have a call open.  So far, only suggestions for us have been latest rapid-release defs and a safe-mode full scan.  Not helping, at this point.

Chetan Savade's picture

Hi,

Could you please share the support case number? We can try to look into that.


Chetan Savade's picture

I have requested an engineer to call you back.


BeachwoodBruin's picture

and 04713788. Looks like the rep from SAV called while I was in my meeting too.

Chetan Savade's picture

Hi,

I have requested an engineer to call you back & hope now you are connected.


dmaltby's picture

For what it's worth, we picked up a bunch of W32.Xpiro.D detections on a specific Windows Server 2008 R2 (running SEP 11.7) in one of our regions.  The detected files all had the extension VIR, which leads me to believe they have (had?) a competitor's AV product that simply renamed these files, and a recent definition update in SEP caused these to be detected again.

Also, we got an alert on a network appliance when another user in a different region (after the above alerts occurred) visited a compromised site which resulted in a fake calc.exe being downloaded.  Submitting that payload, Symantec came back with an update to the W32.Xpiro.D risk in Rapid Release Sequence number 145651.  MD5 on the payload was b907b04e3ceb9e348bc43304e06873bd, and the Security Response Tracking number was 31065546.

I know this isn't directly linked to the OP's issue, but I figure this recent activity on the W32.Xpiro.D risk may provide insight to possible new/improved detection mechanisms causing the detections to occur.

BeachwoodBruin's picture

As per my previous posts, I performed a full reimage using the MDT2012 Win7-64bit image I created months ago and successfully deployed to dozens of machines to date (none of which are having this issue).

So I rebuilt the machine again, and only connected to the internet to update Microsoft O/S, then install and update Office 2013, and install and update SAV.

The first reboot after SAV was installed, I'm immediately greeted with W32.Xpiro.D.

The first infection: Setup.exe, path C:\MSOCache\All Users\{90150000-0012-0000-0000-000000FF1CE}-C\

Then: Ose.exe, same path, and increasing in qty.. All currently in a CLEANED status, which is basically destroying each EXE from ever running again, making the machine a paperweight at best.

Calling tech support again.

Bcooper0723's picture

It saved my company by scanning the master boot record and all drives. Symantec would not clean and would only delete the exe affected.

BeachwoodBruin's picture

Thanks DMaltby, I typed the above while you were posting and missed it. Thanks for the info.

Bcooper0723's picture

Well, my solution for my company was to switch from Symantec to Microsoft Forefront with our SCCM agreement with Microsoft. Symantec is a garbage product.

Brɨan's picture

Good luck. SCEP is about as awful as it gets with AV only and its limited reporting capabilities. I'm sure it saves your business a good chunk of money though. That's about the only good thing about SCEP. Speaking from personal experience...
