Endpoint Protection

  • 1.  W97M.Downloader on Macintosh

    Posted Aug 07, 2015 12:24 PM

    Hi,

    I have some SEP for Macintosh clients that are infected with W97M.Downloader, but every time I run the scan, SEP detects it but does not clean it and leaves it alone. The only way to clean the clients is to delete the files manually.

    On Windows clients the file is sent to quarantine. How can I perform the same action on Macintosh clients?

    This is an example of one of them:

    Risk Information
    Risk name:
    Risk severity:
    Discovered:
    Download site:
    Downloaded or created by:
    File or path:
    Application:
    Version:
    File size:
    Category set:
    Category type:
    Hash:
    Hash algorithm:
    Company:

     

    Risk Detection
    Date found:
    Description:
    Actual action:
    Specified primary action:
    Specified secondary action:
    Detection source:
    Risk detection method:
    URL tracking:
    Source computer:
    Event type:
    Database insert date:
    Event client date:
    Permitted application reason:

     

    Risk Reputation
    First seen:
    Reputation:
    Prevalence:
    Performance impact:
    Overall rating:
    Detection reason:
    Minimum sensitivity level:

     


     



  • 2.  RE: W97M.Downloader on Macintosh

    Posted Aug 10, 2015 09:55 AM

    Do you have it set to quarantine files that cannot be repaired? See here:

    Customizing Auto-Protect for Mac clients



  • 3.  RE: W97M.Downloader on Macintosh

    Trusted Advisor
    Posted Aug 10, 2015 10:05 AM

    Try changing the primary action in the policy to quarantine and the secondary action to delete. The action you've got set is to clean the infection; if it's that deeply rooted into the file, or the entire file is malicious, there is nothing that SEP can attempt to clean on it.



  • 4.  RE: W97M.Downloader on Macintosh

    Posted Aug 10, 2015 11:01 AM

    Hi Brian,

    I have the configuration as the document says.

    I would like to emphasize that this only occurs with this security risk.

    Any other suggestions?



  • 5.  RE: W97M.Downloader on Macintosh

    Posted Aug 10, 2015 11:08 AM

    Hi GeoGeo,

    Where do I configure the Action settings for Mac?


    The Security Risk action for Windows is configured as you recommend: Quarantine risk / Delete risk, but I couldn't find where to configure this in Mac Settings.

    Thanks in advance!



  • 6.  RE: W97M.Downloader on Macintosh

    Trusted Advisor
    Posted Aug 13, 2015 10:53 AM

    If you go into the antivirus & antispyware policy on the group on the left, you should see in the policy a + next to Mac. Click it and it will expand, then click on Auto-Protect in this new menu. On the right you will see tick boxes; tick "quarantine files that cannot be repaired" and click OK, then wait for the machines to get the new policy. That should resolve it for you.



  • 7.  RE: W97M.Downloader on Macintosh

    Posted Aug 13, 2015 03:17 PM

    Hi GeoGeo


    Actually, the option is selected. This is what the configuration looks like:

    MAC_Auto-Protect.png

    This is a report of the Security Risk and the action taken; all of them are on Macintosh and were left alone.

    Action_Summary.png

    More ideas?



  • 8.  RE: W97M.Downloader on Macintosh

    Trusted Advisor
    Posted Aug 17, 2015 06:25 AM

    Can you try it with just the "automatically repair infected files" option un-ticked? It should then effectively quarantine all files.



  • 9.  RE: W97M.Downloader on Macintosh

    Posted Aug 18, 2015 06:50 PM

    Same result: It doesn't work



  • 10.  RE: W97M.Downloader on Macintosh

    Trusted Advisor
    Posted Aug 19, 2015 07:34 AM

    Hmmmm, odd. You might have to get a case opened for this one, as it doesn't seem to be changing your primary and secondary actions; both of them are set to clean the infection in the original data you provided. Unticking the repair option should have forced it to quarantine as one of those actions.

    Just a stab in the dark: is there nothing in your exceptions policy for this kind of file type or location?