Endpoint Protection

  • 1.  ADWARE.LOP is OLD but whomped SEP!

    Posted Jul 10, 2009 03:52 PM
    Risk name: Adware.Lop
    Event time: 2009-07-10 19:21:14 GMT
    Database insert time: 2009-07-10 19:24:20 GMT
    User: Denise.xxxxxxx
    Computer: VR093240VT6H570
    IP Address: 10.252.xx.xx
    Domain: IVRS-SEP1
    Server: VRDSMSEP2
    Client Group: My Company\Client Computers\Desktop
    Action taken on risk: Access denied

    ----------------------------------------------------------
    Action: Block
    Test mode: No
    Windows domain: VRNTDOM1
    User Denise.xxxxxxx
    Server name: VRDSMSEP2
    Group name: My Company\Client Computers\Desktop
    Computer Name
    Current: VR093240VT6H570
    When event occurred: VR093240VT6H570

    Event type: Tamper Protection
    Event time: 07/10/2009 14:20:42
    Severity: Minor
    Begin time: 07/10/2009 14:20:42
    End time: 07/10/2009 14:20:42
    Rule name:
    Alert: Yes
    Send SNMP trap:
    Caller Process ID: 1444
    Caller Process Name: C:/Documents and Settings/Denise.xxxxxxx/Local Settings/Temp/awxremocns.tmp
    Target: C:/Program Files/Common Files/Symantec Shared/ccApp.exe
    User name: Denise.xxxxxxx
    Description: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"


    It really hammered hard on that PC, and was hammering hard on SEP.
    Yes, it got in, and totally whomped SEP, the computer won't stay running, keeps shutting down, and while it's up I can barely tell that in their profile, there are dozens of EXE files from the above date and time. SEP was trying, but lost the war. The screen was filled with TMP and EXE files from 14:20 to 14:33 hours.
    Kind of unreal for reading in the Symantec technical details that this is from 2003! Not even new technology for a bug.
    Wow. A 6-year-old whomped it.
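The Tamper Protection block above is the one record a responder would be handed, so here is an added example (not from the thread or from Symantec's own tooling) that parses that "Key: value" event format and applies a few triage rules of my own choosing: the rule names, the temp-directory and target patterns, and the escalation threshold are all assumptions, and the sample block is constructed from the fields quoted in the post. The point it makes is the same one the post makes: a single blocked access to ccApp.exe from a `.tmp` file in a user's Temp folder is a signal that the host needs attention, not evidence that the threat was contained.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample modelled on the event block quoted in the post above
# (hostnames, user and paths copied from the thread; not a live system).
SAMPLE_EVENT = r"""Action: Block
Test mode: No
Windows domain: VRNTDOM1
User Denise.xxxxxxx
Server name: VRDSMSEP2
Group name: My Company\Client Computers\Desktop
Event type: Tamper Protection
Event time: 07/10/2009 14:20:42
Severity: Minor
Caller Process ID: 1444
Caller Process Name: C:/Documents and Settings/Denise.xxxxxxx/Local Settings/Temp/awxremocns.tmp
Target: C:/Program Files/Common Files/Symantec Shared/ccApp.exe
User name: Denise.xxxxxxx
"""

# "Key: value" lines; the key is letters and spaces up to the first colon, so a
# Windows drive letter in the value ("C:/...") is not mistaken for a key.
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")

# Hypothetical triage patterns (assumptions, not SEP logic), matched against
# paths normalised to forward slashes and lower case.
TEMP_DIR_RE = re.compile(r"/(local settings/temp|appdata/local/temp|windows/temp)/")
AV_TARGET_RE = re.compile(r"/(symantec shared|symantec endpoint protection)/")


def parse_event(text: str) -> Dict[str, str]:
    """Parse one SEP event block into a dict. Lines without a 'Key:' prefix
    (the post's 'User Denise.xxxxxxx' line) are preserved under 'raw'."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
        else:
            fields["raw"] = (fields.get("raw", "") + " " + line).strip()
    return fields


def event_time(fields: Dict[str, str]) -> datetime:
    """SEP prints 'Event time' in the local MM/DD/YYYY HH:MM:SS form seen above."""
    return datetime.strptime(fields["Event time"], "%m/%d/%Y %H:%M:%S")


def _norm(path: str) -> str:
    return path.replace("\\", "/").lower()


def triage(fields: Dict[str, str]) -> Dict[str, object]:
    """Apply the (assumed) triage rules and decide whether to escalate."""
    caller = _norm(fields.get("Caller Process Name", ""))
    target = _norm(fields.get("Target", ""))
    reasons: List[str] = []
    if TEMP_DIR_RE.search(caller):
        reasons.append("caller_in_user_temp")
    if caller.endswith(".tmp"):
        reasons.append("caller_tmp_extension")   # code running from a non-executable extension
    if AV_TARGET_RE.search(target):
        reasons.append("target_is_av_component")
    # Escalate when the AV itself is the target and something else about the
    # caller is also off; one blocked access says nothing about the caller's
    # other activity on the host (the post saw dozens more files in 13 minutes).
    escalate = "target_is_av_component" in reasons and len(reasons) >= 2
    note = ""
    if fields.get("Action") == "Block":
        note = ("Tamper Protection blocked this access only; collect the caller "
                "(PID %s) and sibling files written around %s from the same profile."
                % (fields.get("Caller Process ID", "?"), fields.get("Event time", "?")))
    return {"reasons": reasons, "escalate": escalate, "note": note}


if __name__ == "__main__":
    ev = parse_event(SAMPLE_EVENT)
    print(event_time(ev).isoformat(), triage(ev))
```

Feeding the block in the post through `triage` returns all three reasons and `escalate == True`; the note carries the caller PID and event time forward so whoever picks up the host knows which process and which minute to start from.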


  • 2.  RE: ADWARE.LOP is OLD but whomped SEP!

    Posted Jul 10, 2009 04:03 PM
    Only the name is old... the rest is up-to-date:

    Adware.Lop:

    * Initial Rapid Release version September 29, 2003
    * Latest Rapid Release version July 10, 2009 revision 034
    * Initial Daily Certified version September 29, 2003 revision 002
    * Latest Daily Certified version July 10, 2009 revision 032
    * Initial Weekly Certified release date October 1, 2003

    Moreover, this adware component must be manually installed, or installed as a component of another program.

    Regards,




  • 3.  RE: ADWARE.LOP is OLD but whomped SEP!

    Posted Jul 10, 2009 04:09 PM
    Guess what I was meaning in saying it was old - it's not a brand-new, never before seen by man (or woman) virus/worm/trojan.
    Not something that just came out 2 hours ago................
    Something that's been known since 2003 shouldn't whomp any AV IMO.
    New ones, yes.
    The initial definitions that caught this were issued in 2003.
    SEP should have been able to not even allow it in, that being said - should have said "hey, I know you - you are that creep from 2003, get out!" but it seems the file was not only downloaded, but started doing its thing before SEP realized it was SEP's old friend from back when.

    Say, what ever happened to heuristics, anyway?


  • 4.  RE: ADWARE.LOP is OLD but whomped SEP!

    Posted Jul 10, 2009 04:27 PM
    Yes, but if I were a malware writer I would test my new variant against some common AVs until it is modified enough to be undetected.
    Regarding the PTP, another member recently wrote that it is becoming better than before, I hope so too.

    Cheers,