Endpoint Protection


dwrcs.exe trojan.gen false positive

  • 1.  dwrcs.exe trojan.gen false positive

    Posted Aug 09, 2010 09:24 AM
    We utilize Dameware for some remote controlling of PCs and have noticed since this weekend that some of our machines are detecting the dwrcs.exe process as being infected with trojan.gen.  Has anyone else experienced this?


  • 2.  RE: dwrcs.exe trojan.gen false positive



  • 3.  RE: dwrcs.exe trojan.gen false positive
    Best Answer

    Posted Aug 09, 2010 09:53 AM
    Yes, we saw that too. Definitions of 8/6/10 rev 60 are responsible for this detection.  Created an exception for now.   It has been reported to Symantec.


  • 4.  RE: dwrcs.exe trojan.gen false positive

    Posted Aug 09, 2010 10:10 AM
    I think now you can either create an exception or roll back the definitions to an old one as a temporary solution.


  • 5.  RE: dwrcs.exe trojan.gen false positive

    Posted Aug 09, 2010 11:37 AM

    We have Dameware but did not run into this that I know of. I have not heard from any of our admins, and I just checked my logs and they are clean. I know some versions of Dameware are flagged by PTP though.


  • 6.  RE: dwrcs.exe trojan.gen false positive

    Posted Aug 09, 2010 11:43 AM
    Hi,

    Please check if that is also being detected as an application by PTP.

    As DameWare is used for remote control of a machine, it will also be detected as a commercial application.

    In that case you can create a PTP exception as well.

    Aniket


  • 7.  RE: dwrcs.exe trojan.gen false positive

    Posted Aug 09, 2010 11:59 AM

    I checked the option to ignore when a commercial remote app is detected under PTP.


  • 8.  RE: dwrcs.exe trojan.gen false positive

    Posted Aug 10, 2010 04:48 AM
    Hi IcY and buzz,

    In your environment, is this DameWare .exe still being detected as trojan.gen with the latest definitions?  Or has this been resolved?

    If there is a continuing problem, would it be possible to supply SEP risk history logs, submission tracking numbers, and other references via private message?  I will look into the status of the investigation for you.

    Please update the forum thread, when time allows! &: )

    Thanks and best regards,

    Mick


  • 9.  RE: dwrcs.exe trojan.gen false positive

    Posted Aug 10, 2010 11:24 AM

    A recent change in our PTP definitions means that this dwrcs.exe file is now being detected... SEP's PTP component is good at raising a warning flag that remote control software (DameWare, VNC, even our own PCAnywhere) is present on a computer in the network.

    At the moment, the best course is to create a rule in your organization so that PTP knows this particular .exe is OK in your environment. A step-by-step can be found in the "Creating exceptions for TruScan proactive threat scans" section of the "Creating Centralized Exception policies in Symantec Endpoint Protection Manager" article at http://service1.symantec.com/SUPPORT/ent-security.....

    I will add a note to this thread if there is a further change!

    Thanks and best regards,

    Mick



  • 10.  RE: dwrcs.exe trojan.gen false positive

    Posted Aug 11, 2010 09:02 AM
    Symantec's AntiVirus signatures have been updated after additional analysis- I can confirm that known legitimate DameWare files will not trigger any AV detection with current definitions.  The PTP component will note their presence, as above, and exclusions can be created if desired. 

    Thanks again,

    Mick