Endpoint SWAT: Protect the Endpoint Community

  • 1.  How to interpret virus alert?

    Posted Sep 13, 2017 07:00 AM

    Hi all.  I often see these with customer systems, via SEP 12, 14, SEPC, and SEP SBE deployments.  I always wonder - do they indicate that a system compromise occurred and somebody dumped active malware onto the computer, having bypassed endpoint security, or, because of the fact that it is a script and is likely launched via visiting a website, it's just showing a file path that scripts normally end up in when they try to launch.  Sorry, early in the morning, may not be wording myself correctly.  Here's a path to a sample detection found this morning: 


    \users\username\appdata\local\packages\microsoft.microsoftedge_8wekyb3d8bbwe\ac\#!001\microsoftedge\cache\efg5451j\script[2].jsoc (I put "jsoc" at the end, replacing ".js", just in case this post gets filtered).
    So is this a script a website tried to store or launch, or does it mean someone already bypassed security and placed a script in a local file path?  Thanks very much.  


  • 2.  RE: How to interpret virus alert?

    Posted Sep 13, 2017 07:05 AM

    I get these all the time, too. However, I typically see them related to Java and some sort of attempted download. From everything I can see through some investigation it usually appears to come via some hijacked ad server via one of the many sites our users visit.



  • 3.  RE: How to interpret virus alert?

    Posted Sep 13, 2017 07:39 AM

    Hi MIXIT,


    Looks like the path is in MS Edge's temp directory.  The important question is, was the file there caught by SEP's AutoProtect or a later manual or scheduled scan?  If it was AP then the file was stopped before it could harm the computer.


    What was the threat name detected in this example, BTW?



  • 4.  RE: How to interpret virus alert?

    Posted Sep 13, 2017 08:17 AM

    Actually I've had a coffee and am thinking a bit more.  So, I agree if the virus scanner picked it up, it must have been resident on the system already since only AP or IPS/Insight will pick up active stuff (or SONAR I guess, though it's so rare I see SONAR pick up anything), and yet, if a resident file is sitting dormant but then tries to launch, it too will be picked up by Auto-Protect "from the inside out" basically or am I still not caffeinated enough? :) 

    Ok here's the details requested: 

    Incident Details
    script[2].js (JS.Downloader!gen33) detected by Virus scanner

     Threat Name
    JS.Downloader!gen33

     Also of note is that this particular computer gets very frequent alerts related to fake tech support scam websites.  Always seemingly when the person is using the computer, though that alone says nothing since the mere activation of the web browser may also call up the script, if said script is set to launch upon browser launch - so not necessarily that the person is visiting sites with malvertising or whatnot.  




  • 5.  RE: How to interpret virus alert?

    Posted Sep 13, 2017 08:26 AM

    Maybe you should scan that computer manually with SymDiag: https://support.symantec.com/en_US/article.TECH215519.html, just to be sure?




  • 6.  RE: How to interpret virus alert?
    Best Answer

    Posted Sep 13, 2017 08:33 AM

    So, I agree if the virus scanner picked it up, it must have been resident on the system already since only AP or IPS/Insight will pick up active stuff (or SONAR I guess, though it's so rare I see SONAR pick up anything), and yet, if a resident file is sitting dormant but then tries to launch, it too will be picked up by Auto-Protect "from the inside out" basically or am I still not caffeinated enough? :) 

    I suspect this could be due to the current content not having a signature to detect it, but, then new signatures are pulled down later, at which point they detect the file on launch.
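    The triage questions raised in this thread (is the path a browser cache directory? was it Auto-Protect or a later scan that caught it? was the file actually contained?) can be applied mechanically to an exported detection log. The script below is an added example written for this page; it is not code from the thread, from Symantec, or from SEP. The log format is constructed and hypothetical (six pipe-separated fields), the sample lines are made up, and the browser-cache path markers are assumptions about where Edge, IE, Chrome and Firefox keep cached content; adapt `parse_line()` and the patterns to your own export.

```python
import re
from dataclasses import dataclass

# Constructed, hypothetical log format (NOT SEP's real risk-log schema):
# one detection per line, six pipe-separated fields.
#   timestamp | computer | scan_type | threat_name | file_path | action
SAMPLE_LOG = r"""
2017-09-13 06:52:11|WS-0117|Auto-Protect|JS.Downloader!gen33|C:\Users\jdoe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EFG5451J\script[2].js|Quarantined
2017-09-13 02:00:05|WS-0117|Scheduled Scan|JS.Downloader!gen33|C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\IE\4X1ZK0QT\ad[1].js|Deleted
2017-09-13 09:14:40|WS-0224|Auto-Protect|Trojan.Gen.2|C:\Users\asmith\AppData\Roaming\update.exe|Left alone
2017-09-13 09:15:02|WS-0224|Auto-Protect|Trojan.Gen.2|C:\Windows\Temp\svchost.exe|Quarantined
"""

# Scan types that fire on file write/launch (on-access) rather than at rest.
ON_ACCESS_SCANS = {"auto-protect", "autoprotect", "real-time", "realtime"}
# Actions that mean the file is no longer usable on the host.
CONTAINED_ACTIONS = {"quarantined", "deleted", "cleaned", "blocked"}

# Assumed browser cache locations (path fragments, matched case-insensitively).
BROWSER_CACHE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\\microsoftedge\\cache\\",               # Edge (UWP app) cache, as in the thread
        r"\\inetcache\\",                          # IE / WinINet cache
        r"\\temporary internet files\\",           # older IE cache name
        r"\\chrome\\user data\\[^\\]+\\cache\\",   # Chrome profile cache
        r"\\firefox\\profiles\\[^\\]+\\cache2\\",  # Firefox profile cache
    )
]


@dataclass
class Detection:
    timestamp: str
    computer: str
    scan_type: str
    threat: str
    path: str
    action: str


@dataclass
class Triage:
    computer: str
    path: str
    in_browser_cache: bool
    caught_on_access: bool
    contained: bool
    priority: str  # "low", "medium" or "high"
    reason: str


def parse_line(line):
    """Split one constructed log line into a Detection; reject malformed lines."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    return Detection(*fields)


def in_browser_cache(path):
    """True if the path sits inside one of the assumed browser cache directories."""
    return any(p.search(path) for p in BROWSER_CACHE_PATTERNS)


def triage(d):
    """Apply the thread's three questions and rank the detection."""
    cache = in_browser_cache(d.path)
    on_access = d.scan_type.lower() in ON_ACCESS_SCANS
    contained = d.action.lower() in CONTAINED_ACTIONS
    if not contained:
        priority, reason = "high", "not contained: the file is still on the host, investigate now"
    elif cache and on_access:
        priority, reason = "low", ("browser wrote the script to its cache and Auto-Protect stopped it: "
                                   "typical drive-by or malvertising; check proxy logs for the source site")
    elif cache:
        priority, reason = "medium", ("script sat in the browser cache until a later scan found it: check "
                                      "definition age at download time and whether the browser ran it")
    else:
        priority, reason = "high", ("file outside any browser cache: something else wrote it to disk, "
                                    "treat as a possible compromise even though it was contained")
    return Triage(d.computer, d.path, cache, on_access, contained, priority, reason)


def triage_log(text):
    """Triage every non-blank line of a log export."""
    return [triage(parse_line(l)) for l in text.strip().splitlines() if l.strip()]


def highest_priority_per_host(results):
    """Roll results up to the worst priority seen on each computer."""
    order = {"low": 0, "medium": 1, "high": 2}
    worst = {}
    for r in results:
        if r.computer not in worst or order[r.priority] > order[worst[r.computer]]:
            worst[r.computer] = r.priority
    return worst


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for r in results:
        print(f"{r.computer} {r.priority:6} {r.reason}")
    print(highest_priority_per_host(results))
```

    The ranking encodes the thread's reasoning: an on-access catch inside a browser cache is the routine drive-by case, a cache file found only by a scheduled scan points at lagging definitions and deserves a closer look, and anything written outside a browser cache (or not contained at all) is treated as a possible compromise regardless of the threat name.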



  • 7.  RE: How to interpret virus alert?

    Posted Sep 13, 2017 08:47 AM

    Hi again

    Just FYI: we have corrected some JS.Downloader!gen33 False Positives today. Do update to the latest-available Rapid Release signatures if you suspect that the files encountered by that computer may be non-malicious.



  • 8.  RE: How to interpret virus alert?

    Posted Sep 14, 2017 06:43 PM

    Nothing found so far, but then again the original file was deleted so it's hard to say if it was one-time only.  I won't bother pursuing further unless a second infection occurs.  Thanks for the info.  If it does re-occur and the source isn't found to be the same then I'll do the SymDiag thing.  


    By the way, what is a Symantec Knight?  Sounds fancy, and chivalrous.