Endpoint Protection

  • 1.  Multiple Bloodhound.Exploit.45 detections on print server

    Posted Sep 03, 2010 12:42 PM
    Since mid August, we have been experiencing multiple daily heuristic detections of "Bloodhound.Exploit.45" on one of our print servers. The files detected as risks are always found in C:\Temp and have a naming convention of SPLxxxx.tmp (where xxxx is a string of four numbers/letters, e.g. SPL392C.tmp). Using Process Monitor I can see that these temp files are being generated by the spoolsv.exe process (the Windows print spooler). The spool folder is set to E:\spool\ in the print server options.

    The server is running Windows Server 2003 SP2, and SEP RU6A. Definitions are current. Nobody logs into this machine interactively except for a handful of administrators. No web browsing or other high-risk behavior occurs on the server. I have submitted files to Symantec for review on two occasions (tracking numbers are 17223368 and 17013426). I have also opened a case with tracking number 412-654-398 but am not really getting anywhere. Has anyone encountered this before or have any suggestions?


  • 2.  RE: Multiple Bloodhound.Exploit.45 detections on print server

    Posted Sep 03, 2010 01:07 PM
    I can see where the TSE asked if you had the MS security patch installed on the system, but I do not see the answer.
    Is this server up to date with the MS patches?


  • 3.  RE: Multiple Bloodhound.Exploit.45 detections on print server

    Posted Sep 03, 2010 01:30 PM
    The patch he asked about is deprecated and applied to SP1 systems. It is not applicable to a system running Service Pack 2.

    As you can see, MS05-053 is included in Service Pack 2: http://technet.microsoft.com/en-us/windowsserver/bb286898.aspx

    We patch every month and this server has all applicable security patches installed.


  • 4.  RE: Multiple Bloodhound.Exploit.45 detections on print server

    Posted Sep 03, 2010 06:49 PM

    The thing about Bloodhound detections is that they are heuristic. It's good to get them submitted, but it is not always an indication of an infection. You probably got the email from Security Response on submission 17013426 and saw that all three files were falsely identified as malicious. There would have also been a revision number for definitions after which these files would no longer be flagged. Usually Rapid Release definitions roll into Certified Definitions within the day.

    sandra


  • 5.  RE: Multiple Bloodhound.Exploit.45 detections on print server

    Posted Sep 04, 2010 02:04 AM
    Bloodhound.Exploit.45 is a heuristic detection for the Graphics Rendering Engine Vulnerability and the Windows Metafile Vulnerability (as described in Microsoft Security Bulletin MS05-053).

    Go to the link below and download the patch:

    http://www.microsoft.com/technet/security/Bulletin/MS05-053.mspx
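Added example (not part of the original thread or any Symantec tooling): a small triage script that checks whether a flagged file fits the facts stated in this thread before accepting a "false positive" verdict. The original post gives the naming convention (SPLxxxx.tmp in C:\Temp, written by spoolsv.exe), and the post above says the heuristic targets Windows Metafile content. The script therefore checks the file name against that pattern, checks the writing process, and inspects the leading bytes for an EMF or WMF header. The function names, the sample bytes and the assumption that a spooler temp file would carry metafile data are mine; the script only reports what it sees and does not decide whether a file is malicious.

```python
import re
import struct
from pathlib import Path

# Naming convention reported in the thread: "SPL" + four hex characters + ".tmp"
SPOOL_TMP_RE = re.compile(r"^SPL[0-9A-Fa-f]{4}\.tmp$")
SPOOLER_PROCESS = "spoolsv.exe"

# Metafile signatures (assumption: these are what to look for, since
# Bloodhound.Exploit.45 is described as a WMF/metafile heuristic).
EMF_SIGNATURE = 0x464D4520      # " EMF" at offset 40 of an EMR_HEADER record
PLACEABLE_WMF_KEY = 0x9AC6CDD7  # Aldus placeable WMF header key at offset 0


def classify_content(data: bytes) -> str:
    """Return 'emf', 'wmf' or 'other' based on the leading bytes of a file."""
    # EMF: first record is EMR_HEADER (type 1) with the " EMF" signature at +40
    if len(data) >= 44:
        record_type = struct.unpack_from("<I", data, 0)[0]
        signature = struct.unpack_from("<I", data, 40)[0]
        if record_type == 1 and signature == EMF_SIGNATURE:
            return "emf"
    # Placeable WMF: 32-bit key at offset 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_WMF_KEY:
        return "wmf"
    # Standard WMF: mtType (1=memory, 2=disk), mtHeaderSize=9 words, mtVersion 0x100/0x300
    if len(data) >= 6:
        mt_type, mt_header_size, mt_version = struct.unpack_from("<HHH", data, 0)
        if mt_type in (1, 2) and mt_header_size == 9 and mt_version in (0x0100, 0x0300):
            return "wmf"
    return "other"


def triage(name: str, data: bytes, writer_process: str) -> dict:
    """Compare one flagged file against the pattern described in the thread.

    name           -- file name as reported by the AV product
    data           -- the first bytes of the file (44 or more is enough)
    writer_process -- process that created the file, e.g. from Process Monitor
    """
    name_ok = SPOOL_TMP_RE.match(name) is not None
    writer_ok = writer_process.lower() == SPOOLER_PROCESS
    content = classify_content(data)
    return {
        "name": name,
        "name_matches_spooler_pattern": name_ok,
        "written_by_spooler": writer_ok,
        "content": content,
        # All three facts line up with the thread's description of the benign files.
        "consistent_with_spooler_artifact": name_ok and writer_ok and content in ("emf", "wmf"),
    }


def triage_file(path: str, writer_process: str) -> dict:
    """Same check against a file on disk; reads only the header bytes."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    return triage(Path(path).name, head, writer_process)


# Constructed sample inputs (not real spool files):
SAMPLE_EMF = struct.pack("<II", 1, 108) + b"\0" * 32 + struct.pack("<I", EMF_SIGNATURE) + b"\0" * 20
SAMPLE_WMF = struct.pack("<HHH", 1, 9, 0x0300) + b"\0" * 12
SAMPLE_PE = b"MZ\x90\x00" + b"\0" * 60   # looks like an executable, not a metafile

if __name__ == "__main__":
    for name, data, proc in [
        ("SPL392C.tmp", SAMPLE_EMF, "spoolsv.exe"),
        ("SPL1A2B.tmp", SAMPLE_WMF, "spoolsv.exe"),
        ("SPL9F00.tmp", SAMPLE_PE, "spoolsv.exe"),
        ("update.tmp", SAMPLE_EMF, "cmd.exe"),
    ]:
        print(triage(name, data, proc))
```

A file that matches the name pattern, is written by spoolsv.exe and starts with a metafile header is consistent with what the thread describes; anything else (an executable header, a different writer, a name outside the pattern) deserves a second look rather than being written off as the same false positive.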


  • 6.  RE: Multiple Bloodhound.Exploit.45 detections on print server

    Posted Sep 07, 2010 12:00 PM
    Sandra.g: Actually, I did not receive an email on this particular submission. Can I check on the status of my submission on the website? I didn't see a link to track an existing case on the submission form.

    Also, the tech support rep mentioned that definitions were modified based on the findings. However, these are not static files that are being detected; they are temporary files that are constantly being created and removed. What criteria would they add to the definitions to prevent these from being detected?


  • 7.  RE: Multiple Bloodhound.Exploit.45 detections on print server

    Posted Sep 07, 2010 12:01 PM
    I have already addressed this. Please read my post above. MS05-053 is included in Service Pack 2 for Server 2003, which this system has.


  • 8.  RE: Multiple Bloodhound.Exploit.45 detections on print server

    Posted Sep 07, 2010 04:42 PM

    If you have a technical support case open, you can ask your technician to resend you the closing message. Basically what it's saying is "Symantec is falsely identifying this file as a virus." I am not aware of any way to access submissions externally.

    I don't work in Security Response, so I don't have the back-end knowledge for what is being changed within the definitions to not detect these apparently benign files... and if I did, I probably could not say :)

    sandra