Endpoint Protection


MyPCBackup risk

ℬrίαη, Sep 17, 2014 12:08 PM

  • 1.  MyPCBackup risk

    Posted Sep 16, 2014 10:41 PM
    C:\windows\microsoft.net\framework64\v2.0.50727\config\security.config.cch file quarantined after SEP flagged it as security risk 'my pcbackup'. Does anyone have details on this?


  • 2.  RE: MyPCBackup risk
    Best Answer

    Posted Sep 16, 2014 10:47 PM

    It's considered a PUP, potentially unwanted program.

    "MyPCBackup is a potentially unwanted app that displays ads and popup notifications on the computer."

    Here is the writeup from Symantec:

    http://www.symantec.com/security_response/writeup.jsp?docid=2014-080811-2516-99

    And another link:

    http://www.wikihow.com/Uninstall-MyPC-Backup

    A Google search will reveal a bunch more links to go through.



  • 3.  RE: MyPCBackup risk

    Posted Sep 17, 2014 01:25 AM

    You can remove the application as it counts as a virus

    http://malwaretips.com/blogs/mypc-backup-virus-removal/#uninstall

    Run the symhelp tool to clean your system from other virus activity

    How to run the Threat Analysis Scan in Symantec Help (SymHelp)

    Article:TECH215519  |  Created: 2014-03-03  |  Updated: 2014-07-10  |  Article URL http://www.symantec.com/docs/TECH215519


  • 4.  RE: MyPCBackup risk

    Posted Sep 17, 2014 02:13 AM

    Hi @Nav,

    "You can remove the application as it counts as a virus"

    It is Grayware / Potentially Unwanted Application (see http://www.symantec.com/security_response/glossary/define.jsp?letter=p&word=potentially-unwanted-application) rather than a virus (http://www.symantec.com/security_response/glossary/define.jsp?letter=v&word=virus).  Consider it more of a "risk" than a "threat." A list of other recently-added risk detections can be seen at http://www.symantec.com/security_response/landing/risks/.

    MyPCBackup is definitely annoying, getting installed in unwanted bundles with other noisy PUAs of very limited value and misleading pop-ups.  It will not steal your bank details but many, many customers have requested that Symantec detect and remove it.

    Please do update this thread with news of whether or not this has answered your query!  &: )

    Many thanks,

    Mick



  • 5.  RE: MyPCBackup risk

    Posted Sep 17, 2014 09:01 AM

    What I am trying to find is how I got this? I have not installed any new program except for MS patches.

    Moreover, I did not find this app installed on my computer.



  • 6.  RE: MyPCBackup risk

    Posted Sep 17, 2014 09:02 AM

    It only comes from a download.

    What usually happens is you download a legit file. When you go to do the install, this junkware comes bundled with it and it's strategically hidden/placed so that there is a check box you may need to uncheck during the install to NOT install this stuff. Very tricky....

    CNET.com is well known for doing this...



  • 7.  RE: MyPCBackup risk

    Posted Sep 17, 2014 09:04 AM

    The above is correct. I went to a download site as a test recently and unchecked every check box when installing a free download.  This particular PUA still came along with it and was installed.

    Mick



  • 8.  RE: MyPCBackup risk

    Posted Sep 17, 2014 09:06 AM

    I agree, but I had not downloaded anything that day. All that was done was that I installed a bunch of MS patches through SCCM. I doubt it would come bundled with them :)



  • 9.  RE: MyPCBackup risk

    Posted Sep 17, 2014 09:07 AM

    It's possible this was on there before definitions were detecting it. New defs came out recently, now it's being detected.



  • 10.  RE: MyPCBackup risk

    Posted Sep 17, 2014 09:27 AM

    Thanks Brian.

    I am being asked to find the root cause. Is it possible somehow to trace back its source?



  • 11.  RE: MyPCBackup risk

    Posted Sep 17, 2014 09:30 AM

    Do you have something in place like a proxy to monitor web usage, etc?

    If only using SEP, this won't be likely as it's "after the fact"



  • 12.  RE: MyPCBackup risk

    Posted Sep 17, 2014 10:16 AM

    No. I believe I won't be able to dig deep then. My other concern is I do not see MyPCBackup installed on my computer or in Control Panel. So I was wondering if it is possible that SEP is just flagging the file as having a MyPCBackup "type" of risk.



  • 13.  RE: MyPCBackup risk

    Posted Sep 17, 2014 10:17 AM

    Does the risk log show it was removed/deleted?



  • 14.  RE: MyPCBackup risk

    Posted Sep 17, 2014 10:30 AM

    Logs show it was Quarantined.

     

    Filename - security.config.cch and enterprisesec.config.cch



  • 15.  RE: MyPCBackup risk

    Posted Sep 17, 2014 10:34 AM

    For the ones I've seen, it won't show in Add/Remove Programs but the files you reference are there. More specifically, located at:

    C:\Users\<username>\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\



  • 16.  RE: MyPCBackup risk

    Posted Sep 17, 2014 11:01 AM

    @ Brian - I ran a manual scan and it did refer to the path you mentioned.



  • 17.  RE: MyPCBackup risk

    Posted Sep 17, 2014 11:04 AM

    You should be good to go then if SEP remediated it.

    Finding out how it got there is another story. It typically starts with a download and being bundled with some other legit software.



  • 18.  RE: MyPCBackup risk

    Posted Sep 17, 2014 12:08 PM

    Thanks Brian. I have marked your first post as Solution, which provides detail about the risk.



  • 19.  RE: MyPCBackup risk

    Posted Sep 17, 2014 12:08 PM

    Thanks :)