Endpoint Protection

View Only

Back to discussions

Possible False Positive?

1. Possible False Positive?

0 Recommend
Migration User
Posted Jan 06, 2010 09:18 AM

Reply Reply Privately
I am starting to see a large amount of "Trojan Horse" detections residing in "C:\Windows\winsxs\temp\PendingRenames". In one case I had the machine re-imaged, but the "threat" is still being detected. The Machines in question are Vista SP2, however I am not seeing this 100% wide spread yet.

Any Ideas?
2. RE: Possible False Positive?

0 Recommend
Rafeeq
Posted Jan 06, 2010 09:20 AM

Reply Reply Privately
whats the action taken on these ? quarantinied? or deleted?
3. RE: Possible False Positive?

0 Recommend
Migration User
Posted Jan 06, 2010 09:32 AM

Reply Reply Privately
They are deleted, I would change the primary action so that I can get a sample however since this is a vague detection (Trojan Horse) I don't want to risk not deleting other Trojan Horses.
4. RE: Possible False Positive?

0 Recommend
M Strong
Posted Jan 06, 2010 09:36 AM

Reply Reply Privately
Is the symptom spreading at all?
What are the filenames being detected as 'Trojan'; do they seem like legitimate windows files??
The windows event viewer on the machine in question may have a record of the filename
5. RE: Possible False Positive?

0 Recommend
Rafeeq
Posted Jan 06, 2010 09:43 AM

Reply Reply Privately
hope its not deleting legitimante files
can you paste the complete path and the file name its deleting.

6. RE: Possible False Positive?

Recommend

Migration User

Posted Jan 06, 2010 10:03 AM

The files it is detecting are:

C:\Windows\winsxs\Temp\PendingRenames\bb4e1478bc8eca015a320000680a2807.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\370bd0f5ad8eca01ae030000cc05b00b.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\cf6d3bb6858eca015a320000f40f9c0b.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\593cafcc808eca015a320000240c1803.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\6a24f9215a8eca015a320000640f6405.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\bc9600e6578eca01ae030000640c280c.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\281492f04d8eca016a07000058059405.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\68543d394c8eca015a320000fc04c409.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\152c8cae4b8eca015a3200000412e011.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\49d2547f468eca012d0800003405c005.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\c6370202428eca015a3200008411d812.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\4bfd51383e8eca01e42f0000440e9004.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\f01fa4d6398eca0160320000800f5403.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

C:\Windows\winsxs\Temp\PendingRenames\2074a061288eca016f3200005809c80c.x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e_scecli.dll_149e0f7b

These are just a few.

7. RE: Possible False Positive?

0 Recommend
Migration User
Posted Jan 06, 2010 10:18 AM

Reply Reply Privately
There were few Vulnerabilities with Scecli.dll
So patch you system with all latest windows security updates and run full scan or run mrt scan

Start - run - MRT
8. RE: Possible False Positive?

0 Recommend
Migration User
Posted Jan 06, 2010 01:57 PM

Reply Reply Privately
Okay so I have been narrowing this down. Apparently the image is SP1, and this risk is detected during an upgrade to SP2.
9. RE: Possible False Positive?

0 Recommend
Migration User
Posted Jan 13, 2010 08:55 AM

Reply Reply Privately
We see exactly the same problem.

Now, upgraded clients seem OK. But it is discomforting, to say the least(!), that SEP might be messing with the SP2 upgrade.

Hopefully we can get confirmation from Symantec that this is not hurting anything.

Endpoint Protection

Possible False Positive?

Migration UserJan 06, 2010 09:18 AM

RafeeqJan 06, 2010 09:20 AM

Migration UserJan 06, 2010 09:32 AM

M StrongJan 06, 2010 09:36 AM

RafeeqJan 06, 2010 09:43 AM

Migration UserJan 06, 2010 10:03 AM

Migration UserJan 06, 2010 10:18 AM

Migration UserJan 06, 2010 01:57 PM

Migration UserJan 13, 2010 08:55 AM

1. Possible False Positive?

2. RE: Possible False Positive?

3. RE: Possible False Positive?

4. RE: Possible False Positive?

5. RE: Possible False Positive?

6. RE: Possible False Positive?

7. RE: Possible False Positive?

8. RE: Possible False Positive?

9. RE: Possible False Positive?