Endpoint Protection

  • 1.  Risk name: Microsoft® Windows® Operating System?

    Posted May 01, 2017 10:57 PM

    Just got this alert on one computer running W2012R2 with SEP 12.1.6 MP5, managed by SEPM version 14 MP1. Any idea what is happening and what to do?


    thanks guys!



  • 2.  RE: Risk name: Microsoft® Windows® Operating System?

    Broadcom Employee
    Posted May 01, 2017 11:32 PM

    Are the SONAR settings set to aggressive?

    Submit the file on the submission portal based on your entitlement:

    https://submit.symantec.com/websubmit/essential.cgi for Essential customers

    https://submit.symantec.com/websubmit/bcs.cgi for BCS customers

    I also suggest working with the technical support team for an exclusion, considering the file is detected as a false positive.



  • 3.  RE: Risk name: Microsoft® Windows® Operating System?

    Posted May 02, 2017 05:41 AM

    Hi minli,

    Thanks for the post. This does sound unusual and should be investigated. I recommend that you submit the file to Security Response's False Positives portal if you suspect that this file is not malicious.

    Best Practice when Symantec Endpoint Protection is Detecting a File that is Believed to be Safe
    http://www.symantec.com/docs/TECH98360

    Odd as it sounds, sometimes that name being listed is correct and accurate: those instances are due to "System Change Events", i.e. changes to DNS or the hosts file.


    Symantec Endpoint Protection 12.1: Manager Risk distribution summary report lists "Microsoft Windows Operating System" as a risk name
    http://www.symantec.com/docs/TECH161493

    Please do keep this thread up-to-date with your progress! Feel free to PM me the False Positive tracking number so I can expedite it from our side.



  • 4.  RE: Risk name: Microsoft® Windows® Operating System?

    Posted May 02, 2017 07:37 AM

    This is being detected by the SONAR component. Can you share what your settings for SONAR look like?



  • 5.  RE: Risk name: Microsoft® Windows® Operating System?

    Posted May 02, 2017 08:42 AM

    Had this too on a customer's system today: servermanager.exe, detected as risk SONAR.UACBypass!gen3, same hash as the thread opener.

    https://virustotal.com/de/file/ffb509f4a4e6619fb4535de95a41e7bdf08ac919ac564378e14411440ed9c6a9/analysis/
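    A triage check for a flagged binary like this one, added here as an example (it is not code from any poster or from Symantec); it assumes the Server 2012 R2 default path for ServerManager.exe and reuses the SHA-256 from the VirusTotal link above:

```powershell
# Added example (not from the thread or from Symantec): triage a binary that
# SEP/SONAR flagged, before sending it to the false-positive submission portal.
# Assumes the Server 2012 R2 default location of ServerManager.exe.
function Test-FlaggedBinary {
    param(
        [string]$Path = "$env:SystemRoot\System32\ServerManager.exe",
        # SHA-256 quoted in this thread (the VirusTotal link above)
        [string]$KnownHash = 'ffb509f4a4e6619fb4535de95a41e7bdf08ac919ac564378e14411440ed9c6a9'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $ver  = (Get-Item -LiteralPath $Path).VersionInfo

    [pscustomobject]@{
        Path            = $Path
        SHA256          = $hash
        MatchesThread   = ($hash -eq $KnownHash.ToLowerInvariant())
        SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject
        FileVersion     = $ver.FileVersion
        CompanyName     = $ver.CompanyName
    }
}

# Run on the server that raised the alert, from an elevated PowerShell session.
Test-FlaggedBinary | Format-List
```

    A hash matching the one above together with a valid Microsoft signature supports the false-positive case, but SONAR judges behaviour rather than file content, so the submission portal remains the authoritative verdict.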




  • 6.  RE: Risk name: Microsoft® Windows® Operating System?

    Posted May 02, 2017 09:28 AM

    I also had a customer that got the same alert. Looks like a false positive?

    Can you confirm Mick?



  • 7.  RE: Risk name: Microsoft® Windows® Operating System?

    Posted May 02, 2017 11:02 AM

    Having exactly the same detection here too.



  • 8.  RE: Risk name: Microsoft® Windows® Operating System?

    Posted May 02, 2017 12:00 PM

    This is being investigated now as a high priority.



  • 9.  RE: Risk name: Microsoft® Windows® Operating System?

    Posted May 02, 2017 10:07 PM

    Thanks all.

    I am in contact with the server admin to get this exe file so I can submit it.

    This alert has been happening since 28 Apr, and only on W2012R2 I believe.



  • 10.  RE: Risk name: Microsoft® Windows® Operating System?
    Best Answer

    Posted May 03, 2017 04:33 AM

    Hello minli and all other followers of this thread,

    Good news: the investigation is now complete. This detection has been confirmed to be a False Positive and has been corrected. Run LiveUpdate to receive PTP/SONAR/BASH definitions with the version May 02, 2017 rev: 01 (20170502.001) in order to avoid this FP.

    Please do update this thread with confirmation that this has resolved the detections for you!



  • 11.  RE: Risk name: Microsoft® Windows® Operating System?

    Posted May 03, 2017 09:33 PM

    Thank you all, especially Mick, for the great support!