Endpoint SWAT: Protect the Endpoint Community

Hi all, 

SEPM reported an alert yesterday, and both the alert email itself, plus the Details view from within Monitors > Risk, show nothing about the path of this file.  It was picked up via a Scheduled Scan based on file signature hash - a 2 year old variant too so not fancy - and shows up as (without the quotes) "> >support.exe"..  I realize a Scheduled Scan could have found something only in memory and not on disk, perhaps that's why it shows no file path, but I'm surprised SEP doesn't say someting like "in memory" or something. 

I do plan to upgrade SEPM to 14.1 pretty soon but generally speaking, file-based detections in the past have always shown me the file path too.  

What's up with that moneky business? 

For what it's worth, the alert email indicates Quarantined: 1, and Deleted: 1.  Yet, Monitors > Risk inside SEPM only shows Quarantine and no mention of Deleted.  SEP on the client side has no files in it's Quarantine.  

No action was taken by me (the only admin) to delete the file from Quanrtine if that helps.  Also, the user was SYSTEM when I view the alert details so maybe it Deleted it after Quarantining it, based on some criteria I don't understand? 

Does it show 'Unavailable' or it's just blank? If 'Unavailable' then that's because it was caught before it hit the disk. If blank, no idea.

I didn't see a place to edit my original but just wanted to add that the Deleted item turned out to be a Tracking Cookie found after I ran a manual full scan last night.  

Also the virus name was: Heur.AdvML.C, so a generic detection that I've seen many times.  My main concern is that it was found on a server with user's home directories - the question I can't answer is whether this file was in a user foldedr or on the actual server - SEP being of no help in listing where the file was found.  

Hi Brian, if you mean the File Path column from the summary view in Monitors, it only states >>support.exe

The details view of same shows: 

Risk Information

I haven't seen this before. Definitely looks odd and I don't see anything in the documentation. Maybe someone from symc will weigh in on it.

Hope so.  Interesting to note that the file size was 0.  And for a 2-year old known file, that's kind of odd.  Feels more like a bug in SEP.  It's also a big of an oxymoron to have a 2 year old file hash be seen as a heuristic detection, though perhaps it's just to say that Symantec has heuristically detected a billion variants since May 2016 and haven't really given a name to each :)

Just an update, don't know why I didn't think to do this but we had an additional detection again on the ssame computer, and so I took the file hash and put it into VirusTotal and it came back as support.exe which seems to be associated with QuickBooks, which is in fact running on the server.  Not that I'd draw conclusions from this potential coincidence but 0/67 companies found this hash to be malware, so I'll live with that.  Funny enough, SEP sees it as an advanced heuristic malware, yet Symantec, under Virus Total, sees it as clean.  I'm guessing Symantec is just providing Norton-level data to VirusTotal perhaps.  

Still dosn't explain why each detection (3 in total since including when I posed), never actually put any file in quarantine even tuough it says it did, and how I can never find the support.exe file, except in the QB folder, but manually scanning the file itself never produces a detection, yet, each time I get an alert, it was from a Scheduled Scan.  

I can only conclude by guessing that "> >support.exe" as the dettection data indicates, is an unpacked version runing in memory perhaps with different file characteristics than it's dormant on-disk version and the Scheduled Scan is finding it there, Shrug.  

Hey Mixit, 

Heuristic scanning is tricky, it looks for odd ball things in a file. My anaolgy is someone walks into Mcdonalds in the middle of summer with a huddie and a crow bar walks up to the counter and orders a HAPPY MEAL and walks out. LOL

We saw something similar recently, but the file info was just underscores.

Risk Information

Has anyone else seen something like this before? We are running SEPM 14.2.

We are running version 14.2 build 1015 and I've had a simliar event happen with a file: >>file_BIN_PVEXPRESS.EXE. No original location for the file and no entry locally on the machine's SEP in the quarantine list. Did some checking on the file and it's a file found in a software product that we use. Could it be a hit for a reference to the file somewhere? 

I just saw this thread and it's been bothing me for a while.

When a virus file is deleted / cleaned from inside an archive file, I could see no proper file path documented in the warning infomation, like you. Only the Archive Name of the archive that was cleaned or deleted is shown. This is not enough information, and you are left wondering where was the archive was actually located. I have been forced to seach for them manually and have found them that way. How annoying and what a massive oversight. The worst nightmare maybe that Symantec had been cleaning / deleting / quaratining files within archives for years without proper notification before I noticed. Month after month making swizz cheese of your archives and incubating big problems for the future. Or am I not seeing the whole picture? I'm just saying...Is that whats happening?

LOL sorry I took until now to see your post - Connect forums' email alert feature has been busted for years so I only get 10% of the email notifications telling me my post was replied to.  

Still laughing at the analogy.  

30 seconds later, still laughing.  Ok time to click Save.  

That is a fascinating point.  I have no comment as I don't have a clue.  

But very interestingly, as you mention that part about opening archive files to scan (like zip files), I do notice that when I go to run a QuickBooks update on the server, the patch process ALWAYS FAILS.  I wonder if Symantec has been going in there and deleting the file (support.exe), and this has been tripping up the process.  Since my alerts are always this >>Support.exe and VirusTotal says the file hash is a QB file with 0 / 67 security companies flagging as bad, probably this is what'shappeng.  Oh man, rarely after decades of IT support do I get excited about stuff but that would be so cool if that was the problem all along.  

If I figure out that's what it is, I will track down this thread and post a big thanks.  Might be a while though, I just got done dealing with that frigging Microsoft patch KB4480970 causing share folders to stop working on all 2008 R2 servers (yeah).  

We are getting this almost daily. 1-4 machines per day in an environment with over 500 machines. Every risk has a different Hash no file or path just >>___________. What is this and how do you trace it? I can't submit it to Symantec because there is no file to attach. It has been going on for over a year. We are also running SEPM 14.2, but it has happened with previous versions. Our first occurance was January 2018.

We are also seeing file paths/application names beginning with >> and no other useful information.