Hey
I've gotten 2 similar virus alerts recently and it is unclear from where they originate. It's a small business with 1 LAN, 10 users and 15 PCs running Win7Pro 32bit.
One alert says:
Source: External Media
...and there is no guidance on how to interpret that, e.g. if it's USBs & CDs or just a generic term for something.
The other alert is not logged in the client logs, which is odd. I just have the alert email and cloud log.
It is not unheard of that hapless end users try to remove evidence of errors in order to escape the wrath of some management, though.
-> Deliberate malicious removal of log entries is not a top suspect.
Nevertheless, 2 alerts with similar patterns with no clear indication of their origin is... "interesting".
So, what does
Source: External Media
actually indicate in this context?
...and any pointers or information on what kind of relevant activity happens in files like
Infected file: c:\Windows\System32\ 00026202.tmp Removed
Infected file: c:\Windows\System32\ 00009493.tmp Removed
Infected file: c:\Windows\System32\ 00012746.tmp Removed
Infected file: c:\Windows\System32\ 00012652.tmp Removed
Infected file: c:\Windows\System32\ 00032759.tmp Removed
Infected file: c:\Windows\System32\ 00012277.tmp Removed
...is appreciated.
cheers
Erik
1.
----------------------------------
Filename: 00026202.tmp
Threat name: Downloader
Full Path: c:\Windows\System32\00026202.tmp
____________________________
____________________________
On computers as of
2018-10-31 at 12:10:40
Last Used
2018-10-31 at 12:13:22
Startup Item
No
Launched
No
Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.
____________________________
00026202.tmp Threat name: Downloader
Locate
Very Few Users
Fewer than 5 users in the Symantec Community have used this file.
Very New
This file was released less than 1 week ago.
High
This file risk is high.
____________________________
Source: External Media
Source File:
00026202.tmp
____________________________
File Actions
Infected file: c:\Windows\System32\ 00026202.tmp Removed
Infected file: c:\Windows\System32\ 00009493.tmp Removed
Infected file: c:\Windows\System32\ 00012746.tmp Removed
Infected file: c:\Windows\System32\ 00012652.tmp Removed
Infected file: c:\Windows\System32\ 00032759.tmp Removed
Infected file: c:\Windows\System32\ 00012277.tmp Removed
2.
-------------------------------------------------
A high-risk incident was detected .[... edited ...]
Incident Details
00032053.tmp (Trojan.Dropper) detected by Virus scanner
Threat Name
Trojan.Dropper
Threat Type
Virus
File Name
c:\windows\system32\00032053.tmp
Action Required
To resolve this security risk a reboot is required