Endpoint Protection Cloud

  • 1.  SEP SBE Cloud - 2 separate virus alerts

    Posted Nov 13, 2018 09:37 AM

    Hey

    I've gotten 2 similar virus alerts recently and it is unclear from where they originate. It's a small business with 1 LAN, 10 users and 15 PCs running Win7Pro 32bit. 

    One alert says: 
    Source: External Media

    ...and there is no guidance on how to interpret that, e.g. if it's USBs & CDs or just a generic term for something.

    The other alert is not logged in the client logs, which is odd. I just have the alert email and cloud log.
    It is not unheard of that hapless endusers try to remove evidence of errors in order to escape the wrath of some management, though.
    -> Deliberate malicious removal of log entries is not a top suspect. 

    Nevertheless, 2 alerts with similar patterns with no clear indication of their origin is... "interesting".

    So, what does 
    Source: External Media
    actually indicate in this context?

    ...and any pointers or information on what kind of relevant activity happens in files like

    Infected file: c:\Windows\System32\ 00026202.tmp Removed
    Infected file: c:\Windows\System32\ 00009493.tmp Removed
    Infected file: c:\Windows\System32\ 00012746.tmp Removed
    Infected file: c:\Windows\System32\ 00012652.tmp Removed
    Infected file: c:\Windows\System32\ 00032759.tmp Removed
    Infected file: c:\Windows\System32\ 00012277.tmp Removed

    ...is appreciated.

    cheers

    Erik

    1.
    ----------------------------------

    Filename: 00026202.tmp
    Threat name: Downloader
    Full Path: c:\Windows\System32\00026202.tmp

    ____________________________

    On computers as of: 2018-10-31 at 12:10:40
    Last Used: 2018-10-31 at 12:13:22
    Startup Item: No
    Launched: No

    Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.

    ____________________________

    00026202.tmp Threat name: Downloader

    Very Few Users: Fewer than 5 users in the Symantec Community have used this file.
    Very New: This file was released less than 1 week ago.
    High: This file risk is high.

    ____________________________

    Source: External Media
    Source File: 00026202.tmp

    ____________________________

    File Actions

    Infected file: c:\Windows\System32\ 00026202.tmp Removed
    Infected file: c:\Windows\System32\ 00009493.tmp Removed
    Infected file: c:\Windows\System32\ 00012746.tmp Removed
    Infected file: c:\Windows\System32\ 00012652.tmp Removed
    Infected file: c:\Windows\System32\ 00032759.tmp Removed
    Infected file: c:\Windows\System32\ 00012277.tmp Removed

    2.
    -------------------------------------------------

    A high-risk incident was detected. [... edited ...]

    Incident Details
    00032053.tmp (Trojan.Dropper) detected by Virus scanner
    Threat Name: Trojan.Dropper
    Threat Type: Virus
    File Name: c:\windows\system32\00032053.tmp
    Action Required: To resolve this security risk a reboot is required




  • 2.  RE: SEP SBE Cloud - 2 separate virus alerts

    Posted Nov 14, 2018 04:14 AM
    Hi Erik,

    Generally external media means something like a USB stick or removable external HDD, not CD/DVD. Those files are *.tmp files, and temporary by nature. They are generically created by applications and should be cleaned up. Sometimes, they aren't. Those files are being infected by whatever infected external media was inserted into a PC and then SEP SBE did its job and cleaned the files by removing them.

    What I would do if I was you is narrow this down and find the PC that this was generated from, and go speak to the user. Let them know whatever they have put into the PC has a virus on it. And possibly look at an application to prevent this.

    Thanks!


  • 3.  RE: SEP SBE Cloud - 2 separate virus alerts

    Posted Nov 14, 2018 08:44 AM

    Hey, thanks for answering.

    The user in question says they were at lunch at the time, which makes this... "interesting".

    That is why the accuracy of the Symantec heading: "external media" is of some relevance.

    BYOD & external USB device blocking is not really an option. Logging and profiling external/temporary devices on the LAN and clients would be interesting, though.

    cheers
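
    The logging the post above asks for can be started with what Windows 7 already records. The script below is an added example for this thread, not Symantec's code and not the poster's: run on one client, it lists every USB mass-storage device Windows has ever enumerated (the USBSTOR registry tree), recovers each device's first-connection time from setupapi.dev.log, and pulls user-mode driver framework events in a window around the alert time, so a "Source: External Media" detection can be tied to a specific PC and device. It assumes an elevated PowerShell 2.0 or later session; the only page-derived value is the alert timestamp from the first post, and the 30-minute window, file names and function names are my own choices.

```powershell
# Added example (not from the thread or from Symantec): USB mass-storage
# history on a Windows 7 client, to match against an "External Media" alert.
# Assumes an elevated PowerShell 2.0+ session on the client being examined.
param(
    # Timestamp quoted in the first alert of the thread ("On computers as of").
    [datetime]$AlertTime = [datetime]::ParseExact('2018-10-31 12:10:40', 'yyyy-MM-dd HH:mm:ss', $null),
    [int]$WindowMinutes = 30   # assumed search window either side of the alert
)

# 1. Every USB storage device Windows has enumerated leaves a subkey under
#    USBSTOR: <vendor&model>\<serial or instance id>, with a FriendlyName value.
#    This is an inventory only; the registry provider exposes no timestamps.
function Get-UsbStorageHistory {
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    foreach ($model in Get-ChildItem $root) {
        foreach ($instance in Get-ChildItem $model.PSPath) {
            $props = Get-ItemProperty $instance.PSPath
            New-Object PSObject -Property @{
                Computer     = $env:COMPUTERNAME
                Model        = $model.PSChildName
                InstanceId   = $instance.PSChildName   # usually the device serial number
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# 2. setupapi.dev.log records the FIRST time each device was installed:
#    ">>>  [Device Install (Hardware initiated) - USBSTOR\...]" followed by
#    ">>>  Section start yyyy/MM/dd HH:mm:ss.fff". Re-plugs of a known device
#    do not appear here; that is what the event log in step 3 is for.
function Get-UsbFirstInstallTimes {
    param([string]$LogPath = "$env:SystemRoot\inf\setupapi.dev.log")
    if (-not (Test-Path $LogPath)) { return @() }
    $pending = $null
    foreach ($line in Get-Content $LogPath) {
        if ($line -match '^>>>\s+\[Device Install \(Hardware initiated\) - (USBSTOR\\[^\]]+)\]') {
            $pending = $matches[1]
        } elseif ($pending -and $line -match '^>>>\s+Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})') {
            New-Object PSObject -Property @{
                Computer  = $env:COMPUTERNAME
                DeviceId  = $pending
                FirstSeen = [datetime]::ParseExact($matches[1], 'yyyy/MM/dd HH:mm:ss', $null)
            }
            $pending = $null
        }
    }
}

# 3. Microsoft-Windows-DriverFrameworks-UserMode/Operational logs every plug-in
#    (2003 = UMDF host asked to load a driver; 2100-2102 = PnP/power operations).
#    It is disabled by default on Windows 7; enable it going forward with:
#      wevtutil sl Microsoft-Windows-DriverFrameworks-UserMode/Operational /e:true
function Get-UsbEventsNearAlert {
    param([datetime]$At, [int]$Minutes)
    $filter = @{
        LogName   = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
        Id        = 2003, 2100, 2101, 2102
        StartTime = $At.AddMinutes(-$Minutes)
        EndTime   = $At.AddMinutes($Minutes)
    }
    # SilentlyContinue: Get-WinEvent raises an error when no events match.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Computer    = $env:COMPUTERNAME
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Message     = ($_.Message -replace '\s+', ' ')
            }
        }
}

# Write per-machine CSVs (collect them centrally from each of the 15 PCs), then
# print the quick answer: devices first connected inside the window around the alert.
$prefix = Join-Path $env:TEMP $env:COMPUTERNAME
Get-UsbStorageHistory    | Export-Csv "$prefix-usbstor.csv"   -NoTypeInformation
Get-UsbFirstInstallTimes | Export-Csv "$prefix-usb-first.csv" -NoTypeInformation
Get-UsbEventsNearAlert -At $AlertTime -Minutes $WindowMinutes |
    Export-Csv "$prefix-usb-events.csv" -NoTypeInformation

Get-UsbFirstInstallTimes |
    Where-Object { [math]::Abs(($_.FirstSeen - $AlertTime).TotalMinutes) -le $WindowMinutes } |
    Format-Table Computer, FirstSeen, DeviceId -AutoSize
```

    Two caveats when reading the output. The setupapi log only dates a device's first installation on that PC, so a stick that had been used there before will not show up in the final table; only the DriverFrameworks event log catches repeat insertions, and since it is off by default on Windows 7, enabling it on every client is the cheap way to get the "logging and profiling" asked for above before the next alert. Also, a device-level history says which hardware was present, not who inserted it: a machine left unlocked over lunch can still be the source even when its user was away.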

     



  • 4.  RE: SEP SBE Cloud - 2 separate virus alerts

    Posted Nov 16, 2018 08:15 AM

    This thread is ongoing and a solution is not yet at hand... watch this space...



  • 5.  RE: SEP SBE Cloud - 2 separate virus alerts

    Posted Nov 29, 2018 03:48 PM

    Hi,

    Can you open a support ticket for this, that way we can monitor it better?