Endpoint Protection


Suddenly out of the blue...Suspicious.Lop.2

  • 1.  Suddenly out of the blue...Suspicious.Lop.2

    Posted Apr 21, 2010 05:09 AM

    Hi all,

    Nothing that I'm aware of has been changed in the config of how our Symantec Anti-virus (10.1.8.8000) works but for the past couple of days we have started to get hundreds of virus alerts reporting things like below:

    Alert: 806

    Virus name: Suspicious.Lop.2

    Computer: LAPTOP

    IP address: 10.10.10.10

    File/Path: C:/Masters/Sysprep/mysysprep.exe

    User: SYSTEM

    Alert date/time in reporting server time: 2010-04-17 13:42:08

    Database insert date/time: 2010-04-21 09:52:02

    Source: Auto-Protect scan

    I have read into what this kinda means - but my main question is has something been turned on for this to just start happening or has something been added to one of the latest virus definitions for this?

    Kind regards,

    Anthony



  • 2.  RE: Suddenly out of the blue...Suspicious.Lop.2

    Posted Apr 21, 2010 07:20 AM
    Plus why would this be a threat:

    Alert: 814

    Virus name: Suspicious.Lop.2

    Computer: DESKTOP

    IP address: 10.10.10.10

    File/Path: C:/Documents and Settings/All Users.WINDOWS/Application Data/Symantec/Symantec AntiVirus Corporate Edition/7.5/APTemp/APQ1F7.tmp

    User: USER

    Alert date/time in reporting server time: 2010-04-21 12:05:3



  • 3.  RE: Suddenly out of the blue...Suspicious.Lop.2

    Posted Apr 22, 2010 07:59 AM
    Has no one got an idea on this?

    I'm putting it down as maybe a mistake in the virus defs signatures?


  • 4.  RE: Suddenly out of the blue...Suspicious.Lop.2

    Posted Apr 22, 2010 08:49 AM
    Hi

    How many clients are affected?

    Have you tried to contact support?

    http://securityresponse.symantec.com/en/sg/security_response/writeup.jsp?docid=2010-020300-4007-99


  • 5.  RE: Suddenly out of the blue...Suspicious.Lop.2

    Posted Apr 22, 2010 09:57 AM
    Haven't yet responded to support

    but about 600 of our clients are reporting Suspicious.Lop.2 on files I believe are not at fault!
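    A triage script for an alert storm of this kind, added here as an example and not part of the thread or of Symantec's tooling: it parses the reporting-server alert layout quoted in posts 1 and 2, groups hits by detection name and path, and attaches false-positive hints (one identical file tripping a heuristic "Suspicious.*" name across many hosts, or a hit inside the product's own APTemp folder). The sample alert numbers, host names and the invoice.exe entry are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the alerts quoted in this thread
# (alert numbers, host names and the last file are made up).
SAMPLE_ALERTS = """\
Alert: 806
Virus name: Suspicious.Lop.2
Computer: LAPTOP01
File/Path: C:/Masters/Sysprep/mysysprep.exe

Alert: 807
Virus name: Suspicious.Lop.2
Computer: LAPTOP02
File/Path: C:/Masters/Sysprep/mysysprep.exe

Alert: 814
Virus name: Suspicious.Lop.2
Computer: DESKTOP
File/Path: C:/Documents and Settings/All Users.WINDOWS/Application Data/Symantec/Symantec AntiVirus Corporate Edition/7.5/APTemp/APQ1F7.tmp

Alert: 815
Virus name: Trojan.Gen
Computer: DESKTOP09
File/Path: C:/Users/bob/Downloads/invoice.exe
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")  # "Key: value", split on first colon

def parse_alerts(text):
    # One dict per blank-line-separated alert block; keys are the field names.
    blocks = re.split(r"\n\s*\n", text.strip())
    recs = (dict(m.groups() for m in map(FIELD.match, b.splitlines()) if m) for b in blocks)
    return [r for r in recs if r]

def triage(alerts, min_hosts=2):
    # Group by (detection name, path); hints only, the vendor's verdict on a
    # submitted sample decides whether a flagged group is a false positive.
    hosts = defaultdict(set)
    for a in alerts:
        hosts[(a.get("Virus name", ""), a.get("File/Path", ""))].add(a.get("Computer"))
    report = []
    for (name, path), seen in hosts.items():
        reasons = []
        if name.startswith("Suspicious.") and len(seen) >= min_hosts:
            reasons.append(f"heuristic name on identical path across {len(seen)} hosts")
        if "/aptemp/" in path.lower():
            reasons.append("inside the AV product's own APTemp folder")
        report.append({"virus": name, "path": path, "hosts": len(seen), "reasons": reasons})
    return sorted(report, key=lambda r: (-len(r["reasons"]), -r["hosts"]))
```

    Groups with no reasons attached sort last and are the ones to treat as ordinary detections; flagged groups are the candidates to submit for analysis before any mass clean-up.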


  • 6.  RE: Suddenly out of the blue...Suspicious.Lop.2

    Posted Apr 22, 2010 12:04 PM
    Have you increased the Proactive Threat Scan sensitivity or the Bloodhound heuristic level?


  • 7.  RE: Suddenly out of the blue...Suspicious.Lop.2

    Posted Apr 22, 2010 12:36 PM
    Vikran, SAV 10.1.8.8000 doesn't have Proactive Threat Scan. That functionality is only in SEP, isn't it?


  • 8.  RE: Suddenly out of the blue...Suspicious.Lop.2

    Posted Apr 22, 2010 12:49 PM

    Please submit these files to Security Response for analysis.

    http://www.symantec.com/business/security_response/submitsamples.jsp

    If you do not have an account then submit the files to ThreatExpert for analysis.

    http://www.threatexpert.com/default.aspx

    We can then see if these files are true threats or not.


  • 9.  RE: Suddenly out of the blue...Suspicious.Lop.2

    Posted Apr 23, 2010 05:51 AM
    Vikran - in Auto-Protect advanced options the heuristic level is set at the default level, which I believe it has always been set to.

    I have now submitted our sysprep file to the 2 locations above to see what happens.

    I just can't understand why Symantec would be complaining about its own .tmp file! C:/Documents and Settings/All Users.WINDOWS/Application Data/Symantec/Symantec AntiVirus Corporate Edition/7.5/APTemp/APQ1F7.tmp


  • 10.  RE: Suddenly out of the blue...Suspicious.Lop.2

    Posted Apr 23, 2010 05:55 AM

    I had this from Symantec:

    mysysprep.exe is falsely identified as malicious. To fix this problem, please install the latest available definitions by following the instructions at the end of this email message.



  • 11.  RE: Suddenly out of the blue...Suspicious.Lop.2

    Posted Apr 23, 2010 06:01 AM
    OK, so it was a false positive and it has been fixed, right? However, is this sysprep.exe a utility customised by you, or is it by some vendor? 'Cos I haven't seen anybody else with this issue (on the forum).