Endpoint Protection

  • 1.  Symantec detected "io.sys and msdos.sys" as WS.Reputation.1

    Posted Apr 12, 2018 07:57 AM

    Hi Team,

    We have SEPM version 14. We have found that Symantec has been detecting the files "io.sys and msdos.sys" as WS.Reputation.1; they have been quarantined and deleted by SEPM, but we still see those files on the system, with a size of 0 KB.

    Also, we have observed that those files (io.sys and msdos.sys) are created by the process "ntvdm.exe", and this file belongs to Microsoft and is a genuine process.

    Date | Size | File
    03/14/2018 07:34 AM GMT | 0 | IO.SYS
    03/14/2018 07:34 AM GMT | 0 | MSDOS.SYS

    Symantec Logs:

    Filename | Risk | Original Location | Computer | Current Location | Primary Action | Secondary Action | Action Description | Date and Time
    msdos.sys | WS.Reputation.1 | c:\ | D00070-0061 | Quarantine | Restart Required - Quarantine | Restart Required - Delete | Restart Required - The file was quarantined successfully. | 12/4/2018 10:19
    io.sys | WS.Reputation.1 | c:\ | D00070-0061 | Quarantine | Restart Required - Quarantine | Restart Required - Delete | Restart Required - The file was quarantined successfully. | 12/4/2018 10:18
    msdos.sys | WS.Reputation.1 | c:\ | D00070-0061 | Quarantine | Quarantine | Delete | Performed Post-Reboot Risk Processing. | 12/4/2018 9:54
    msdos.sys | WS.Reputation.1 | c:\ | D00070-0061 | Quarantine | Quarantine | Delete | Performed Post-Reboot Risk Processing. | 12/4/2018 9:54

    Hash value of files io.sys and msdos.sys : E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 

    Files path: C:/ io.sys and C:/ msdos.sys

    Please confirm on what basis Symantec is detecting those files io.sys and msdos.sys as WS.Reputation.1, and let us know the reason.



  • 2.  RE: Symantec detected "io.sys and msdos.sys" as WS.Reputation.1

    Posted Apr 12, 2018 10:13 AM

    Could be from a legit file:

    https://www.virustotal.com/#/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855/detection

    Is Download Insight detecting these as 'unknown'?
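
A check worth running on the posted hash before using it for a reputation lookup, as an added example that is not part of the thread or of any Symantec tooling: the value given for both files is the SHA-256 of zero bytes, which matches the 0-byte sizes in the listing, so a lookup on it describes every empty file rather than io.sys or msdos.sys specifically. The function names `classify_hash` and `triage` are hypothetical, and the third sample row is constructed.

```python
import hashlib

# Hex-digest length -> algorithm, for the hash types AV consoles usually log.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# The SHA-256 value posted in the thread for both io.sys and msdos.sys.
THREAD_HASH = "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"


def classify_hash(hex_hash):
    """Return (kind, algo): kind is 'empty-content', 'content' or 'invalid'."""
    h = hex_hash.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(h))
    if algo is None or any(c not in "0123456789abcdef" for c in h):
        return ("invalid", None)
    # Digest of zero bytes, computed rather than hard-coded.
    if h == hashlib.new(algo, b"").hexdigest():
        return ("empty-content", algo)
    return ("content", algo)


def triage(records):
    """records: (filename, size_in_bytes, hex_hash) -> list of (filename, verdict)."""
    out = []
    for name, size, hex_hash in records:
        kind, _ = classify_hash(hex_hash)
        if kind == "invalid":
            verdict = "unusable hash"
        elif kind == "empty-content":
            # Every zero-byte file shares this digest, so a lookup on it says
            # nothing about this particular file name or path.
            verdict = "empty-file digest" if size == 0 else "size/hash mismatch"
        else:
            verdict = "size/hash mismatch" if size == 0 else "lookup meaningful"
        out.append((name, verdict))
    return out


# Constructed input: the two rows from the thread plus one made-up non-empty file.
SAMPLE = [
    ("IO.SYS", 0, THREAD_HASH),
    ("MSDOS.SYS", 0, THREAD_HASH),
    ("example.bin", 5, hashlib.sha256(b"hello").hexdigest()),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE):
        print(f"{name}: {verdict}")
```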



  • 3.  RE: Symantec detected "io.sys and msdos.sys" as WS.Reputation.1

    Posted Apr 12, 2018 02:35 PM
    Yes, I have already checked on VirusTotal; it's not showing as malicious. But Symantec AV detected those files io.sys and msdos.sys as WS.Reputation.1. May I know what the reason behind this is? Please help with the same.


  • 5.  RE: Symantec detected "io.sys and msdos.sys" as WS.Reputation.1

    Posted Apr 12, 2018 02:36 PM

    It's from Download Insight:

    https://www.symantec.com/security_response/writeup.jsp?docid=2010-051308-1854-99

    ...which uses reputation to make a determination on whether a file is malicious or not.



  • 6.  RE: Symantec detected "io.sys and msdos.sys" as WS.Reputation.1

    Posted Apr 12, 2018 02:36 PM
    As I have already shared the Symantec AV logs.


  • 8.  RE: Symantec detected "io.sys and msdos.sys" as WS.Reputation.1

    Posted Apr 13, 2018 03:03 AM

    We are checking reputation on VirusTotal and open-source malware analysis tools like Hybrid Analysis and sandbox.pikker.ee.



  • 9.  RE: Symantec detected "io.sys and msdos.sys" as WS.Reputation.1

    Posted Sep 21, 2018 03:41 AM

    Io.sys is the Microsoft file that stores the information of driver files, and if you want to fix this error then you have to scan your PC with any known malware program.