FireAMP and Symantec SEP competing over virus files

Skjalg Eggen · ‎08-25-2016

getting tons of Malware detection on the same file on same client.

Detected W32.817749988C-95.SBX.TG as dwh3026.docm(8177499..a2b605)[PE Executable] .

Created by ccSvcHst.exe, Symantec Security Technologies 10.2.1.2 (0b3fe2f..eae844)[PE Executable] executing as u@NT AUTHORITY.

The file was quarantined.

It would apear that SEP is the creator of the file in temp and FireAMP triggers on it.

I see this on multiple clients, we have exluded SEP in FireAMP and FireAMP in SEP.

Any one experiencing the same issue?

kwalcott · ‎09-13-2016

Hello Skalg,

Excluding the Symantec folder or process does not exclude the files that the process spawns from the fireAMP connector. These files will still be looked up unless they are excluded.

For example if you can see a pattern for the files created in the temp folder by SEp then you can craft an appropriate wildcard exclusion for these file.

e.g.: c:\users\*\appdata\temp\dwh*.docm.

For some context on why this particular sample was convicted by FireAMP, the detection name indicates that it scored a ThreatScore of 95 when analyzed in the AMP ThreatGrid Sandbox environment.

For even more third party details see: https://www.virustotal.com/en-gb/file/817749988c9544a6141cef718684b86fa17345d2f309cf5390faf3c4a8a2b605/analysis/1471299106/

The sample contains Macros which download additional files and instructions scoring a 39/56 detection ratio on VirusTotal at the time of this post.

Let me know if this helps you understand the issue.