Channel: Symantec Connect - Endpoint Protection - Discussions

Help me understand this

I need a solution

SEPM 12.1.4023.4080 and SEP version 12.1.4013.4013 on Windows XP SP3. SEPM is configured to send email notification.

I received the following notification in February 2014:

At least one security risk found:

Risk name: W32.IRCBot
File path: e:\data\system\xp.exe
Event time: Feb 21, 2014 3:26:37 PM
Database insert time: Feb 24, 2014 10:28:16 AM
Source: DefWatch
Description: ""
User: SYSTEM
Computer: NETVISTA
IP Address: 192.168.20.25
Domain: Default
Server: SEPMSERVER
Client Group: My Company\MY Antivirus
Action taken on risk: Details pending
This alarm was generated at Feb 24, 2014 10:30:49 AM (Reporter host Time).

I went to the affected computer to find out what is going on. Show hidden files and folders is selected and Hide protected OS files (Recommended) is UNselected. E drive is a 2GB flash drive. I can't find anything. Data folder does not even exist in the E drive. Then I formatted E (flash drive) just to be sure that the offending EXE file is erased. I also did a full scan on that computer hard drive and flash drive (before formatting the flash drive). Nothing found.

I got another email notification earlier today:

At least one security risk found:

Risk name: W32.IRCBot
File path: e:\data\system\xp.exe
Event time: Mar 11, 2014 2:29:56 PM
Database insert time: Mar 11, 2014 2:30:56 PM
Source: DefWatch
Description: ""
User: SYSTEM
Computer: NETVISTA
IP Address: 192.168.20.25
Domain: Default
Server: SEPMSERVER
Client Group: My Company\MY Antivirus
Action taken on risk: Cleaned by deletion
This alarm was generated at Mar 11, 2014 2:33:16 PM (Reporter host Time).

What is going on here? The user has not used the flash drive anywhere else except that same (NETVISTA) computer that she's been using since February.

