The other day I started noticing that our SEP clients were saying that install_flash_player.exe was a Trojan Horse. I got a lot of alerts like the one below:

At least one security risk found:
Risk name: Trojan Horse
File path: C:\Documents and Settings\username\My Documents\Downloads\install_flash_player.exe
Event time: 2010-01-28 09:35:13 GMT
Database insert time: 2010-01-28 15:25:05 GMT
User: SYSTEM
Computer: XXXXXXXXXX
IP Address: 0.0.0.0
Domain: system
Server: XXXXXXXXXX
Client Group: My Company\XXXX
Action taken on risk: Quarantined
We found this thread on Symantec's forum:
And this on Internet Storm Center:
To eliminate this issue you need to update your virus definitions to 1/28/2010 rev. 20 or later; that takes care of the false positive detection.
Unfortunately, today I started seeing Spotify.exe get captured on our UK machines. Spotify is a music service in the UK. The file name and location, and the fact that 3 machines sent an alert all at once, make me think that this might be another false positive, so now we need to open a ticket with Symantec and work with our UK folks to find out. For anyone running SEP, I strongly encourage you to enable Single Risk Event emails and read them. That's how I caught the Flash issue and now the possible Spotify issue.
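The triage heuristic above (the same file name quarantined on several machines within minutes of each other is more likely a bad definition than a real outbreak) is easy to automate over the Single Risk Event emails. The script below is an added example, not code from the post or from Symantec: it parses the single-line alert format shown above, groups events by file name, and flags any file that hit a configurable number of distinct computers inside a short window. The alert strings, host names and timestamps are constructed for the example.

```python
"""Group SEP Single Risk Event alerts by file name and flag likely false positives.

Added example: parses the one-line alert body format quoted in the post and
reports files quarantined on several distinct hosts within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def _alert(path, event_time, computer):
    # Builds a constructed alert string in the same layout as the SEP email body.
    return (
        "At least one security risk found: Risk name: Trojan Horse "
        f"File path: {path} Event time: {event_time} GMT "
        f"Database insert time: {event_time} GMT User: SYSTEM "
        f"Computer: {computer} IP Address: 0.0.0.0 Domain: system "
        "Server: SEPMGR01 Client Group: My Company\\UK Action taken on risk: Quarantined"
    )


# Constructed sample alerts (hypothetical hosts and times, not real events).
SAMPLE_ALERTS = [
    _alert("C:\\Program Files\\Spotify\\Spotify.exe", "2010-02-01 10:02:11", "UKWS01"),
    _alert("C:\\Program Files\\Spotify\\Spotify.exe", "2010-02-01 10:03:40", "UKWS02"),
    _alert("C:\\Program Files\\Spotify\\Spotify.exe", "2010-02-01 10:04:05", "UKWS03"),
    # One host seeing the same file twice is not a cluster of distinct hosts.
    _alert("C:\\Documents and Settings\\jdoe\\My Documents\\Downloads\\install_flash_player.exe",
           "2010-02-01 09:35:13", "USWS07"),
    _alert("C:\\Documents and Settings\\jdoe\\My Documents\\Downloads\\install_flash_player.exe",
           "2010-02-01 09:36:02", "USWS07"),
]

# Field order follows the alert body: risk name, file path, event time, ..., computer.
FIELD_RE = re.compile(
    r"Risk name: (?P<risk>.*?) File path: (?P<path>.*?) "
    r"Event time: (?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) GMT"
    r".*?Computer: (?P<computer>\S+) IP Address:"
)


def parse_alert(text):
    """Return a dict of the fields we need, or None if the line is not an alert."""
    m = FIELD_RE.search(text)
    if not m:
        return None
    return {
        "risk": m["risk"],
        "path": m["path"],
        # Compare on the bare file name, lower-cased, since the directory varies per user.
        "file": m["path"].rsplit("\\", 1)[-1].lower(),
        "time": datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S"),
        "computer": m["computer"],
    }


def suspected_false_positives(events, min_hosts=3, window=timedelta(minutes=10)):
    """Map file name -> sorted hosts for files seen on >= min_hosts distinct hosts within window."""
    by_file = defaultdict(list)
    for e in events:
        if e is not None:
            by_file[e["file"]].append(e)

    flagged = {}
    for fname, evs in by_file.items():
        evs.sort(key=lambda e: e["time"])
        # Slide a window starting at each event and count distinct computers inside it.
        for start in evs:
            end = start["time"] + window
            hosts = {e["computer"] for e in evs if start["time"] <= e["time"] <= end}
            if len(hosts) >= min_hosts:
                flagged[fname] = sorted(hosts)
                break
    return flagged


def analyse(alert_texts, **kwargs):
    """Parse raw alert bodies and return the suspected false-positive clusters."""
    return suspected_false_positives([parse_alert(t) for t in alert_texts], **kwargs)


if __name__ == "__main__":
    for fname, hosts in analyse(SAMPLE_ALERTS).items():
        print(f"possible false positive: {fname} quarantined on {len(hosts)} hosts: {', '.join(hosts)}")
```

A cluster flagged this way is a prompt to pull the file from quarantine on one host, check its hash and signer against the vendor's published installer, and open the ticket with the AV vendor; it is not proof either way, since a genuine worm also lands on many hosts at once.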