Hi all,
I do admin for a lot of SEP 14 and SEPC environments. A common problem I see more times than not is an Auto-Protect or scheduled scan detection of an infected file that is already on the system, but just appears to be a file and not a running process. This is a no-brainer generally if you find it in Downloads or found as an email attachment, but what I struggle with at times is when you find it in the appdata/local/ path.
Appdata is a bit of a mystery sometimes. I know that apps will store things there, so for example if a web browser adds a component, it will have pieces there. But take this recent detection as an example, the detection info is (with some items removed):
- Source: Auto-Protect
- Threat Name: W97M.Downloader
- Source Version: 1.8.0.244
- Threat Type: Malware
- File Name: 6d7c9b52.doc
- Security Client: SEP Cloud
- File Location: c:\users\username\appdata\local\packages\oice_16_974fa576_32c1d314_3564\ac\temp\
- Security Client Version: 22.16.2.22
- Status: Blocked
- Resource Type: File
- First Seen: 12/20/2018 02:37 am
- Resource Name: W97M.Downloader
- Persistence: Fixed
- Rule Name: Not Available
- Security Definition Version: 2018.12.19.022
- Rule Description: Not Available
- File MD5 Checksum: D8F5EA3EF5EA1D88ECFE60F6E1F6FE47
- File SHA2 Checksum: D9442F97B93E30EDA70D26F1E8664BD6AB12360D9DAAEC64EB975356CB4F3371
So do I interpret this to mean that people with naughty intent have breached the computer, or is this normal to have malware detected in a place on the file system that the user clearly doesn't manually save a file to? I guess it comes down to understanding how Microsoft Windows utilizes the appdata folder - I admit I haven't researched this much. If I saw this malware in say, System32, I'd be very concerned. But appdata? Also any advice on how to cross-reference uniqueness IDs in this output with say, registry keys or something is appreciated. Like a package named "oice.....". Needless to say Google found nothing on that full name.
Thanks all.
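One way to work the cross-referencing question in the post, as an added example that is not from the original post or from Symantec: a PowerShell helper (the function name `Resolve-AppContainerPath` is hypothetical) that pulls the package name out of the SEP file location, looks it up in the per-user AppContainer Mappings registry key that Windows maintains for sandboxed apps, and checks whether the flagged file is still on disk with the SHA-256 the detection recorded. The `oice_16_*` folders under `Packages` are the AppContainer that Office 2016-era Protected View uses to stage documents opened from mail or the Internet, so a hit in `AC\Temp` there usually reflects a document that was opened, not a file someone placed deliberately.

```powershell
# Added triage helper, not part of the original post. Resolves a SEP "File Location"
# that sits under %LOCALAPPDATA%\Packages\<package>\... to its AppContainer mapping.
# Windows records each per-user AppContainer under
#   HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\<SID>
# with a 'Moniker' value equal to the package folder name and a 'DisplayName' value.
function Resolve-AppContainerPath {
    param(
        [Parameter(Mandatory)] [string] $FileLocation,
        [string] $FileName,
        [string] $ExpectedSha256
    )
    $result = [ordered]@{
        Location = $FileLocation; PackageName = $null; ContainerSid = $null
        DisplayName = $null; IsOfficeProtectedView = $false
        FileStillPresent = $false; HashMatches = $null
    }
    # -match is case-insensitive, so the lowercase path SEP reports is fine.
    if ($FileLocation -match '\\AppData\\Local\\Packages\\([^\\]+)\\') {
        $pkg = $Matches[1]
        $result.PackageName = $pkg
        # oice_16_<hash>_<n> is the Office (Protected View) isolated container.
        $result.IsOfficeProtectedView = ($pkg -like 'oice_16_*')
        $mappings = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings'
        if (Test-Path $mappings) {
            foreach ($sidKey in Get-ChildItem $mappings) {
                $props = Get-ItemProperty $sidKey.PSPath
                if ($props.Moniker -eq $pkg) {
                    $result.ContainerSid = $sidKey.PSChildName   # S-1-15-2-... AppContainer SID
                    $result.DisplayName  = $props.DisplayName
                    break
                }
            }
        }
    }
    # Confirm whether the quarantined/blocked file is still there and still the same bytes.
    if ($FileName) {
        $full = Join-Path $FileLocation $FileName
        if (Test-Path $full) {
            $result.FileStillPresent = $true
            if ($ExpectedSha256) {
                $actual = (Get-FileHash -Algorithm SHA256 -Path $full).Hash
                $result.HashMatches = ($actual -eq $ExpectedSha256.ToUpper())
            }
        }
    }
    [pscustomobject]$result
}

# Values taken from the detection record above; run as the affected user, since HKCU and the path are per-user.
Resolve-AppContainerPath -FileLocation 'c:\users\username\appdata\local\packages\oice_16_974fa576_32c1d314_3564\ac\temp\' -FileName '6d7c9b52.doc' -ExpectedSha256 'D9442F97B93E30EDA70D26F1E8664BD6AB12360D9DAAEC64EB975356CB4F3371'
```

If the Mappings lookup returns a SID, pair it with the user's Outlook or browser history for the "First Seen" timestamp to see which message or download the document came from; a file that is no longer present is expected when SEP's status is Blocked.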