Endpoint Protection


HP Keylogger issue

  • 1.  HP Keylogger issue

    Posted 05-26-2017 05:21 AM

    Hi,

     

    Asking for input on whether SEP 12 includes a definition to quarantine the HP keylogger related file/malware?

     

    http://thehackernews.com/2017/05/hp-audio-driver-laptop-keylogger.html

     

    I was trying to contact Symantec local support, who were finger-pointing and asked me to ensure Windows Update is up to date. I'm not convinced; I don't agree that Symantec should rely on Microsoft to quarantine malware.

     

     



  • 2.  RE: HP Keylogger issue

    Posted 05-26-2017 02:21 PM

    Don't think so. We were affected by this and SEP didn't take action. SEP probably doesn't see it as malicious since it's HP and digitally signed. It's really on you to apply the patch to close the vulnerability off.



  • 3.  RE: HP Keylogger issue

    Posted 05-29-2017 04:52 AM

    Hi kwyap,

    Thanks for the post. We are aware of the reports and the matter is under investigation. 

    If the recent Wannacry crisis has one lesson, it is "ensure your patch levels are always up to date!"  That is a crucial security must-do for any computer owner, whatever products they use. 

    I will update this thread again in due course.



  • 4.  RE: HP Keylogger issue

    Posted 05-29-2017 11:56 AM

    Well said, Mick!!

    WannaCry has taught us one lesson: "Prevention is always better than cure"

     

    I would suggest you upgrade from SEP 12.1 to SEP 14 as it has better features.

    https://www.symantec.com/content/dam/symantec/docs/other-resources/endpoint-protection-14-vs-12-comparison-chart-en.pdf

    Secondly, ensure you have the full feature set installed on your machines.

    Regards,

     

     

     



  • 5.  RE: HP Keylogger issue

    Posted 05-30-2017 05:36 AM

    Thanks Mithun!

    I do agree that SEP 14 has security improvements over SEP 12.1.  It's a good move. :)



  • 6.  RE: HP Keylogger issue

    Posted 06-07-2017 05:02 AM

    Hi Symantec

    May I know, when the keylogger or any malware has been digitally signed by the manufacturer, will you then ignore it or assume it is not a threat to your customers?



  • 7.  RE: HP Keylogger issue

    Posted 06-07-2017 07:00 AM

    Hi kwyap,

    Thanks for the post.  The matter is still under investigation.   I will update this thread when it is complete.



  • 8.  RE: HP Keylogger issue

    Posted 06-14-2017 09:48 PM

    Hi Mick2009,

     

    I would like to hear whether there is any update from the investigation.



  • 9.  RE: HP Keylogger issue

    Posted 06-16-2017 11:54 AM

    Hi there,

    No findings to announce at this time. I am still monitoring the investigation.



  • 10.  RE: HP Keylogger issue

    Posted 08-16-2017 06:59 AM

    Hi kwyap and other followers of this thread,

    Many thanks for your patience.  After careful study, Symantec has added a Security Risk detection against the affected files.  This detection was introduced in Rapid Release sequence 186893 (version 08/16/2017 revision 3).  More details may be found in:

    HP/Conexant Audio Driver and detection (SecurityRisk.Mtray)
    http://www.symantec.com/docs/TECH247287
     
    Note that the detection is only for the versions of files which can be used as a keylogger.  Anyone who has applied the later drivers/updated to apply the patch will not experience a detection.


  • 11.  RE: HP Keylogger issue

    Posted 09-14-2017 05:57 AM

    After careful study, Symantec has added a Security Risk detection against the affected files.  This detection was introduced in Rapid Release sequence 186893 (version 08/16/2017 revision 3).

     

    And today Symantec has started detecting the recommended patched version as the malware version...



  • 12.  RE: HP Keylogger issue

    Posted 09-14-2017 07:01 AM

    We are also having this issue. We updated to the newest version to fix the vulnerability and, starting last night, we started getting hundreds of detections of this new version as a virus...



  • 13.  RE: HP Keylogger issue

    Posted 09-14-2017 07:01 AM

    Thanks, SU.  We're looking into it now.  I will update this thread shortly.

    If you are 100% confident that the file in question is safe, create a hash-based exception/exclusion for it in your environment:

     

    Exceptions, Illustrated: Part One

    https://www.symantec.com/connect/articles/exceptions-illustrated-part-one

     

    Exceptions, Illustrated: Part Two

    https://www.symantec.com/connect/articles/exceptions-illustrated-part-two



  • 14.  RE: HP Keylogger issue

    Posted 09-14-2017 08:19 AM

    A False Positive for the following up-to-date HP audio file has been confirmed.  Detection on it will be removed in a forthcoming sequence of Rapid Release definitions.

    “MicTray64.exe”
    MD5 156e3fd77114639445d2a95f1971483a
    SHA256 c90c9310c8b2cf0cbd0211a4ee369326c0d627b05a88e7f7b4baba09f85425ea

    Please create an "Allow Application" exception until RR defs correcting the FP are available.



  • 15.  RE: HP Keylogger issue

    Posted 09-14-2017 08:28 AM

    Please add me to the list of companies affected by this detection.  We have 39 detections this morning that weren't there yesterday.



  • 16.  RE: HP Keylogger issue

    Posted 09-14-2017 09:53 AM

    The company where I work is also affected by this detection, about 300 affected computers.

    We sent samples to Symantec and we were waiting for an answer.

    Source        Risk Name           File Path                                                               Actual Action
    Auto-Protect  SecurityRisk.Mtray  C:\Program Files\CONEXANT\Install\Audio\MicTray\MicTray\MicTray64.exe  Quarantined


  • 17.  RE: HP Keylogger issue

    Posted 09-14-2017 11:52 AM

    Detection is removed in Rapid Release Sequence 187381 (version 09/14/2017 revision 6), which is now available via FTP.  ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/sequence/187381/

    Please keep hash-based Exceptions in place in order to prevent WS.Reputation.1 detections on that file, in case SEP endpoints have old BAD values for that file in their IRON database.

    How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
    http://www.symantec.com/docs/TECH102607
     

     



  • 18.  RE: HP Keylogger issue

    Posted 09-14-2017 12:11 PM

    Do we have confirmation that this has been resolved in a RR or standard definition set yet?   Detections seem to have subsided in my environment,  after we had several hundred machines impacted throughout the early morning hours.



  • 19.  RE: HP Keylogger issue

    Posted 09-15-2017 04:43 AM

    Certified definitions available now also correct this issue. Look for any release "9/14/2017 rev. 9" or higher.



  • 20.  RE: HP Keylogger issue

    Posted 09-19-2017 04:48 PM

    I had the Mtray risk detected on over 150 machines within the last 24 hours.  I experienced the false-positive for this detection last week as well.  The 150 from last night have a different hash value than the one reported last week/above:

    "“MicTray64.exe”
    MD5 156e3fd77114639445d2a95f1971483a
    SHA256 c90c9310c8b2cf0cbd0211a4ee369326c0d627b05a88e7f7b4baba09f85425ea"

     

    Here's the Risk Information from one of my machines that detected it last night.  This machine had the latest definitions at the time of detection.  Trying to find out if this is a False/Positive as well.

     

    Risk Information

    Risk name:
    Privacy impact:
    Performance impact:
    Overall rating:
    Download site:
    Downloaded or created by:
    File or path:
    Application:
    Version:
    File size:
    Category set:
    Category type:
    SHA-256 Hash:
    SHA-1 Hash:
    MD5 Hash:
    Company:


  • 21.  RE: HP Keylogger issue

    Posted 09-20-2017 04:04 AM

    Hi All,

    My Company is also affected by this detection, the affected computers are about 120.

    Any news from Symantec? I will proceed to open a new case.

    Thanks.

    Kind Regards,

    Cristiano



  • 22.  RE: HP Keylogger issue

    Posted 09-20-2017 05:08 AM

    Hi Kenny,

    That is not a False Positive.  The hash in question dates back to before the fix was put in place by the vendor.



  • 23.  RE: HP Keylogger issue

    Posted 09-20-2017 05:10 AM

    Hi Cristiano,

    Do check the hash of the file which is being detected. If it is from a recent version of the tool, please do raise a case.  If the hash is one of the older, vulnerable/keylogging versions, then the detection is expected and legitimate.
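One way to do the hash check Mick describes in posts 14, 22 and 23, as an added example that is not from this thread or from Symantec. The two digests are the ones Symantec quoted for the confirmed false-positive MicTray64.exe; the default file path is the one from the detection row earlier in the thread, and the function names and verdict labels are this example's own assumptions.

```python
import hashlib
import os

# Hashes Symantec confirmed in this thread as the false-positive (patched) MicTray64.exe.
CONFIRMED_FP = {
    "md5": "156e3fd77114639445d2a95f1971483a",
    "sha256": "c90c9310c8b2cf0cbd0211a4ee369326c0d627b05a88e7f7b4baba09f85425ea",
}

# Path from the Auto-Protect detection row in this thread (assumption: same on your hosts).
MICTRAY_PATH = r"C:\Program Files\CONEXANT\Install\Audio\MicTray\MicTray\MicTray64.exe"


def file_hashes(path):
    """Return lowercase MD5 and SHA-256 hex digests of a file, read in 1 MiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def classify(hashes):
    """Map a detected file's hashes to a triage verdict (labels are this example's own).

    confirmed_false_positive: both digests match the patched build Symantec cleared;
                              an "Allow Application" hash exception is appropriate.
    partial_match:            only one digest matches, which a genuine file never
                              produces; treat as suspicious and submit the sample.
    unknown_version:          not the cleared build; either an older vulnerable
                              build (detection expected) or a newer one to raise a case for.
    """
    h = {k: str(v).lower() for k, v in hashes.items()}
    matches = sum(1 for k in CONFIRMED_FP if h.get(k) == CONFIRMED_FP[k])
    if matches == len(CONFIRMED_FP):
        return "confirmed_false_positive"
    if matches:
        return "partial_match"
    return "unknown_version"


def triage(path=MICTRAY_PATH):
    """Hash the file on disk and return (verdict, hashes); a missing file yields 'not_present'."""
    if not os.path.isfile(path):
        return "not_present", None
    hashes = file_hashes(path)
    return classify(hashes), hashes


if __name__ == "__main__":
    print(*triage())
```

Compare the verdict with the definition date: a confirmed false positive on definitions older than 09/14/2017 rev. 6 (Rapid Release) or rev. 9 (certified) is the FP this thread covers, while "unknown_version" on current definitions is the case Symantec asks you to raise.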



  • 24.  RE: HP Keylogger issue

    Posted 09-23-2017 02:25 PM

    Read this article so you will understand how to bind a file and how it works: Check Exe File is Binded or not