Endpoint Protection

Hi,

Asking for input whether the SEP 12 does include the definition to quarantine HP keylogger related file/malware?

http://thehackernews.com/2017/05/hp-audio-driver-laptop-keylogger.html

Was trying to contact with Symantec local support, which were finger pointing ask me to ensure the Windows update is up to date. I'm not convinced where i don't agree Symantec is relying for Microsoft to quarantine malware.

Don't think so. We were affected by this and SEP didn't take action. SEP probably doesn't see it as malicious since it's HP and digitally signed. It's really on you to apply the patch to close the vulnerabilyty off.

Hi kwyap,

Thanks for the post. We are aware of the reports and the matter is under investigation. 

If the recent Wannacry crisis has one lesson, it is "ensure your patch levels are always up to date!"  That is a crucial security must-do for any computer owner, whatever products they use. 

I will update this thread again in due course.

Well said, Mick!!

WannaCry has been taught us one less, "Prevention is always better than cure" 

I would suggest you upgrade the SEP 12.1 to SEP 14 as it has better features.

https://www.symantec.com/content/dam/symantec/docs/other-resources/endpoint-protection-14-vs-12-comparison-chart-en.pdf

Secondly, ensure you have full feature set installed on your machines.

Regards,

Thanks Mithun!

I do agree that SEP 14 has security improvements over SEP 12.1.  It's a good move. &: )

Hi Symantec

May I know, when the keylogger or any malware been digitally signed by the manufacturer, then you will ignore or assume it is not a threat to your customer?

Hi kwyap,

Thanks fo rthe post.  The matter is still under investigation.   I will update this thread when it is complete.

HI Mick2009,

Would like to hear is there any update from the investigation?

Hi there,

No findings to announce at this time. I am still monitoring the investigation.

Hi kwyap and other followers of this thread,

Many thanks for your patience.  After careful study, Symantec has added a Security Risk detection against the affected files.  This detection was introduced in Rapid Release sequence 186893 (version 08/16/2017 revision 3).  More details may be found in:

HP/Conexant Audio Driver and detection (SecurityRisk.Mtray)
http://www.symantec.com/docs/TECH247287

After careful study, Symantec has added a Security Risk detection against the affected files.  This detection was introduced in Rapid Release sequence 186893 (version 08/16/2017 revision 3)

And today Symantec has started detected the recomended patched version as the malware version....

We are also having this issue. We updated to the newest version to fix the vulnerability and starting last night, we started getting hundreds of detections of this new version as a virus........

Thanks, SU.  We're looking into it now.  I will update this thread shortly.

If you are 100% confident that the file in question is safe, create a hash-based exception/exclusion for it in your environment:

Exceptions, Illustrated: Part One

https://www.symantec.com/connect/articles/exceptions-illustrated-part-one

Exceptions, Illustrated: Part Two

https://www.symantec.com/connect/articles/exceptions-illustrated-part-two

A False Positive for the following up-to-date HP audio file has been confirmed.  Detection on it will be removed in a forthcoming sequence of Rapid Release definitions.

“MicTray64.exe”
MD5 156e3fd77114639445d2a95f1971483a
SHA256 c90c9310c8b2cf0cbd0211a4ee369326c0d627b05a88e7f7b4baba09f85425ea

Please create an "Allow Application" exception until RR defs correcting the FP are available.

Please add me to the list of companies affected by this detection.  We have 39 detections this morning that weren't there yesterday.

The company where I work is also affected by this detection, about 300 affected computers.

We sent samples to Symantec and we were waiting for an answer.

Detection is removed in Rapid Release Sequence 187381 (version 09/14/2017 revision 6), which are now available via FTP.  ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/sequence/187381/

Please keep hash-based Exceptions in place in order to prevent WS.Reputation.1 detections on that file, in case SEP endpoints have an old BAD values for that file in their IRON database. 

How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file
http://www.symantec.com/docs/TECH102607
 

Do we have confirmation that this has been resolved in a RR or standard definition set yet?   Detections seem to have subsided in my environment,  after we had several hundred machines impacted throughout the early morning hours.

Certified definitions available now also correct this issue. Look for any release "9/14/2017 rev. 9" or higher.

I had the Mtray risk detected on over 150 machines within the last 24 hours.  I experienced the false-positive for this detection last week as well.  The 150 from last night have a different hash value than the one reported last week/above:

"“MicTray64.exe”
MD5 156e3fd77114639445d2a95f1971483a
SHA256 c90c9310c8b2cf0cbd0211a4ee369326c0d627b05a88e7f7b4baba09f85425ea"

Here's the Risk Information from one of my machines that detected it last night.  This machine had the latest definitions at the time of detection.  Trying to find out if this is a False/Positive as well.

Risk Information

Hi All,

My Company is also affected by this detection, the affected computers are about 120.

Any news from Symantec? I will proceed to open a new case.

Thanks.

Kind Regards,

Cristiano

Hi Kenny,

That is not a False Positive.  The hash in question dates back to before the fix was put in place by the vendor.

Hi Cristiano,

Do check the hash of the file which is being detected. If it is from a recent version of the tool, please do raise a case.  If the hash is one of the older, vulnerable/keylogging versions, then the detection is expected and legitimate.

Read this article so you will be understadnd how to bind file and how its work Check Exe File is Bindded or not