Endpoint Protection

ℬrίαη, Aug 31, 2016 02:35 PM

  • 1.  W32.SillyFDC

    Posted Aug 31, 2016 02:32 PM

    Has anyone seen detections for W32.SillyFDC with definition set 8/31/2016 rev. 1 today? The detected file names are long alphanumeric names with no file extensions and the paths are either C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ or c:\users\*\appdata\locallow\sun\java\deployment\cache\6.0\46\

    A comment has been posted on virustotal.com that this is a false positive, but I haven't seen anything from Symantec about this. I know W32.SillyFDC is very old.



  • 2.  RE: W32.SillyFDC

    Posted Aug 31, 2016 02:35 PM

    Yep, have a couple here.



  • 3.  RE: W32.SillyFDC

    Posted Aug 31, 2016 02:47 PM

    Same here. About 15 machines. Same def revision. Everything that I have seen has been detected in just the CryptnetUrlCache folder.



  • 4.  RE: W32.SillyFDC

    Posted Aug 31, 2016 02:52 PM

    Any idea how important these files are? Since they are being deleted by Symantec I cannot restore them or submit as a false positive.



  • 5.  RE: W32.SillyFDC

    Posted Aug 31, 2016 02:56 PM

    Looks to be the directory for the Automatic Root Certificates Update. I would imagine these shouldn't be deleted :\

    The Automatic Root Certificates Update component downloads a cabinet (.cab) file to the temporary directory on the local computer, extracts the contents of the file, and then updates the root certificate list.

    Probably not critical but certainly not a good thing here.



  • 6.  RE: W32.SillyFDC

    Posted Aug 31, 2016 05:14 PM

    This "hopefully" FP is affecting us as well...so far none of the recent rapid release defs have improved the situation.

    I've attempted to test unchecking Auto-Protect notifications to lessen the load at the HelpDesk, but thus far machines affected still get a popup. :-(



  • 7.  RE: W32.SillyFDC

    Posted Aug 31, 2016 08:36 PM

    I just received this same alert on one of our Windows 8.1 systems. I'm sure this is a false positive as this computer is only accessible by an administrator (myself + 1 other) and we have not installed/loaded/browsed the web/done anything to this system in months. It had a clean Windows 8 install and runs 1 specific database application, and that's it. The chances of it receiving this particular infection while none of the other systems here have it are extremely small.



  • 8.  RE: W32.SillyFDC

    Posted Aug 31, 2016 10:00 PM

    Detected W32.SillyFDC this evening on my work laptop Windows 7 machine.

    Located in C:\users\xxxx\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\

    Filename: 62B5AF9BE9ADC1085C3C56EC07A82BF6




  • 9.  RE: W32.SillyFDC

    Posted Sep 01, 2016 01:02 AM

    We have the same issue with 58 machines; they are coming across with two different hashes:

    658E8DC2BA2D72555294BA9FB12830EB0CB5E5BD6287F31529C7A5BF335E0A7E

    F68FE4A8B6B08F7342526F32362F03D7435DFFB8A7A0F5C7128BAD6D45A57EB7




  • 10.  RE: W32.SillyFDC
    Best Answer

    Posted Sep 01, 2016 05:57 AM

    Hello all,

    Confirmed: there was a False Positive concerning this signature for a time yesterday. The FP has been resolved in Rapid Release sequence 180271 (8/31/2016 rev.16). Running LiveUpdate or applying a later set of RR defs will correct the matter.

    Just a reminder of the Best Practice and how to submit suspected False Positives, should you encounter any in the future....

    Best Practice when Symantec Endpoint Protection is Detecting a File that is Believed to be Safe
    http://www.symantec.com/docs/TECH98360

    Symantec Insider Tip: Successful Submissions!
    https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions


    With thanks and best regards,

    Mick
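    As an added example (not code from this thread, from Symantec or from SEP itself), here is the triage rule Mick's answer implies, applied to a constructed pipe-separated export of detection records (a hypothetical format, not SEP's own log layout). A record is treated as the known false positive only when it is W32.SillyFDC, sits in one of the two cache directories named in the first post as a 32-character, extension-less cache file, and was raised by an 8/31/2016 definition set earlier than rev.16; records in the right place but with other definitions are held for verification, and everything else is left for normal investigation. Hostnames, actions and most paths are made up; the cache filename and SHA-256 values are the ones posted above in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Facts from this thread: the signature, the definition set in which the false
# positive (FP) appeared (post 1) and the Rapid Release revision that fixed it
# (post 10: RR sequence 180271, 8/31/2016 rev.16).
FP_SIGNATURE = "W32.SillyFDC"
FP_DEF_DATE = date(2016, 8, 31)
FP_FIXED_REV = 16

# Directories the thread names as the locations of the FP hits.
FP_DIR_PATTERNS = (
    re.compile(r"\\appdata\\locallow\\microsoft\\cryptneturlcache\\content\\", re.I),
    re.compile(r"\\appdata\\locallow\\sun\\java\\deployment\\cache\\", re.I),
)
# Detected files were long alphanumeric names without an extension (post 1);
# the cache entry shown in post 8 is 32 hex characters.
CACHE_NAME = re.compile(r"^[0-9A-Fa-f]{32}$")
# SHA-256 values reported in post 9: corroborating evidence, not proof by itself.
THREAD_REPORTED_SHA256 = {
    "658E8DC2BA2D72555294BA9FB12830EB0CB5E5BD6287F31529C7A5BF335E0A7E",
    "F68FE4A8B6B08F7342526F32362F03D7435DFFB8A7A0F5C7128BAD6D45A57EB7",
}
DEF_VERSION = re.compile(r"(\d{1,2})/(\d{1,2})/(\d{4})\s*rev\.?\s*(\d+)", re.I)


@dataclass
class Detection:
    host: str
    signature: str
    path: str
    def_date: date
    def_rev: int
    action: str
    sha256: str


def parse_def_version(text):
    """Turn '8/31/2016 rev. 1' or '09/01/2016 Rev1' into (date, revision)."""
    m = DEF_VERSION.search(text)
    if not m:
        raise ValueError(f"unrecognised definition version: {text!r}")
    month, day, year, rev = (int(g) for g in m.groups())
    return date(year, month, day), rev


def parse_line(line):
    """Parse one record of the constructed pipe-separated export (hypothetical format)."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    host, signature, path, def_version, action, sha256 = fields
    def_date, def_rev = parse_def_version(def_version)
    return Detection(host, signature, path, def_date, def_rev, action, sha256.upper())


def def_set_was_affected(def_date, def_rev):
    """Only the 8/31/2016 sets before rev.16 carried the bad signature."""
    return def_date == FP_DEF_DATE and def_rev < FP_FIXED_REV


def classify(det):
    """Label a detection: known-fp, verify-defs, investigate or unrelated."""
    if det.signature != FP_SIGNATURE:
        return "unrelated"
    in_fp_dir = any(p.search(det.path) for p in FP_DIR_PATTERNS)
    cache_like = bool(CACHE_NAME.match(det.path.rsplit("\\", 1)[-1]))
    if in_fp_dir and cache_like and def_set_was_affected(det.def_date, det.def_rev):
        return "known-fp"
    if in_fp_dir and cache_like:
        # Right place and file shape, but the defs in the record are not the bad
        # set: confirm which definitions actually fired before dismissing it.
        return "verify-defs"
    return "investigate"


def triage(lines):
    """Classify every record and note whether its hash matches one reported in the thread."""
    rows = []
    for line in lines:
        if not line.strip():
            continue
        det = parse_line(line)
        rows.append({"host": det.host, "label": classify(det), "action": det.action,
                     "hash_reported": det.sha256 in THREAD_REPORTED_SHA256})
    return rows


def summarize(rows):
    """Counts per label, plus known-FP hosts split by whether the file was deleted or quarantined."""
    fp = [r for r in rows if r["label"] == "known-fp"]
    deleted = sorted(r["host"] for r in fp if r["action"].lower() == "cleaned by deletion")
    quarantined = sorted(r["host"] for r in fp if r["action"].lower() == "quarantined")
    return {"counts": dict(Counter(r["label"] for r in rows)),
            "fp_deleted_hosts": deleted, "fp_quarantined_hosts": quarantined}


# Constructed sample export: hostnames, actions and most paths are made up; the
# cache filename and the two SHA-256 values are the ones posted in this thread.
SAMPLE_EXPORT = r"""
WS-0101|W32.SillyFDC|C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6|8/31/2016 rev. 1|Cleaned by deletion|658E8DC2BA2D72555294BA9FB12830EB0CB5E5BD6287F31529C7A5BF335E0A7E
WS-0102|W32.SillyFDC|c:\users\jdoe\appdata\locallow\sun\java\deployment\cache\6.0\46\0123456789ABCDEF0123456789ABCDEF|8/31/2016 rev. 3|Quarantined|F68FE4A8B6B08F7342526F32362F03D7435DFFB8A7A0F5C7128BAD6D45A57EB7
WS-0103|W32.SillyFDC|C:\Users\jdoe\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FEDCBA9876543210FEDCBA9876543210|09/01/2016 Rev1|Quarantined|CONSTRUCTED-NOT-A-REAL-HASH
WS-0104|W32.SillyFDC|C:\Users\jdoe\Downloads\report.pdf.exe|8/31/2016 rev. 1|Quarantined|CONSTRUCTED-NOT-A-REAL-HASH
WS-0105|Trojan.Gen|C:\Users\jdoe\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FEDCBA9876543210FEDCBA9876543210|8/31/2016 rev. 1|Quarantined|CONSTRUCTED-NOT-A-REAL-HASH
"""

if __name__ == "__main__":
    rows = triage(SAMPLE_EXPORT.splitlines())
    for row in rows:
        print(row)
    print(summarize(rows))
```

    Run stand-alone it prints one row per record and a summary. The fp_deleted_hosts list is the set for which, as post 4 points out, there is nothing left in quarantine to restore; the quarantined hosts are the ones where the restore procedure for a false-positive detection applies once corrected definitions are in place.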



  • 11.  RE: W32.SillyFDC

    Posted Sep 01, 2016 10:33 AM

    Do client machines need to be rebooted after receiving the latest definitions? I have defs dated 09/01/2016 Rev1 and I'm still seeing this detection.

    If a machine detected, and quarantined, the W32.SillyFDC false positive, would it then remove the file from quarantine after the new (corrected) definitions arrived?

    Trying to understand the client logic better...

    Thanks,

    -Mike

    P.S. I submitted our sample yesterday am.



  • 12.  RE: W32.SillyFDC

    Posted Sep 01, 2016 10:49 AM

    Hi Mike,

    No reboot should be necessary.

    This may help:

    Restoring a false positive file detection from the Symantec Endpoint Protection quarantine
    http://www.symantec.com/docs/TECH150607



  • 13.  RE: W32.SillyFDC

    Posted Sep 01, 2016 01:58 PM

    In our case, these detections were "Cleaned by deletion". What was the file that was deleted (I suspect it is a certificate?) and how do we restore it, or what are the implications of this file being removed?



  • 14.  RE: W32.SillyFDC

    Posted Sep 01, 2016 04:26 PM

    Would this also have any impact on the IE browser homepage? Several Win 7 IE 11 workstation home pages were redirected to the "Internet Browser Protection" page specified in our SEP policy.