(Posted this once, but I don't know why the post never appeared. I am re-posting it now. If it eventually shows up twice, sorry for any confusion.)
We are using Symantec Endpoint Protection (SEP) 14.3 on a Windows server.
The risk file found is C:\Windows\Temp\XXXXX\XXXXX.dll
The string XXXXX seems randomly generated, and googling it returns 0 search results. I masked it because I am not sure if it's safe to post here, and not sure if it is in fact a meaningful string to the attacker (if it was an attack).
Symantec's alert does not contain much information: it only says the risk is a "Downloader", shows the file path and name (as above) and a SHA-256 hash value, and says it has already been "cleaned". That's all. With so little information, I cannot find anything more on the Internet.
I checked the Windows event log and found that the DLL file was used by a PowerShell script we wrote, when it calls a PowerShell built-in network function.
I don't get it. If SEP identified some digital fingerprint in the file (e.g. the hash value?) that belongs to a virus, why is there no virus name?
Or, judging by the risk name "Downloader", is it that SEP simply thinks it's abnormal for a DLL file with such a name in such a folder location to contain a function that downloads things, and hence considers it a risk?
Any advice?
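As an added example (editor's code, not the poster's, and not a Symantec tool), the script below does the local triage that the alert itself does not give you: it hashes the file with SHA-256 so you can confirm it is the same object the alert refers to, and it reads the Authenticode signature and version metadata so you can tell an unsigned, descriptionless binary apart from a signed component. The path and the alert hash are placeholders (the masked path from the question and a stand-in for the SHA-256 value SEP reported); substitute your own. If SEP has already quarantined the file the script reports it as absent rather than failing.

```powershell
# Added example (editor's, not the poster's): triage a DLL that an AV product
# flagged but did not name. The path and hash below are placeholders.
param(
    [string]$Path      = 'C:\Windows\Temp\XXXXX\XXXXX.dll',   # masked path from the alert
    [string]$AlertHash = '<SHA-256 value from the SEP alert>'  # placeholder, not a real hash
)

function Get-DllTriage {
    param([string]$Path, [string]$AlertHash)

    if (-not (Test-Path -LiteralPath $Path)) {
        # SEP reported the risk as "cleaned", so the file may already be quarantined.
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $item = Get-Item -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        SizeBytes       = $item.Length
        CreatedUtc      = $item.CreationTimeUtc
        LastWrittenUtc  = $item.LastWriteTimeUtc
        SHA256          = $hash
        MatchesAlert    = ($hash -ieq $AlertHash)       # same object the alert described?
        SignatureStatus = $sig.Status                   # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject
        ProductName     = $item.VersionInfo.ProductName
        FileDescription = $item.VersionInfo.FileDescription
        OriginalName    = $item.VersionInfo.OriginalFilename
    }
}

Get-DllTriage -Path $Path -AlertHash $AlertHash | Format-List
```

Run it from an elevated PowerShell prompt on the affected server before the file is removed. A hash that matches the alert plus a valid signature from a publisher you recognise points one way; no signature, no version metadata and a creation time that lines up with the script run in the event log points the other, and in either case the SHA-256 is the value to hand to Symantec support or to search in threat-intelligence sources.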