Endpoint Protection


Explorer.exe detected as P2P application

  • 1.  Explorer.exe detected as P2P application

    Posted Feb 09, 2016 05:43 AM

    Hello,

    I have been getting this Event Description: [SID: 20566] Audit: P2P BitTorrent Traffic attack blocked. Traffic has been blocked for this application: C:\WINDOWS\EXPLORER.EXE

    I have checked: there is no torrent-related application or add-in installed on the Windows 7 computer.

    Could you please suggest a solution for why it keeps triggering in the Outbound logs with this event?

    Thanks!

    Ayush



  • 2.  RE: Explorer.exe detected as P2P application

    Posted Feb 09, 2016 05:52 AM

    How many events are logged? Is it incoming or outgoing traffic? Does this machine have any P2P client installed?



  • 3.  RE: Explorer.exe detected as P2P application

    Posted Feb 09, 2016 05:58 AM

    Hi Praveen,

    There are 3 events generated. It is outgoing traffic. And this machine does not have any P2P client installed, and one has never been installed on it.



  • 4.  RE: Explorer.exe detected as P2P application

    Posted Feb 09, 2016 06:07 AM

    what is the local IP & Port No. and what is the Remote IP & Port No. ?



  • 5.  RE: Explorer.exe detected as P2P application

    Posted Feb 09, 2016 06:11 AM

    Local IP: 10.235.52.216    Port No: 25706

    Remote IP: 82.221.103.244    Port No: 6881



  • 6.  RE: Explorer.exe detected as P2P application

    Posted Feb 09, 2016 06:19 AM

    Google tells me that the remote IP address is malicious; maybe someone on the internet scanned your machine for something over port 6881 to exfiltrate information. To be sure that the machine is threat free, try to run a threat analysis scan with the SymHelp tool.

    Also try to block that malicious IP at the external firewall level.



  • 7.  RE: Explorer.exe detected as P2P application

    Posted Feb 09, 2016 07:43 AM

    That's because malware injected itself into explorer.exe. Your best bet is to run a third-party scanner if nothing from Symantec is removing it.
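    The thread's triage logic so far is: the IPS event names a process, a direction and a remote port, and the process being a Windows system binary rather than a torrent client is what points at injection. The script below is an added example (not from the thread and not Symantec's own tooling) that applies that reasoning over constructed log lines; the single-line field layout (direction=, local=, remote=) is an assumption made for the example and is not SEP's real export format, while the SID, message text and IP/port values come from the posts above.

```python
"""Triage 'Audit: P2P BitTorrent Traffic' events and flag system binaries.

Added example, not code from the thread or from Symantec. The record layout
is a constructed simplification; the field values are the ones quoted in
the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Windows binaries that have no business speaking BitTorrent on their own.
# An audit hit attributed to one of these points at code injection rather
# than at an installed torrent client.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "rundll32.exe",
                   "winlogon.exe", "lsass.exe"}

# Conventional BitTorrent client/DHT ports (6881-6889).
BITTORRENT_PORTS = set(range(6881, 6890))

# SID quoted in the first post for this audit signature.
P2P_AUDIT_SID = "20566"

EVENT_RE = re.compile(
    r"\[SID: (?P<sid>\d+)\] (?P<desc>[^.]+)\. "
    r"Traffic has been blocked for this application: (?P<app>\S+) "
    r"direction=(?P<direction>Outbound|Inbound) "
    r"local=(?P<lip>[\d.]+):(?P<lport>\d+) "
    r"remote=(?P<rip>[\d.]+):(?P<rport>\d+)"
)


@dataclass
class Finding:
    app: str      # basename of the process, lower-cased
    remote: str   # remote IP
    rport: int    # remote port
    reason: str   # why this event deserves a look


def parse_event(line):
    """Return the event fields as a dict, or None if the line is not an IPS event."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["lport"] = int(ev["lport"])
    ev["rport"] = int(ev["rport"])
    return ev


def triage(lines):
    """Keep only P2P audit events and explain what is suspicious about each."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["sid"] != P2P_AUDIT_SID:
            continue
        exe = ev["app"].rsplit("\\", 1)[-1].lower()
        reasons = []
        if exe in SYSTEM_BINARIES:
            reasons.append("system binary generating P2P traffic (possible injection)")
        if ev["direction"] == "Outbound" and ev["rport"] in BITTORRENT_PORTS:
            reasons.append("outbound to BitTorrent port")
        if reasons:
            findings.append(Finding(exe, ev["rip"], ev["rport"], "; ".join(reasons)))
    return findings


def remote_hosts_to_block(findings):
    """Remote IPs ranked by hit count, for the firewall-block step the thread suggests."""
    return Counter(f.remote for f in findings).most_common()


# Constructed sample log: two of the thread's explorer.exe events, a real
# torrent client, an inbound hit on explorer.exe, a different SID, and noise.
SAMPLE_LOG = [
    r"[SID: 20566] Audit: P2P BitTorrent Traffic attack blocked. Traffic has been blocked for this application: C:\WINDOWS\EXPLORER.EXE direction=Outbound local=10.235.52.216:25706 remote=82.221.103.244:6881",
    r"[SID: 20566] Audit: P2P BitTorrent Traffic attack blocked. Traffic has been blocked for this application: C:\Users\demo\AppData\Roaming\uTorrent\uTorrent.exe direction=Outbound local=10.235.52.216:41000 remote=198.51.100.7:6881",
    r"[SID: 20566] Audit: P2P BitTorrent Traffic attack blocked. Traffic has been blocked for this application: C:\WINDOWS\EXPLORER.EXE direction=Inbound local=10.235.52.216:25706 remote=203.0.113.9:51413",
    r"[SID: 20566] Audit: P2P BitTorrent Traffic attack blocked. Traffic has been blocked for this application: C:\WINDOWS\EXPLORER.EXE direction=Outbound local=10.235.52.216:25707 remote=82.221.103.244:6881",
    r"[SID: 20567] Audit: Some other signature. Traffic has been blocked for this application: C:\WINDOWS\EXPLORER.EXE direction=Outbound local=10.235.52.216:25708 remote=192.0.2.5:443",
    "2016-02-09 05:43:00 client checked in",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.app:<14} -> {f.remote}:{f.rport}  {f.reason}")
    print(remote_hosts_to_block(triage(SAMPLE_LOG)))
```

    The point of the two separate reasons is that a torrent client hitting port 6881 is policy noise, while explorer.exe hitting it (in either direction) is an endpoint to isolate and image, which is the conclusion the thread reaches.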



  • 8.  RE: Explorer.exe detected as P2P application

    Posted Mar 14, 2016 10:10 AM

    Hello,

    Thanks Brian and Praveen for your help!

    I did run the Threat Analysis Tool on this client, but did not find anything in the logs, and it still triggers in the Outbound logs with this event.

    And this malicious IP is already blocked at the firewall level.



  • 9.  RE: Explorer.exe detected as P2P application

    Posted Mar 14, 2016 10:11 AM

    Do they have a P2P client on the machine?



  • 10.  RE: Explorer.exe detected as P2P application

    Trusted Advisor
    Posted Mar 14, 2016 10:27 AM

    We had a client experiencing a similar issue to yours with the explorer.exe file. It happened when the client clicked on a 'Fake AntiVirus' scan result with the fake warning pop-up advert. When clicked on, the malware would download and install on the PC, injecting itself into Explorer.exe, which runs a background P2P that could be used for many purposes by a 3rd-party attacker (i.e. C&C for DoS attacks).

    Because we don't know what else is infected, we ended up with a fresh install of Windows 7 to play it safe and to protect their data.



  • 11.  RE: Explorer.exe detected as P2P application

    Posted Mar 14, 2016 10:33 AM

    No, nothing on the client. No P2P application or plugin found.



  • 12.  RE: Explorer.exe detected as P2P application

    Posted Mar 14, 2016 10:36 AM

    Something malicious injected itself in a critical Windows file. At this point, I wouldn't even mess around with it. It's quicker to nuke and start fresh.