I am getting multiple alerts that regsvr32.exe (CL.Downloader!gen62) has been detected and process-terminated is the actual action taken by SEP.
Hello dprax,
CL.Downloader!gen62 is a heuristic detection used to detect threats associated with the MSH.Downloader family.
Files that are detected as CL.Downloader!gen62 are considered malicious. If you have reason to believe that your files are incorrectly detected by Symantec products, you can submit them to Symantec Security Response for further analysis.
Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.
Removal Tool
Hello Mithun,
Thanks for the reply, but the thing is I have done the threat analysis (SymDiag) but haven't found anything, plus the file which is being detected by Symantec is regsvr32.exe.
I have submitted the file to VirusTotal for checking, but it shows as not malicious.
You should update to Symantec for false positive submission here https://submit.symantec.com/false_positive/.
In the meantime, exclude the file from detection, considering it's falsely detected.
Hi Dprax,
There's very likely something malicious on the computer which aims to abuse the legitimate regsvr32.exe to carry out its actions.
https://www.symantec.com/connect/blogs/attackers-are-increasingly-living-land
SEP is blocking that malicious activity.
This may be helpful:
What You Can Do About Powershell Threats https://www.symantec.com/connect/articles/what-you-can-do-about-powershell-threats
Please do keep this thread up-to-date with your progress!
I have submitted the file to Symantec, but they are saying they were unable to reproduce the issue.
Judging from past experience, there's absolutely nothing wrong with that legitimate MS executable. There's a threat on the machine which is abusing those legitimate processes.
If examining your PowerShell logs did not reveal the cause, I recommend running a SymDiag with threat analysis and then get in touch with Tech Support for assistance. They can examine the log and likely find the root of the problem.
Using Today's SymDiag to Combat Today's Threats https://www.symantec.com/connect/articles/using-todays-symhelp-combat-todays-threats
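To act on the advice above (the legitimate regsvr32.exe is being launched by something else on the machine), a defender needs to see who is starting it and with what arguments. The script below is an added example, not part of this thread and not a Symantec or SymDiag tool: it pulls regsvr32.exe launches out of Windows process-creation telemetry and flags the ones that do not look like a normal COM registration. It assumes an elevated PowerShell session on the affected host, Security event 4688 with command-line auditing turned on (Audit Process Creation plus the ProcessCreationIncludeCmdLine_Enabled policy) and/or Sysmon event 1; the heuristics at the end are this example's own and will need tuning for your environment.

```powershell
# Added example (not from the thread or Symantec): hunt regsvr32.exe launches in
# Security/4688 and Sysmon/1 events and flag ones that do not look like an installer
# registering a local COM library.
param(
    [int]$Hours = 24   # how far back to look
)

$since = (Get-Date).AddHours(-$Hours)

# Normalise a 4688 or Sysmon-1 record into one shape: image, parent, user, command line.
function Convert-ProcessEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($Event.Id -eq 4688) {
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Source  = 'Security/4688'
            Image   = $data['NewProcessName']
            Parent  = $data['ParentProcessName']
            User    = $data['SubjectUserName']
            CmdLine = $data['CommandLine']
        }
    } else {
        [pscustomobject]@{
            Time    = $Event.TimeCreated
            Source  = 'Sysmon/1'
            Image   = $data['Image']
            Parent  = $data['ParentImage']
            User    = $data['User']
            CmdLine = $data['CommandLine']
        }
    }
}

$filters = @(
    @{ LogName = 'Security'; Id = 4688; StartTime = $since },
    @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since }
)

# A missing log or an empty result is not an error for this hunt, so silence both.
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

$hits = @($events |
    ForEach-Object { Convert-ProcessEvent $_ } |
    Where-Object { $_.Image -like '*\regsvr32.exe' })

# Defender-side heuristics (assumptions of this example, not a Symantec signature):
# regsvr32 is normally handed a local .dll/.ocx by an installer. A remote resource on
# the command line, a non-library argument, or a document/script-host parent is unusual.
$docOrScriptHosts = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe',
                    'wscript.exe','cscript.exe','mshta.exe','powershell.exe'
$suspicious = @($hits | Where-Object {
    $cmd    = [string]$_.CmdLine
    $parent = if ($_.Parent) { [System.IO.Path]::GetFileName($_.Parent).ToLower() } else { '' }
    ($cmd -match '://') -or
    ($cmd -notmatch '\.(dll|ocx)(\b|")') -or
    ($parent -in $docOrScriptHosts)
})

$hits | Sort-Object Time | Format-Table Time, Source, User, Parent, CmdLine -AutoSize -Wrap
Write-Host "`n$($hits.Count) regsvr32 launches in the last $Hours h, $($suspicious.Count) worth a closer look:"
$suspicious | Sort-Object Time | Format-Table Time, Parent, CmdLine -AutoSize -Wrap
```

The parent process and the user in the flagged rows are what to follow up on: the parent tells you which program (or scheduled task, service or document) is driving regsvr32, which is the "root of the problem" the post refers to, and it is that artefact, not regsvr32.exe itself, that belongs in a SymDiag case or a sample submission.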
Thanks, Mick2009, for the reply.
I have already done the SymDiag analysis, but unfortunately nothing suspicious has been found.
Also, from the case I just got informed that they cannot do anything, as I have to monitor the system for any suspicious process or threat.
I have examined the diagnostics and passed on some feedback to the case owner. That information should be communicated to you soon.
If the legitimate PowerShell is being abused, having good logging in place is crucial to see what commands are being run. Please install the latest WMI and PowerShell onto those computers! Details and illustrations are in
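The logging the post asks for is PowerShell module logging and script block logging, both of which only exist once Windows Management Framework / PowerShell 5.x is installed. The script below is an added example, not from this thread or from Symantec: it sets the same registry values the Group Policy settings write, makes sure the operational log is on and sized sensibly, and then reads back the recorded script blocks so that "what commands are being run" can be answered from the event log. It assumes an elevated PowerShell 5.x session on the affected machine.

```powershell
# Added example (not from the thread or Symantec): enable PowerShell module and
# script block logging, then list recently logged script blocks.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module logging records pipeline execution details for the listed modules ('*' = all).
$module = Join-Path $base 'ModuleLogging'
New-Item -Path $module -Force | Out-Null
New-ItemProperty -Path $module -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
$names = Join-Path $module 'ModuleNames'
New-Item -Path $names -Force | Out-Null
New-ItemProperty -Path $names -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Script block logging records the code of every script block as it is compiled,
# after any obfuscation has been unwrapped, so it catches commands that were
# downloaded and run in memory without ever being written to disk.
$sbl = Join-Path $base 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
New-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null

# The events land in this log; make sure it is enabled and big enough to keep history.
$logName = 'Microsoft-Windows-PowerShell/Operational'
$log = Get-WinEvent -ListLog $logName
$log.IsEnabled = $true
$log.MaximumSizeInBytes = 256MB
$log.SaveChanges()

# Event 4104 = "Creating Scriptblock text". Long blocks are split across several
# 4104 events that share a ScriptBlockId, so keep that field for reassembly.
function Get-RecentScriptBlocks {
    param([int]$Hours = 24, [int]$Max = 50)
    $filter = @{ LogName = $logName; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $_.UserId
                BlockId     = $data['ScriptBlockId']
                Part        = "$($data['MessageNumber'])/$($data['MessageTotal'])"
                Path        = $data['Path']   # empty when the code ran interactively or in memory
                ScriptBlock = $data['ScriptBlockText']
            }
        }
}

Get-RecentScriptBlocks -Hours 24 | Format-List Time, User, BlockId, Part, Path, ScriptBlock
```

Rows with an empty Path are the interesting ones in a living-off-the-land case: they are script blocks that never existed as a file on disk, which is exactly what file-based scanning and a VirusTotal check of regsvr32.exe cannot see.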