Risk log – Field computer returning empty

I need a solution

Hello everyone,

Recently I migrated the entire environment from version 12.1 RU7 to version 14 MP1 without problems.

Daily I export the comprehensive risk report log from the last 24 hours to treat infections from the table Risk Distribution by Computer.
After exporting, I query in the field Monitors / Risk via hostname (or computer or IP address), but the search result is empty.

Searching without the fields (computer or IP address) filled in, it is possible to view the infection data.

Does anyone have this same problem?



TwoBee virus

I do not need a solution (just sharing information)


I found an article about a new threat. Link below.
The article describes the new virus TwoBee, also called Trojan-Banker.Win32.TwoBee.gen. The virus substitutes the requisites in payment orders in bank interaction programs (Bank-Client or “Банк-Клиент”).
Does Symantec Endpoint Protection protect against the TwoBee virus?



Definition 12.1

I need a solution

Hi Team, please suggest why we have virus definitions in two locations.

C:\ProgramData\Symantec\Symantec Endpoint Protection\12.1.7004.6500.105\Data\Definitions\VirusDefs

C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Definitions\VirusDefs



Ntuser.dat.log1 virus

I need a solution

Hello – I have a virus notification that says there is a Heur.AdvMLB virus located at: C:\Users\mnguyen4a\ntuser.dat.LOG1.

But when I go to that location the file is not there (I have hidden files marked to show). I did a search on the file and found that there are 2 files with the same name but located at different locations than indicated on the report. See screenshots A & B of the attachment. I cannot delete them because they say the files are in use.

I tried to do a scan on the PC and got an error in the command status window. The PC has a green dot in the SEPM but the Health state says Online/Alert.

Any idea on how to fix this? Should I just reimage the PC?





IP removal: more than a month

I need a solution


A month ago I added our IP for investigation, but it’s still under investigation.

Our web site works perfectly, no virus or spam now. (Last year we were hacked.)

We created an all-new web site and changed hosting. Now we are clean; we are not on any spam lists.

Please remove us from the blacklist and give us our reputation back, please.

IP Address:

Sometimes we get this error mail:



    host smtp.regnumhotels.com []

    SMTP error from remote mail server after initial connection:

    554 5.7.1 You are not allowed to connect.


thank you for your help



SPSS Statistics Subscription doesn’t open

Hello. I’ve downloaded SPSS Statistics Subscription for Windows 64-bit successfully (it started to count days in my trial period), but when I want to open it, it just doesn’t work: it shows a message to register, I enter my ID, and then the white registration window pops up with no error messages and nothing inside, and that’s it; I can’t proceed to actually open the SPSS work window. I’ve turned off antivirus (Avira) and it didn’t help, and also checked bit (as somebody advised). What can I do?




A new variant of this tool, previously reported in 2013 by TrendLabs, was submitted to VirusTotal from the Philippines on March 27th, 2017. Its original filename, 2017.exe, was prescient, since it has the ability to exploit CVE-2017-5638 and other earlier Apache Struts vulnerabilities.

File Details

File Name:  2017.exe
File Size:  107008 bytes
MD5:        3b405c30a7028e05742d0fbf0961e6b2
SHA1:       1d69338543544b31444d0173c08e706d57f148cb
PE Time:    0x58D24651 [Wed Mar 22 09:39:29 2017 UTC]
PEID Sig:   Microsoft Visual C# / Basic .NET
PEID Sig:   Microsoft Visual Studio .NET
PEID Sig:   .NET executable .NET executable compressor

Sections (3):

Name     Entropy   MD5
.text    5.29      85cb592ad6f0d2a47a2d873db6c587af
.rsrc    4.08      3b438fb713ec89f2430e8100a3a25e04
.reloc   0.1       efd52c048dfc4249799144c25a9a6239

Table 1 Tool Details

The application decompiles cleanly with a tool like ILSpy and contains no real surprises. When the C# app is executed it runs a GUI, presenting the user with a static header (vulnerability selection and execution portion) and footer (log output box). The middle section comprises four tabs, shown in Figure 1 below.


Figure 1 Tool Overview

The first tab provides an overview of the vulnerabilities it is configured to exploit, along with handy links to documentation for each one. To use the application, you enter the URL you’d like to target and then select the exploit in a dropdown box. Then you select an HTTP Method and hit the button underneath it. If successful, the information from the targeted application will show up in the log and replace the contents of this first window.


Figure 2 Query Vulnerable Server

The second tab includes a dropdown menu of canned commands to run on the target machine; both Windows and Linux shell commands are supported. Alternatively, you may select a batched cmd.txt from the same local directory to be run on the remote target.


Figure 3 Preconfigured Queries


Figure 4 Executed Command Output

This behavior is detectable via RSA NetWitness® Endpoint and Packets. The HTML.lua parser for Packets contains code that enables finding this behavior in either the GET or POST HTTP Methods.


Figure 5 IOC Metadata

When you see this alert, pivot into RSA NetWitness Endpoint and search Tracking Data to determine whether the Apache Tomcat process executed the requested command. If it did, the server is vulnerable and should be handled according to your incident response plan, as the actors likely ran additional commands. You can verify this by pressing Ctrl-F and searching within NetWitness Endpoint for ‘Tomcat’ to filter on those events; the “Create Process” event is where you’ll find the attacker’s command history.
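The pivot described above, as an added example that is not RSA NetWitness code: it models the “Create Process” filter over a constructed list of process-creation events and returns the commands the servlet container spawned on each host. The field names (parent, child, cmdline), the container image names and the sample records are assumptions made for this example.

```python
"""Hunt for commands executed under the servlet container.

Added example; not RSA NetWitness code. Event fields and sample records are
constructed for illustration.
"""
from dataclasses import dataclass

# Process names a web-facing Struts application normally runs under. Assumption:
# the container is Apache Tomcat, started either through the Windows service
# wrapper (tomcat*.exe) or directly as a JVM (java / java.exe).
CONTAINER_NAMES = ("java", "java.exe")
CONTAINER_PREFIXES = ("tomcat",)

# Interpreters a servlet container has no business spawning on its own.
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash", "dash"}


@dataclass(frozen=True)
class ProcessEvent:
    event: str      # event type, e.g. "Create Process"
    host: str
    parent: str     # image name of the process that spawned the child
    child: str      # image name of the new process
    cmdline: str    # command line of the new process


# Constructed sample feed: a normal service start, a shell spawned by Tomcat on
# Windows, an interactive admin shell, and two shells spawned by a JVM on Linux.
SAMPLE_EVENTS = [
    ProcessEvent("Create Process", "web01", "services.exe", "tomcat8.exe", "tomcat8.exe //RS//Tomcat8"),
    ProcessEvent("Create Process", "web01", "tomcat8.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("Create Process", "web01", "explorer.exe", "cmd.exe", "cmd.exe"),
    ProcessEvent("Create Process", "web02", "java", "sh", "/bin/sh -c id"),
    ProcessEvent("Create Process", "web02", "java", "sh", "/bin/sh -c 'uname -a'"),
    ProcessEvent("Open File", "web02", "java", "", ""),
]


def is_container(image: str) -> bool:
    """True if the image name looks like the servlet container process."""
    name = image.lower()
    return name in CONTAINER_NAMES or name.startswith(CONTAINER_PREFIXES)


def find_container_shells(events):
    """Return the Create Process events in which the container spawned a shell."""
    return [
        e for e in events
        if e.event == "Create Process"
        and is_container(e.parent)
        and e.child.lower() in SHELLS
    ]


def command_history(events, host):
    """The command history recovered from one host, in event order."""
    return [e.cmdline for e in find_container_shells(events) if e.host == host]


if __name__ == "__main__":
    for hit in find_container_shells(SAMPLE_EVENTS):
        print(f"{hit.host}: {hit.parent} -> {hit.child}: {hit.cmdline}")
```

The interactive cmd.exe under explorer.exe is deliberately left out of the hits: the signal is not the shell itself but the parent that spawned it.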


Figure 6 RSA NetWitness Endpoint Event

You may also follow up in Packets. The HTTP response will not be HTML; rather, it will be the raw output of the command that was run.
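The two packet-side signals above, as an added example that is not the HTML.lua parser or any other RSA code: a request-side check that applies to GET and POST alike, and a response-side check that a body declared as text/html is not actually HTML. The request indicator used here (an OGNL expression marker in the Content-Type header) is an assumption taken from the public description of CVE-2017-5638; the transactions are constructed and the marker value is a placeholder, not a working payload.

```python
"""Triage HTTP transactions for the two signals a Packets analyst looks for.

Added example; not RSA NetWitness code. Transactions are constructed.
"""
import re

# OGNL expressions open with "%{" or "${"; a legitimate Content-Type never does.
# Assumption: this is the request-side indicator for CVE-2017-5638.
OGNL_MARKER = re.compile(r"[%$]\{")
# Crude but serviceable: HTML begins with a doctype or a familiar tag.
HTML_START = re.compile(r"^\s*<(!doctype|html|head|body|div|p|span)", re.IGNORECASE)


def looks_like_html(body: str) -> bool:
    return bool(HTML_START.search(body))


def triage(tx: dict) -> list:
    """Return the reasons this transaction deserves a look (empty if clean)."""
    reasons = []
    req_ct = tx["request_headers"].get("Content-Type", "")
    if OGNL_MARKER.search(req_ct):
        reasons.append(f"{tx['method']} request: OGNL marker in Content-Type header")
    resp_ct = tx["response_headers"].get("Content-Type", "")
    if "text/html" in resp_ct.lower() and not looks_like_html(tx["response_body"]):
        reasons.append("response declared text/html but body is not HTML (raw command output?)")
    return reasons


def triage_all(transactions: list) -> dict:
    return {tx["id"]: triage(tx) for tx in transactions}


# Constructed samples: a normal page, a POST carrying the marker whose response is
# id(1) output, a GET whose response is a Windows directory listing, and a JSON API.
SAMPLE_TRANSACTIONS = [
    {"id": "t1", "method": "GET", "path": "/showcase/index.action",
     "request_headers": {},
     "response_headers": {"Content-Type": "text/html;charset=UTF-8"},
     "response_body": "<!DOCTYPE html><html><body>Welcome</body></html>"},
    {"id": "t2", "method": "POST", "path": "/showcase/upload.action",
     "request_headers": {"Content-Type": "%{#constructed_ognl_marker}"},   # placeholder, not a payload
     "response_headers": {"Content-Type": "text/html;charset=UTF-8"},
     "response_body": "uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)\n"},
    {"id": "t3", "method": "GET", "path": "/showcase/upload.action?id=1",
     "request_headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "response_headers": {"Content-Type": "text/html"},
     "response_body": " Volume in drive C has no label.\n Directory of C:\\tomcat\\webapps\n"},
    {"id": "t4", "method": "GET", "path": "/api/health",
     "request_headers": {},
     "response_headers": {"Content-Type": "application/json"},
     "response_body": "{\"status\":\"ok\"}"},
]


if __name__ == "__main__":
    for tx_id, reasons in triage_all(SAMPLE_TRANSACTIONS).items():
        print(tx_id, reasons or "clean")
```

t3 shows why the response check matters on its own: a request that carries no obvious marker can still return a directory listing where a page was expected.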


Figure 7 NetWitness Packets Command Execution

The third tab (Figure 8) is a webshell installer function. By default it is configured to install the JSP version of China Chopper with the default password ‘chopper’, which can then be controlled with a customized version of caidao.exe or Cknife. Alternatively, you can paste in your own JSP code and choose the webshell of your liking. This simple webshell is a good fit because the application errors on larger, fuller-featured webshells. Figure 9 displays the remote command execution and output. This is more of a half shell and won’t allow interactive applications such as PowerShell or Mimikatz to execute properly.


Figure 8 Webshell Installation


Figure 9 Simple Webshell Output

The final tab (Figure 10) allows you to add a list of URLs manually, or via a text file, in order to perform bulk scans. Anyone searching for vulnerable applications can use Google dorking to find and scrape vulnerable URLs and then bulk scan them using this tool.


Figure 10 Bulk Scanning Utility

This simple tool, an evolution of a previously released tool, keeps pace with recently released vulnerabilities. If you rely only on signature-based tools to detect and defend your network, you can easily fall prey to zero-day exploits such as CVE-2017-5638. With comprehensive network and endpoint forensics tools that deliver data in near real time, such as the RSA NetWitness Suite, defenders can proactively search for this behavior and find new techniques. RSA recommends proactive security: hunting versus fishing.

The post GET TO THE CHOPPAH appeared first on Speaking of Security – The RSA Blog.



Why Malware Installers Use TMP files and The Temp folder when infecting Windows


Ever wonder why so many TMP files are detected on an infected system? Even though they have different names, the files are exact copies of one another. Why?

The first thing a malware installer (first stage of infection) does when executed on a target system – be it a dropper or downloader – is to install a copy of the malware and its components into their corresponding location in the system. Some popular locations include:

  • C:\Windows
  • C:\Program Files
  • C:\Users\<Current_User>\AppData\Roaming\Microsoft

However, there are instances in which the installation of the malware becomes corrupted or incomplete due to the target system’s state at the time of infection. The target system may have a slow connection, causing a malware downloader to download the malware and its components incompletely. In the case of a malware dropper, a busy system may corrupt the files, causing the malware to function improperly. Another instance that may cause corruption is when the target system is shut down or rebooted by the user before the malware has installed completely. Most users, when they believe their system has a malware infection, react by shutting down: “Unplug it, now!!!” if it’s a server or desktop, or “Remove the battery, now!!!” if it’s a laptop and you have the capability to remove the battery (most modern laptops no longer allow battery removal). The idea is that immediately shutting down the system in the middle of an infection will thwart the attack.

Attackers are smart. They know this and have made it one of their use cases when creating new malware installer technologies that avoid any kind of corruption during installation. Their solution? Utilize TMP files and the Microsoft Windows Temp folder.

Utilizing TMP Files
The attacker’s main goal is to either fully install uncorrupted malware and its components or not install at all.

This is done with atomic writes. In the context of programming, atomic (as in atomic write) denotes something that cannot be split apart (of course, in physics, atoms can be split).

To better understand this, an example is in order. Below is a simple piece of code that writes something to a file.


This write operation is not atomic, because the file being created, Malware.EXE, can be located in more than one sector of the disk, and these sectors can belong to different NT File System (NTFS) clusters. Think disk fragmentation. Corruption occurs when one sector is written with the intended data while the other sector, or sectors, are not, possibly because of an interruption or machine shutdown. When the machine reboots, the failed write operation will not be recovered. This is true of most file systems, especially NTFS and the Windows 95 File Allocation Table (FAT), regardless of the operating system.

The solution is to apply an atomic write operation. Remember, the malware author’s goal is to install or write the malware in the intended location completely with no corruption, or no installation at all. In a file, metadata changes such as rename are atomic. So, instead of doing the file write on the intended location, the write is performed to a temporary file. After the write is done and verified as complete on disk the old file (temp file) is interchanged with the new file (the installed malware in the intended location).

To better understand this, let’s look at the sequence below, based on Microsoft’s MSDN blog (but rewritten to fit our malware example).

Write Process (on Malware.EXE)


Take note that in these steps, the location of each file was not added. It should be clear that the TMP and Alternate file are in the Temp folder with the new Malware.EXE ultimately in the intended location.

The steps above are the malware writer’s first attempt to solve corruption during installation. This is not perfect, as corruption can still happen during a process crash, machine shutdown, or reboot. This results in a bunch of malware TMP files in the Temp folder and corrupted malware installed. In a perfect scenario, the malware is installed and all the TMP files are deleted, together with the malware installer.

To solve for this, recovery-from-crash precautions may be added. Again, the sequence below is from Microsoft’s MSDN blog, rewritten to fit our malware example.

If the malware installer has the capability to run by making itself persistent, even after a failed installation, it can do the following steps as a recovery-from-crash precaution.

Recovery from a crash during write (on Malware.EXE)


Even with crash recovery capability, the above steps are still not perfect, especially if an endpoint solution happens to be running a scheduled scan on the system during the write operation. Endpoint solutions can access and open the files being used, even for a short period of time, causing failure in step 7 of the write operation or steps 1 and 3 of the recovery operation, even if the malware is new or undetected. These operations fail because the endpoint solution has an open handle to the file, much like the times you want to eject an external drive but cannot because a program is using a file located on that drive.

The fix for this is to use unique temporary file names.

Write Process (on Malware.EXE)


Recovery from a crash during write (on Malware.EXE)


These are the steps most malware installers use when installing malware. The result is fully installed malware with no corruption.

As with all software, there are always things that can go wrong, and you will know it because the target system ends up with a bunch of randomly named malicious TMP files that are exact copies of each other. Remember, most malware installers delete themselves and these TMP files after successful installation.
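The write-to-temp-then-rename pattern from the atomic write discussion above, together with the artefact this section describes, as one added example that is not the MSDN sequence or any installer’s code. It writes a uniquely named .tmp in the temp directory, flushes it to disk and renames it over the target; it then simulates the crash-before-rename case a few times and does what an analyst does afterwards: hashes the orphaned .tmp files to show they are exact copies of each other. Paths, file names and contents are constructed, and the temp directory is assumed to be on the same volume as the target, which is what makes the final rename a single metadata change.

```python
"""Atomic install through a TMP file, and the orphans a crash leaves behind.

Added example, not an installer's or Microsoft's code. All paths and contents
are constructed inside a throwaway directory.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def atomic_write(target: str, data: bytes, temp_dir: str, crash_before_rename: bool = False) -> str:
    """Write data to a uniquely named .tmp in temp_dir and rename it over target.

    Returns the temp path that was used. With crash_before_rename set, the
    function raises after the data is durable but before the rename, leaving
    the target untouched and the .tmp orphaned: the shutdown-mid-install case.
    Assumption: temp_dir and target are on the same volume, so os.replace()
    is an atomic rename rather than a copy.
    """
    fd, tmp_path = tempfile.mkstemp(prefix="inst", suffix=".tmp", dir=temp_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())        # data is on disk before the rename is attempted
    if crash_before_rename:
        raise RuntimeError("simulated shutdown before rename")
    os.replace(tmp_path, target)    # atomic: target is either the old file or the new one
    return tmp_path


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def duplicate_tmp_groups(temp_dir: str) -> dict:
    """Group .tmp files in temp_dir by content hash; keep only groups with more than one member."""
    groups = defaultdict(list)
    for name in sorted(os.listdir(temp_dir)):
        if name.lower().endswith(".tmp"):
            groups[sha256_file(os.path.join(temp_dir, name))].append(name)
    return {digest: names for digest, names in groups.items() if len(names) > 1}


def simulate(workdir: str, crashes: int = 3) -> dict:
    """Install version 1 cleanly, then fail a version 2 install `crashes` times before the rename."""
    temp_dir = os.path.join(workdir, "Temp")
    install_dir = os.path.join(workdir, "Program Files", "App")
    os.makedirs(temp_dir)
    os.makedirs(install_dir)
    target = os.path.join(install_dir, "installed.bin")

    atomic_write(target, b"version-1 payload", temp_dir)
    for _ in range(crashes):
        try:
            atomic_write(target, b"version-2 payload", temp_dir, crash_before_rename=True)
        except RuntimeError:
            pass                    # the installer died; nothing was cleaned up

    with open(target, "rb") as f:
        installed = f.read()
    return {
        "installed": installed,                       # still version 1, never a torn mix
        "orphans": sorted(os.listdir(temp_dir)),      # one randomly named .tmp per crash
        "duplicate_groups": duplicate_tmp_groups(temp_dir),
    }


def run_demo(crashes: int = 3) -> dict:
    """Run simulate() in a throwaway directory and return its report."""
    with tempfile.TemporaryDirectory() as workdir:
        return simulate(workdir, crashes)


if __name__ == "__main__":
    print(run_demo())
```

The report shows the two facts the post builds on: the installed file is always a complete old or new version, never a partially written one, and every interrupted attempt leaves one randomly named TMP file whose hash matches all the others.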

The use of TMP files for atomicity is an advantage attackers currently enjoy. They could have performed this operation in any folder of the system, but they choose the standard Windows Temp folder. Let’s explore why.

Utilizing the Windows Temp Folder
There are several advantages to using the Temp folder. In some systems, the Temp folder is located on a RAMDISK. This makes write operations and file manipulations significantly faster compared to the usual disk file system.

Another advantage is that Temp folders have Read-Write access for the current logged-in user, solving any file system permission errors when the malware installer attempts to install the malware in a target location without proper permission. The Temp folder is typically used as a staging point once the malware installer or the malware itself has escalated privileges.

The OS also offers an advantage of cleaning up incomplete writes of temporary files in the Temp folder so, in the case of malware installation failure, the OS takes care of removing any traces of the files, preventing any part of the malware or a corrupted version of its main executable from being collected by analysts and researchers.

There you have it, the reason malware installers utilize TMP files and the Windows Temp folder during malware infection.

The post Why Malware Installers Use TMP files and The Temp folder when infecting Windows appeared first on Speaking of Security – The RSA Blog.
