SEP SupportTool False Positive Detection as a Virus

I need a solution

Hello, I don’t know if this is the right place to post this, but our Symantec Endpoint Protection just flagged SEP_SupportTool.exe as potential malware and deleted the file. The SHA-256 hash of the file is A87D1A8EFCD1B8628861E949ED9E8774928E72482CEC74483F70400A8C8E94CC

I was wondering if anyone else was getting hit by these notifications, and also whether someone can verify that this file is from Symantec?


Updating fingerprint file through REST API

I need a solution

Hello everyone,

I have been using the RESTful API for managing file fingerprint lists on my SEP Manager, for system lockdown blacklisting. This is done by means of a Python script that accepts MD5 hashes via CSV and updates the related fingerprint list on the manager using the ‘update an existing blacklist’ API function. This API function appears to overwrite the particular fingerprint file entirely with the set of file hashes provided, whereas, ideally, I would want to ‘append’ the new list to the existing set of hashes within the same fingerprint file. I would like to know if this feature is available via the API or if it will be made available in the future. This would greatly help automation scripts to easily add and remove hashes from a fingerprint file.
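The usual workaround when an update call replaces the whole list is a read-modify-write: fetch the current fingerprint list, merge in the CSV hashes (and drop any you want removed), then send the full merged list back. The script below is an added example, not the poster's script and not Symantec code. The REST paths, the `Bearer` authorization header and the JSON field names (`name`, `hashType`, `data`) are assumptions written as placeholders; check them against your SEPM's API reference. The CSV sample is constructed.

```python
"""
Read-modify-write "append" for a SEPM file fingerprint list.
Added example; endpoint paths and JSON fields are ASSUMED placeholders.
"""
import csv
import io
import json
import re
import urllib.request

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")

# Constructed sample CSV: a header row, two valid MD5s, one bad row.
SAMPLE_CSV = """md5,comment
d41d8cd98f00b204e9800998ecf8427e,empty file
9E107D9D372BB6826BD81D3542A419D6,test string
not-a-hash,typo in export
"""


def load_hashes_from_csv(csv_text, column=0):
    """Extract well-formed MD5 hashes from CSV text; return (hashes, rejected_values)."""
    hashes, rejected = [], []
    for row in csv.reader(io.StringIO(csv_text)):
        if not row:
            continue
        value = row[column].strip()
        if MD5_RE.match(value):
            hashes.append(value.lower())   # normalise case so duplicates collapse
        else:
            rejected.append(value)         # header rows and garbage end up here
    return hashes, rejected


def merge_hashes(existing, additions, removals=()):
    """Return the full list to upload: (existing + additions) - removals, deduplicated."""
    current = {h.lower() for h in existing}
    adds = {h.lower() for h in additions}
    drops = {h.lower() for h in removals}
    return sorted((current | adds) - drops)


class SepmFingerprintClient:
    """Minimal HTTP client. Paths and body layout are ASSUMPTIONS, not the documented API."""

    def __init__(self, base_url, token, opener=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.opener = opener or urllib.request.build_opener()

    def _request(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method)
        req.add_header("Authorization", "Bearer " + self.token)   # ASSUMED auth scheme
        req.add_header("Content-Type", "application/json")
        with self.opener.open(req) as resp:
            payload = resp.read().decode()
            return json.loads(payload) if payload else None

    def get_list(self, list_id):
        # ASSUMED path
        return self._request("GET", f"/sepm/api/v1/policy-objects/fingerprints/{list_id}")

    def replace_list(self, list_id, name, hashes):
        # ASSUMED path and body; the call overwrites the whole list, as the post describes
        return self._request(
            "POST",
            f"/sepm/api/v1/policy-objects/fingerprints/{list_id}",
            {"name": name, "hashType": "MD5", "data": hashes},
        )


def append_to_list(client, list_id, csv_text, removals=()):
    """Fetch, merge, and write back. Returns (uploaded_list, rejected_csv_values)."""
    current = client.get_list(list_id) or {}
    existing = current.get("data", [])          # ASSUMED field holding the hash array
    additions, rejected = load_hashes_from_csv(csv_text)
    merged = merge_hashes(existing, additions, removals)
    client.replace_list(list_id, current.get("name", ""), merged)
    return merged, rejected


if __name__ == "__main__":
    print(load_hashes_from_csv(SAMPLE_CSV))
    print(merge_hashes(["AAAA" * 8], load_hashes_from_csv(SAMPLE_CSV)[0]))
```

Because the manager overwrites the list, two automation jobs running concurrently can still lose each other's additions; serialise the jobs or re-read the list immediately before writing.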


SEP 15 – file hash calculated incorrectly

I need a solution

Just started to test SEP 15, and installed it on my test machine using the default policy.

It identified a file, NTOSKRNL.EXE, with the following file hash:

5379732000000000000000000000000000000000000000000000000000000000

This hash is not correct, as using the PowerShell Get-FileHash command gives this instead:

C732B1DD3480285B6666641BC417A0C897884331229F47B055B79A9E42DF4282

Which is a known file on VT.  Any idea why Symantec’s hash calculation would be incorrect?  Or what I should do next?
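Both this post and the SEP_SupportTool.exe post above come down to the same two checks: compute the file's SHA-256 yourself and compare it with what the console shows, and treat the console's value with suspicion when it does not look like a digest at all (a genuine SHA-256 is never a handful of digits followed by a long run of zeros). The script below is an added example, not Symantec code; the three hash strings are copied from the posts, and the file it hashes in `demo()` is a constructed temporary file.

```python
"""
Independently verify a file's SHA-256 and sanity-check a hash value as reported
by a security console.  Added example, not part of the posts above.
"""
import hashlib
import os
import re
import tempfile

HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Values copied verbatim from the two posts above.
REPORTED_SUPPORTTOOL = "A87D1A8EFCD1B8628861E949ED9E8774928E72482CEC74483F70400A8C8E94CC"
REPORTED_NTOSKRNL_SEP = "5379732000000000000000000000000000000000000000000000000000000000"
REPORTED_NTOSKRNL_PS = "C732B1DD3480285B6666641BC417A0C897884331229F47B055B79A9E42DF4282"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalise(digest):
    """Consoles tend to show uppercase, tools lowercase; compare in one case."""
    return digest.strip().lower()


def hashes_match(computed, reported):
    return normalise(computed) == normalise(reported)


def check_reported_hash(reported):
    """Return the reasons a displayed SHA-256 value cannot be trusted as-is (empty if fine)."""
    value = normalise(reported)
    problems = []
    if not HEX64.match(value):
        problems.append("not 64 hex characters")
        return problems
    # The SEP 15 value in the post is a few nonzero digits followed by a run of
    # zeros; a real digest is statistically never shaped like that, so this
    # points at a display or truncation defect, not at the file itself.
    trailing_zeros = len(value) - len(value.rstrip("0"))
    if trailing_zeros >= 16:
        problems.append(f"ends with {trailing_zeros} zeros; looks truncated or zero-padded")
    if len(set(value)) <= 4:
        problems.append("too few distinct hex digits for a real digest")
    return problems


def verify_file(path, reported):
    """Compute the file's SHA-256 and compare it with the reported value."""
    computed = sha256_file(path)
    return {
        "computed": computed,
        "matches_reported": hashes_match(computed, reported),
        "reported_problems": check_reported_hash(reported),
    }


def demo():
    """Run verify_file against a constructed temp file whose contents are b'hello'."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"hello")
        # Uppercase on purpose, the way a console would display it.
        return verify_file(path, "2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
    print(check_reported_hash(REPORTED_NTOSKRNL_SEP))
    print(hashes_match(REPORTED_NTOSKRNL_SEP, REPORTED_NTOSKRNL_PS))
```

A matching independent hash tells you the file on disk is the one the console is talking about; it says nothing about who published it, so for a vendor binary also check its code signature and the vendor's published checksum.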


Avamar 7.5: PuTTY releases older than v0.63 fail to connect with “Server unexpectedly closed network connection” due to new MAC entries in the SSH server configuration file

Article Number: 504576 Article Version: 6 Article Type: Break Fix



Avamar Server, Avamar Server 7.5.0-183

In cryptography, a message authentication code (MAC), sometimes known as a tag, is a short piece of information used to authenticate a message—in other words, to confirm that the message came from the stated sender (its authenticity) and has not been changed. The MAC value protects both a message’s data integrity as well as its authenticity, by allowing verifiers (who also possess the secret key) to detect any changes to the message content.

The sshd_config for Avamar 7.5.x or later supports the following MACs:

grep MAC /etc/ssh/sshd_config

MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com,umac-128@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160
PermitEmptyPasswords no

After a fresh install, when attempting to log in to the Avamar grid using the third-party application PuTTY, the following error is seen:

[Screenshot: PuTTY error "Server unexpectedly closed network connection"]

/var/log/messages can show the following error when logged via a console such as lights out port (RMC for Gen4t, RMM for Gen4s, vSphere Console for AVEs etc):

Oct 30 12:27:19 testavamar sshd[6087]: fatal: no matching mac found: client hmac-sha1,hmac-sha1-96,hmac-md5 server hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com,umac-128@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160

PuTTY releases older than version 0.63 do not support these MACs.

Recent install of a 7.5.x system

MAC entries were added to the sshd config file (/etc/ssh/sshd_config) on the Avamar Server

Download a PuTTY version that is 0.63 or later and then ssh into the Avamar Server.

Note: As of September 28, 2017, the latest version of PuTTy is 0.70
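The sshd log line quoted above contains everything needed to explain the failure: the client's MAC offer (all MD5/SHA-1 based) and the server's offer (SHA-2, UMAC and RIPEMD-160 only) share no entry, so the server aborts the key exchange. The script below is an added example, not part of this article, that parses such "no matching mac found" lines, reads the MACs directive out of an sshd_config excerpt, and replays the client-preference negotiation rule so an operator can see which client offer would succeed. The log line and config excerpt are constructed from the ones quoted above.

```python
"""
Explain an OpenSSH "no matching mac found" failure by diffing the client and
server MAC offers, and check a client offer against an sshd_config MACs line.
Added example; inputs are constructed from the article's excerpts.
"""
import re

# Constructed from the article's /var/log/messages excerpt.
SAMPLE_LOG = (
    "Oct 30 12:27:19 testavamar sshd[6087]: fatal: no matching mac found: "
    "client hmac-sha1,hmac-sha1-96,hmac-md5 "
    "server hmac-sha2-512-etm@openssh.com,hmac-sha2-512,"
    "hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com,"
    "umac-128@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160"
)

# Constructed from the article's sshd_config excerpt.
SAMPLE_SSHD_CONFIG = """\
# comments and unrelated directives are skipped
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256-etm@openssh.com,hmac-sha2-256,umac-128-etm@openssh.com,umac-128@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-ripemd160
PermitEmptyPasswords no
"""

NO_MAC_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: fatal: no matching mac found: "
    r"client (?P<client>\S+) server (?P<server>\S+)"
)

# MACs built on MD5 or SHA-1; these are what PuTTY releases before 0.63 offer.
LEGACY_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}


def parse_no_matching_mac(line):
    """Return {'pid', 'client', 'server'} for a 'no matching mac found' line, else None."""
    m = NO_MAC_RE.search(line)
    if not m:
        return None
    return {
        "pid": int(m.group("pid")),
        "client": m.group("client").split(","),
        "server": m.group("server").split(","),
    }


def sshd_config_macs(config_text):
    """Return the MAC list from the first MACs directive in sshd_config text."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "macs":
            return [m.strip() for m in value.split(",") if m.strip()]
    return []


def negotiate(client_macs, server_macs):
    """SSH picks the first MAC in the client's preference order that the server also lists."""
    for mac in client_macs:
        if mac in server_macs:
            return mac
    return None


def explain(event):
    """Summarise the failure: chosen MAC (None on failure) and who offered legacy MACs."""
    return {
        "chosen": negotiate(event["client"], event["server"]),
        "client_legacy_only": all(m in LEGACY_MACS for m in event["client"]),
        "server_offers_legacy": any(m in LEGACY_MACS for m in event["server"]),
    }


if __name__ == "__main__":
    ev = parse_no_matching_mac(SAMPLE_LOG)
    print(explain(ev))
    print(negotiate(ev["client"], sshd_config_macs(SAMPLE_SSHD_CONFIG)))
```

Run over a day's worth of /var/log/messages, `parse_no_matching_mac` also gives a quick inventory of which clients are still offering only legacy MACs, which is the population that needs the PuTTY upgrade rather than a relaxed server configuration.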


Create Rules Based on Custom Hash List

I need a solution

hi everyone,

I’ve been at it all day and still can’t find a solution.

I’m working with SA 7.3.4.

I configured a custom hash list via this guide -> https://origin-symwisedownload.symantec.com/resour…

Now, after I send a test file that I have entered in this list, I can see in the reputation that the custom hash list has VERDICT=10

I have tried to create a rule (with syslog and mail alerts) that will catch all these “black” files.

hope you guys can help 🙂


Re: Delete large bucket

You can get the bucket-wipe tool here:

WARNING: This will erase the bucket and all of its data! Please make absolutely sure this is what you want.

http://130753149435015067.public.ecstestdrive.com/share/bucket-wipe-1.9.jar

usage: java -jar bucket-wipe.jar [options] <bucket-name>

  -a,--access-key        the S3 access key
  -e,--endpoint          the endpoint to connect to, including protocol, host, and port
  -h,--help              displays this help text
  -hier,--hierarchical   Enumerate the bucket hierarchically. This is recommended for ECS's filesystem-enabled buckets.
  --keep-bucket          do not delete the bucket when done
  -l,--key-list          instead of listing bucket, delete objects matched in source file key list
  --no-smart-client      disables the ECS smart-client. use this option with an external load balancer
  -p,--prefix            deletes only objects under the specified prefix
  -s,--secret-key        the secret key
  --stacktrace           displays full stack trace of errors
  -t,--threads           number of threads to use
  --vhost                enables DNS buckets and turns off load balancer


Sonar Detection Reports

I need a solution

Hi,

I would like to know how the report from SONAR detection in the SEPM console works, because Reports/Risk/SONAR Detection Results for the past month only shows:

Indicator                      Number   Percentage
Permitted Applications         0        0.0%
Confirmed Risks                0        0.0%
Detected Risks Not Confirmed   3        100%

Application Name                        Application Version   Hash Type   Application Hash                                                   Computer          Company Name
Sistema operativo Microsoft® Windows®   10.0.14409.1005       SHA-256     70ba57fb0bf2f34b86426d21559f5f6d05c1268193904de8e959d7b06ce964ce   099W6671-VMWIN7   Microsoft Corporation
Sistema operativo Microsoft® Windows®   6.1.7600.16385        SHA-256     6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7   099W6671-VMWIN7   Microsoft Corporation
Sistema operativo Microsoft® Windows®   6.1.7601.17514        SHA-256     17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae   099W6671-VMWIN7   Microsoft Corporation

And the Risk Distribution by Protection Technology for the last month shows:

SONAR Detection          117

  SONAR Detection        117   1.9
  SONAR.MSOffice!g26      95   1.5
  SONAR.Powershell!g25    12   0.2
  SONAR.PsEmpire!gen8     10   0.2