SCSP Agent reports many "Watched File Modified"/"Watched File Deleted" alerts whereas these files are still present/untouched on the machine

Article ID: 156157

Products

Critical System Protection

Issue/Introduction

SCSP Agent reports many "Watched File Modified"/"Watched File Deleted" alerts, although these files are still present and untouched on the machine.

These events always appear at the same time of day, while the Symantec Endpoint Protection (SEP) client is running a Full system scan. Only files with the read-only attribute seem to be affected.

SISIDSEvents.csv shows rtvscan.exe (SEP) is causing these changes:

2012-03-05 16:56:17.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\cdfhelper.dll,M
2012-03-05 16:56:37.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\drivers\vmci.sys,M
2012-03-05 16:56:37.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\drivers\vmmouse.sys,M
2012-03-05 16:56:37.000,MonitoredFile_Modification,Critical_File_Modified,C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe,R,c:\windows\system32\drivers\vmx_svga.sys,M

Cause

A known defect in SEP MR4 causes the USN of read-only files to be modified during a scan:

Scanning a Read-Only file changed the file's Update Sequence Number (USN) in Windows Change Journal
Fix ID: 1870333
Symptom: Backup software which relies on USN might believe the Read-Only file had been modified by the scan, and an unnecessary backup of the unchanged file could be initiated
Solution: The fix prevents USN updates by modifying the Read-Only attribute code to only run when threats are detected in a container and modifications to repair or delete are requested

This is fixed in RU6 (source: Release Notes - http://www.symantec.com/docs/TECH103087).

The SCSP Agent detects this type of change (a USN update in the Change Journal, not a change to the file's content) and therefore reports misleading information to the SCSP Server.
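As an added example (not code from the article or from Symantec), the following Python triage script separates a USN-only metadata change from a real content change: it re-hashes each file named in SISIDSEvents.csv rows against a known-good baseline and attributes content-unchanged alerts raised by Rtvscan.exe to the scan. The column meaning is assumed from the sample rows above, and all paths, file contents and hashes are constructed for the demo.

```python
import csv
import hashlib
import io
import os
import tempfile

SCANNER = "rtvscan.exe"  # the SEP scan process named in the CSV rows above

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(csv_text, baseline):
    """Classify SISIDSEvents.csv rows (columns assumed from the sample: timestamp, event
    class, event type, actor process, flag, target path, action) against a sha256 baseline."""
    verdicts = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 7:
            continue  # skip blank or malformed lines
        ts, _cls, _etype, actor, _flag, target, _action = row[:7]
        actor_name = os.path.basename(actor.replace("\\", "/")).lower()
        if not os.path.exists(target):
            verdict = "deleted-confirmed"  # the file really is gone
        elif baseline.get(target) == sha256_of(target):
            # Content identical to baseline: only metadata such as the USN moved.
            verdict = "usn-only-scan-artifact" if actor_name == SCANNER else "usn-only-other-actor"
        else:
            verdict = "content-changed-investigate"
        verdicts.append((ts, target, verdict))
    return verdicts

def demo():
    """Constructed scenario: one file only scanned, one really edited, one really deleted."""
    d = tempfile.mkdtemp()
    scanned, edited, gone = (os.path.join(d, n) for n in ("cdfhelper.dll", "vmci.sys", "vmmouse.sys"))
    for p in (scanned, edited):
        with open(p, "wb") as f:
            f.write(b"original bytes")
    baseline = {scanned: sha256_of(scanned), edited: sha256_of(edited)}
    with open(edited, "wb") as f:
        f.write(b"tampered bytes")  # a genuine content change
    scanner = r"C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe"
    rows = "\n".join(
        f"2012-03-05 16:56:17.000,MonitoredFile_Modification,Critical_File_Modified,{scanner},R,{p},M"
        for p in (scanned, edited, gone)
    )
    return [v for _, _, v in triage(rows, baseline)]
```

Only alerts whose content hash still matches the baseline and whose actor is the scanner are safe to suppress; a content change or a missing file still needs a human look.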

Resolution

Upgrade SEP client to 11.0 RU6 or newer.

Applies To

SCSP 5.2.8 Agent and SEP MR4 client on Windows OS.