A Forensic Investigation Uncovered Strange Strings in Memory Dumps


Article ID: 163950



Endpoint Protection


While analyzing memory dumps from a Windows or Linux system on which Symantec Endpoint Protection (SEP) is installed, for example with Volatility (an open-source, advanced memory forensics framework), you come across strange strings such as hxxp://, as well as references to viagra and BDSM.


Symantec Endpoint Protection 12.1 or higher
Symantec Endpoint Protection for Linux 12.1 RU5 or higher


These were confirmed to be strings from the virus definitions loaded into SEP process memory.
To confirm the findings, the command “strings2.exe -pid <ccSvcHst.exe process_id> > process_strings.txt” was run on a Linux system with Symantec Endpoint Protection for Linux installed, and the resulting text file was analyzed.

On a Windows system, the strings in the “C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\<version>\Bin\ccSvcHst.exe” executable were dumped and confirmed to include the same strings and patterns.
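The cross-check described above, as an added Python example (not Symantec tooling or code from this article): extract printable strings from a process memory dump, keep those matching the odd markers, and split them into strings also present in a reference copy of the on-disk binary (explained by loaded engine or definition content) and strings that are not. The byte blobs, marker list and string values are constructed stand-ins, not real definition data.

```python
"""Triage odd strings in a process memory dump by cross-referencing them
against strings in the corresponding on-disk binary (added example)."""
from __future__ import annotations
import re
from typing import Iterable

# Printable ASCII runs of at least MIN_LEN chars, like the `strings` tool reports.
MIN_LEN = 6
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE runs (ASCII char followed by NUL), common in Windows process memory.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

def extract_strings(data: bytes) -> set[str]:
    """Return the ASCII and UTF-16LE printable strings found in a byte blob."""
    found = {m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(data)}
    return found

def suspicious(strings: Iterable[str], markers: Iterable[str]) -> set[str]:
    """Keep only strings containing one of the markers (case-insensitive)."""
    lowered = [m.lower() for m in markers]
    return {s for s in strings if any(m in s.lower() for m in lowered)}

def triage(dump: bytes, reference: bytes, markers: Iterable[str]) -> dict[str, set[str]]:
    """Split suspicious strings from `dump` into those also present in
    `reference` (explained by content the binary legitimately carries) and
    those absent from it (worth a closer look)."""
    hits = suspicious(extract_strings(dump), markers)
    known = extract_strings(reference)
    return {"explained": hits & known, "unexplained": hits - known}

# Constructed sample data (not real definition content): a fake on-disk
# binary and a fake memory region that share some strings but not all.
MARKERS = ["hxxp://", "viagra", "bdsm"]
REFERENCE_BIN = (b"\x00MZ\x90\x00" + b"hxxp://example.invalid/sig\x00\x00"
                 + "viagra-pattern-01".encode("utf-16-le") + b"\x00\x00")
MEMORY_DUMP = (b"\xcc\xcc" + b"hxxp://example.invalid/sig\x00\x00"
               + "viagra-pattern-01".encode("utf-16-le")
               + b"\x00bdsm-not-in-binary\x00" + b"ordinary text here\x00")

if __name__ == "__main__":
    for bucket, items in triage(MEMORY_DUMP, REFERENCE_BIN, MARKERS).items():
        print(bucket, sorted(items))
```

Against real data, read the Volatility process dump and the on-disk ccSvcHst.exe (or the loaded definition files) as bytes in place of the constructed blobs; strings that land in the "explained" bucket need no further attention.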