
A Forensic Investigation Uncovered Strange Strings in Memory Dumps


Article ID: 163950


Updated On:

Products

Endpoint Protection

Issue/Introduction

While analyzing memory dumps from a Windows or Linux system on which Symantec Endpoint Protection is installed, for example with Volatility (an open-source advanced memory forensics framework), you come across strange strings, such as hxxp://gay.porn.com, as well as references to viagra and BDSM.

Environment

Symantec Endpoint Protection 12.1 or higher
Symantec Endpoint Protection for Linux 12.1 RU5 or higher

Resolution

These were confirmed to be strings from the virus definitions loaded into the SEP process memory.

To confirm the findings, the command "strings2.exe -pid <ccSvcHst.exe process_id> > process_strings.txt" was run on a Linux system with Symantec Endpoint Protection for Linux installed, and the resulting text file was analyzed.

On a Windows system, the strings from “C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\<version>\Bin\ccSvcHst.exe” executable were dumped and confirmed to contain the same strings and patterns.
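A cross-check of the kind described above, as an added Python example that is not from the article or from Symantec: it pulls ASCII and UTF-16LE strings (the two encodings a strings-style tool reports) out of a constructed process dump and reports which candidate source files, such as a definition set or the scanner binary, also contain each string, so that only strings no legitimate source explains are left for closer review. The file names and sample bytes are constructed for the example.

```python
import re
from typing import Dict, List, Set

MIN_LEN = 6
# Printable ASCII runs, and UTF-16LE runs (printable byte followed by NUL),
# the two encodings a "strings"-style tool normally reports.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(blob: bytes) -> Set[str]:
    """Return the printable ASCII and UTF-16LE strings found in a byte blob."""
    ascii_hits = {m.group().decode("ascii") for m in ASCII_RE.finditer(blob)}
    utf16_hits = {m.group().decode("utf-16-le") for m in UTF16_RE.finditer(blob)}
    return ascii_hits | utf16_hits


def attribute(suspects: List[str], sources: Dict[str, bytes]) -> Dict[str, List[str]]:
    """For each suspicious string, list the source files (definition sets, scanner
    binaries) whose own strings contain it. An empty list means it is unexplained."""
    per_source = {name: extract_strings(data) for name, data in sources.items()}
    return {
        s: sorted(name for name, strs in per_source.items() if any(s in t for t in strs))
        for s in suspects
    }


# Constructed sample data standing in for a process dump and two candidate sources.
PROCESS_DUMP = (
    b"\x00\x00" + "hxxp://gay.porn.com".encode("utf-16-le") + b"\x00\x00"
    + b"\x90\x90viagra-spam-sig\x00" + b"C:\\Temp\\dropper.exe\x00"
)
SOURCES = {
    "definitions.dat": b"SIG\x01hxxp://gay.porn.com\x00\x00"
    + "viagra-spam-sig".encode("utf-16-le"),
    "unrelated.dll": b"MZ\x90\x00This program cannot be run in DOS mode\x00",
}


def triage() -> Dict[str, List[str]]:
    """Extract strings from the dump and attribute each one to its candidate sources."""
    suspects = sorted(extract_strings(PROCESS_DUMP))
    return attribute(suspects, SOURCES)


if __name__ == "__main__":
    for s, origins in triage().items():
        print(f"{s!r:32} -> {origins or 'UNEXPLAINED, review further'}")
```

On a real case, replace PROCESS_DUMP with the process memory region and SOURCES with the definition files and binaries loaded by that process.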

Attachments