Risk log does not show complete path when detection is in a container (.cab) file


Article ID: 282063


Products

Endpoint Protection, Endpoint Security, Endpoint Security Complete

Issue/Introduction

In the risk logs, whenever a container file (e.g. a .cab archive) is scanned, the entry does not give the full path of the detected file; it shows only ">>" instead, as in the scan log excerpt below.

Scan Logs:

01:21:43.900260[_3372][_2956]|Resumable scan enumerating inside container file: \\?\C:\Users\Administrator\AppData\Local\Temp\aada2b4b-99pl-852u-89e7-2a4206a4f95d\bff9f452-5f3g-7845-85f6-76cb076f4be6\dcsagent.cab
01:21:44.708474[_3372][_2956]|Resumable scan enumerating inside container child: IPS\tools\sdcss_agent_mgmt.bat
01:21:44.712458[_3372][_2956]|Resumable scan enumerating inside container child: IPS\tools\GetAgentInfo.bat
01:21:44.853822[_3372][_2956]|**** Multiple infections found: 1
01:21:44.854084[_3372][_2956]|CSavScanSink::OnMultipleInfectionsFound - Start processing infections.
01:21:44.854667[_3372][_2956]|No volatile HID ccSettings key. sr=0x80000100
01:21:44.855150[_3372][_2956]|No volatile HID ccSettings key. sr=0x80000100
01:21:44.855291[_3372][_2956]|Found virus 'Trojan.Gen.NPE.C' with VID 58644, HID level = 0.
01:21:44.855412[_3372][_2956]|Compressed file infection is not exonerated for container \\?\C:\Users\Administrator\AppData\Local\Temp\aada2b4b-99pl-852u-89e7-2a4206a4f95d\bff9f452-5f3g-7845-85f6-76cb076f4be6\dcsagent.cab
01:21:44.855553[_3372][_2956]|Container required post infection handling.
01:21:44.855673[_3372][_2956]|CSavScanSink::IsYaraDetection Unable to get Yara information from SDS KVC.
01:21:44.856036[_3372][_2956]|No volatile HID ccSettings key. sr=0x80000100
01:21:44.856740[_3372][_2956]|Component[0] = 'IPS\tools\GetAgentInfo.bat'
01:21:44.857504[_3372][_2956]|Token: copied for user(SYSTEM):session(0)
01:21:44.857645[_3372][_2956]|Token Manager: Getting token for user(SYSTEM):session(0):key(1686122866)
01:21:44.857766[_3372][_2956]|Token: closed for user(SYSTEM):session(0)
01:21:44.857867[_3372][_2956]|Final flags for threat 'Trojan.Gen.NPE.C' are: Cleanable='Yes' Deletable='Yes' Macro='No'.
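Until the fix is deployed, the container path and the child path still appear on separate lines of the scan log (the "enumerating inside container file:" line and the later "Component[n] = '...'" line), so an administrator can rebuild the full path from the scan log when the risk log shows only ">>". The following is an added example written for this article, not Symantec/Broadcom code. It assumes the line layout shown above, that the risk log joins container and child with ">>" (the separator in the dict is an assumption and easy to change), and it flags detections whose container line never appeared, which is the symptom the article describes.

```python
import re
from typing import Optional

# Constructed sample: a trimmed copy of the scan-log excerpt quoted in the article,
# embedded here so the example runs offline. Paths and thread ids are as quoted.
SAMPLE_LOG = r"""
01:21:43.900260[_3372][_2956]|Resumable scan enumerating inside container file: \\?\C:\Users\Administrator\AppData\Local\Temp\aada2b4b-99pl-852u-89e7-2a4206a4f95d\bff9f452-5f3g-7845-85f6-76cb076f4be6\dcsagent.cab
01:21:44.708474[_3372][_2956]|Resumable scan enumerating inside container child: IPS\tools\sdcss_agent_mgmt.bat
01:21:44.712458[_3372][_2956]|Resumable scan enumerating inside container child: IPS\tools\GetAgentInfo.bat
01:21:44.853822[_3372][_2956]|**** Multiple infections found: 1
01:21:44.855291[_3372][_2956]|Found virus 'Trojan.Gen.NPE.C' with VID 58644, HID level = 0.
01:21:44.856740[_3372][_2956]|Component[0] = 'IPS\tools\GetAgentInfo.bat'
01:21:44.857867[_3372][_2956]|Final flags for threat 'Trojan.Gen.NPE.C' are: Cleanable='Yes' Deletable='Yes' Macro='No'.
"""

# One scan-log line: HH:MM:SS.ffffff[_tid][_tid]|message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\[(?P<tid>[^\]]*)\]\[(?P<tid2>[^\]]*)\]\|(?P<msg>.*)$"
)
CONTAINER_RE = re.compile(r"^Resumable scan enumerating inside container file: (?P<path>.+)$")
VIRUS_RE = re.compile(r"^Found virus '(?P<name>[^']+)' with VID (?P<vid>\d+)")
COMPONENT_RE = re.compile(r"^Component\[(?P<idx>\d+)\] = '(?P<path>[^']+)'$")
FINAL_RE = re.compile(r"^Final flags for threat '")

# Assumption: the risk log renders a file inside an archive as <container>>><child>.
CONTAINER_SEP = ">>"

# Win32 extended-length prefixes as they appear in the scan log.
EXT_PREFIX = "\\\\?\\"          # \\?\
EXT_UNC_PREFIX = "\\\\?\\UNC\\"  # \\?\UNC\


def strip_extended_prefix(path: str) -> str:
    """Return the plain Win32 form of a path that carries the \\?\ prefix."""
    if path.startswith(EXT_UNC_PREFIX):
        return "\\\\" + path[len(EXT_UNC_PREFIX):]
    if path.startswith(EXT_PREFIX):
        return path[len(EXT_PREFIX):]
    return path


def reconstruct_detections(log_text: str) -> list[dict]:
    """Walk the scan log and pair each detected component with its container.

    Returns one dict per 'Component[n]' line. 'container_missing' is True when no
    'enumerating inside container file' line preceded the component, which is
    exactly the case where the risk log entry ends up with an empty path.
    """
    container: Optional[str] = None
    threat: Optional[str] = None
    vid: Optional[int] = None
    detections: list[dict] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        cm = CONTAINER_RE.match(msg)
        if cm:
            container = cm.group("path")
            continue
        vm = VIRUS_RE.match(msg)
        if vm:
            threat, vid = vm.group("name"), int(vm.group("vid"))
            continue
        pm = COMPONENT_RE.match(msg)
        if pm:
            component = pm.group("path")
            missing = container is None
            detections.append({
                "timestamp": m.group("ts"),
                "threat": threat,
                "vid": vid,
                "container": container,
                "component": component,
                "full_path": component if missing else f"{container}{CONTAINER_SEP}{component}",
                "container_missing": missing,
            })
            continue
        if FINAL_RE.match(msg):
            # Threat handling finished; the container stays set for further children.
            threat, vid = None, None
    return detections


if __name__ == "__main__":
    for d in reconstruct_detections(SAMPLE_LOG):
        flag = " [container line missing]" if d["container_missing"] else ""
        print(f"{d['timestamp']} {d['threat']} (VID {d['vid']}): "
              f"{strip_extended_prefix(d['full_path'])}{flag}")
```

Run it against a copy of the scan log taken from the client; each printed line is the container-qualified path the risk log entry should have carried, and any entry flagged "[container line missing]" corresponds to the bug described here rather than to a parsing gap.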

Environment

SEP 14.3.x

Cause

The child files scanned by the Resume Task do not have a container file set on them. As a result, the container file name (.zip/.cab) is missing from the AV log entry.

Resolution

This issue is fixed in Symantec Endpoint Security 14.3 RU9. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.

Workaround:

To work around the issue, modify the scheduled scan settings using either of the following options:

Location: Login to the Symantec Endpoint Protection Manager > Policies > Virus and Spyware Protection Policy > Scheduled Scans > Edit one of the Scans > Schedule

      Option 1: Select “Scan until finished”.

      Option 2: Select “Scan for up to x hours” without enabling “Randomize …”.

Additional Information

CRE-14688