Author Topic: Symantec Reporting infected File  (Read 581 times)

Offline icon27

« on: August 20, 2021, 07:28:14 AM »
Good day,
Symantec Endpoint Protection has reported an infected file from Patch My PC: Malware WS.Reputation.1.
Hash: 4F99744DAB18A2D7613BD0D2A5D9C3B32EFBD962075E3DE928B310975ED668CB

« Last Edit: August 20, 2021, 08:41:04 AM by icon27 »

Offline Jake Shackelford (Patch My PC)

  • Administrator
« Reply #1 on: August 20, 2021, 07:43:22 AM »
Do you know what file caused this scan to alert you?

Offline Cody Mathis

  • Administrator
« Reply #2 on: August 20, 2021, 07:46:42 AM »
Hi there!

What is the specific file that is triggering this?

I suspect this is PatchMyPC-ScriptRunner.exe. This file is updated somewhat regularly, and because of this Symantec will trigger on it occasionally. Note the 'Current Reputation' and 'Historical Reputation', which state that 'There is some evidence that this file is trustworthy'.

When we first update this binary, we see the occasional customer who will have this flagged. As more customers update and Symantec is aware of the file, the alerts stop based on their updated definitions.

For more context, ScriptRunner is our wrapper for doing installations and does have bits of code that can do a lot of tasks as system and can be a trigger to AV. This includes user impersonation and querying various bits of system information.

Are you possibly able to trust a signing certificate?
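
Before a certificate is trusted as suggested above, it helps to confirm that the file on disk is the one named in the alert and that its Authenticode signature is valid. The following is an added example, not part of the original thread and not Patch My PC's own code; the function name, the file path and the publisher string are placeholders to be replaced with values confirmed with the vendor.

```powershell
# Added example: triage a reputation-flagged binary before creating an exception.
# Test-FlaggedBinary is a hypothetical helper name, not a built-in cmdlet.
function Test-FlaggedBinary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,           # file named in the AV alert
        [Parameter(Mandatory)] [string] $AlertSha256,    # SHA-256 shown in the AV alert
        [Parameter(Mandatory)] [string] $ExpectedSigner  # publisher string confirmed with the vendor
    )

    # Hash the file on disk and read its Authenticode signature.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate

    # Case-insensitive substring match of the expected publisher in the subject.
    $signerMatches = ($null -ne $cert) -and
        ($cert.Subject.IndexOf($ExpectedSigner, [StringComparison]::OrdinalIgnoreCase) -ge 0)

    # Candidate for a certificate-based exception only if all three checks hold:
    # same file as the alert, signature verifies, signer is the expected publisher.
    $candidate = ($hash -eq $AlertSha256) -and ($sig.Status -eq 'Valid') -and $signerMatches

    [pscustomobject]@{
        Path                   = $Path
        Sha256                 = $hash
        MatchesAlert           = ($hash -eq $AlertSha256)   # string -eq ignores case
        SignatureStatus        = $sig.Status                # Valid, NotSigned, HashMismatch, ...
        SignerSubject          = if ($cert) { $cert.Subject } else { $null }
        SignerThumbprint       = if ($cert) { $cert.Thumbprint } else { $null }
        SignerNotAfter         = if ($cert) { $cert.NotAfter } else { $null }
        Timestamped            = ($null -ne $sig.TimeStamperCertificate)
        SignerMatches          = $signerMatches
        CertExceptionCandidate = $candidate
    }
}

# Placeholder path and publisher; the hash is the one reported in the first post.
Test-FlaggedBinary `
    -Path 'C:\path\to\PatchMyPC-ScriptRunner.exe' `
    -AlertSha256 '4F99744DAB18A2D7613BD0D2A5D9C3B32EFBD962075E3DE928B310975ED668CB' `
    -ExpectedSigner '<publisher name confirmed with the vendor>'
```

A `SignatureStatus` other than `Valid`, or a signer that does not match, means the detection should be investigated rather than excluded.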

Offline icon27

« Reply #3 on: August 20, 2021, 07:52:27 AM »
Trying to identify the file now and will report once found. I will also look at trusting the cert. First time reporting to PMP...  :D
Thanks for the reply.

Offline icon27

« Reply #4 on: August 20, 2021, 08:39:32 AM »
It is the ScriptRunner file that is causing the false positive. Thank you for all the info. Have a great day.