RetouchPRO forum, Software board (Photoshop, Paintshop Pro, Painter, etc., and their various plugins). Thread: Anyone know if this is a false positive?
07-03-2007, 10:20 PM
Moderator | Join Date: Apr 2005 | Location: somewhere over there | Posts: 6,515
Re: Anyone know if this is a false positive?
gary,
yes, all of those files are there in the common files > symantec shared folders.
07-04-2007, 02:22 AM
Moderator | Join Date: Mar 2004 | Location: Yorkshire, England | Posts: 2,687
Re: Anyone know if this is a false positive?
OK.
I've posted over at MRU (one of the forums I work on), and hopefully someone with Ghost will come back to me and let me know if they're usual with that programme.
I can't see how they'd be there if you've formatted (other than from a Ghost install), but I'm puzzled why they all research as AV files/services.
I don't like unexplained phenomena as far as files are concerned. If I don't get an answer from MRU I'll chase Symantec and see what they have to say.
07-05-2007, 04:43 AM
Moderator | Join Date: Mar 2004 | Location: Yorkshire, England | Posts: 2,687
Re: Anyone know if this is a false positive?
Craig, do you know which version of Ghost you are using?
07-05-2007, 07:37 PM
Moderator | Join Date: Apr 2005 | Location: somewhere over there | Posts: 6,515
Re: Anyone know if this is a false positive?
It says Norton Ghost 10.0 when I start it up.
07-06-2007, 01:27 AM
Moderator | Join Date: Mar 2004 | Location: Yorkshire, England | Posts: 2,687
Re: Anyone know if this is a false positive?
Thanks, having trouble getting any authoritative info, so sorry for the delay. Seems not as many people use Ghost as they once did.
Did get one reply from a very respected person in the Malware field, which is why I'm asking about the version.
Nothing malicious about any of those files/services, I'm just curious as to why they should be present.
07-06-2007, 01:35 PM
Moderator | Join Date: Mar 2004 | Location: Yorkshire, England | Posts: 2,687
Re: Anyone know if this is a false positive?
Hi Craig,
Looks like those services are almost certainly tied to Ghost, however I'd like you to run a couple of tests for me if you will.
I'd like to establish without doubt that they're tied to Ghost, may come in useful to me if I have to help someone with an infected Ghost system in future.
- Click Start > Run, type services.msc then click OK.
- Scan down the list till you find Symantec Core LC
- Double click on it to open it.
- Click the Dependencies tab
- What is listed there?
If not listed in services.msc....
- Click Start > Run, type Notepad, click OK.
- This will open an empty Notepad file.
- Copy/Paste the contents of the box below into Notepad.
Code:
@echo off
rem Each sc enumdepend line lists the services that depend on the named service.
rem Start from a fresh depend.txt so old results are not appended to new ones.
if exist %systemdrive%\depend.txt del %systemdrive%\depend.txt
sc enumdepend ccevtmgr >> %systemdrive%\depend.txt
sc enumdepend ccpwdsvc >> %systemdrive%\depend.txt
sc enumdepend ccsetmgr >> %systemdrive%\depend.txt
sc enumdepend "Symantec core LC" >> %systemdrive%\depend.txt
notepad %systemdrive%\depend.txt
- Click Format and ensure Word Wrap is unchecked.
- Save as ServExp.bat
- Save as file type All Files or it won't work.
- Now double click on ServExp.bat to run it.
- A file depend.txt will be created in this location C:\depend.txt, please post the contents in your next reply.
If the C drive is not your system drive, it will be found in the root of the drive that is your system drive.
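An added example, not code posted by anyone in the thread: a PowerShell version of the services.msc / sc enumdepend checks described in the post above, with the Authenticode check a responder would add before calling an unfamiliar service benign. It assumes Windows PowerShell 3+ or PowerShell 7 (for Get-CimInstance) and an elevated prompt. The default names are the four services discussed in the thread; "Symantec Core LC" is assumed to be a display name rather than a service key name, so the lookup falls back to -DisplayName when -Name finds nothing.

```powershell
# Added example (not from the forum thread): report dependency chains in both
# directions and the signer of each service binary, for a list of services.
param(
    [string[]]$Names = @('ccEvtMgr', 'ccPwdSvc', 'ccSetMgr', 'Symantec Core LC')
)

function Get-ServiceImagePath {
    # Win32_Service.PathName may be quoted and may carry arguments, e.g.
    #   "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" /x
    # Return just the executable so it can be signature-checked.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Get-ServiceReport {
    param([string]$Name)
    # sc.exe and -Name want the service key name; services.msc shows the
    # display name, so try both (assumption: the thread's "Symantec Core LC"
    # is a display name).
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) {
        $svc = Get-Service -DisplayName $Name -ErrorAction SilentlyContinue | Select-Object -First 1
    }
    if (-not $svc) {
        return [pscustomobject]@{ Name = $Name; Present = $false }
    }

    $cim   = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
    $image = Get-ServiceImagePath $cim.PathName
    $sig   = $null
    if (Test-Path -LiteralPath $image) { $sig = Get-AuthenticodeSignature -FilePath $image }

    $sigStatus = if ($sig) { [string]$sig.Status } else { 'image file missing' }
    $signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Name        = $svc.Name
        Present     = $true
        DisplayName = $svc.DisplayName
        State       = [string]$svc.Status
        StartMode   = $cim.StartMode
        ImagePath   = $image
        # "Valid" with a Symantec-issued certificate is the strongest offline
        # evidence that this is vendor code and not something reusing the name.
        SigStatus   = $sigStatus
        Signer      = $signer
        # What this service needs: the Dependencies tab in services.msc.
        DependsOn   = ($svc.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', '
        # What needs this service: what "sc enumdepend <name>" enumerates.
        DependedBy  = ($svc.DependentServices  | ForEach-Object { $_.Name }) -join ', '
    }
}

# Save as Get-ServiceReport.ps1 and run from an elevated prompt, e.g.
#   .\Get-ServiceReport.ps1 -Names ccEvtMgr, ccSetMgr
$Names | ForEach-Object { Get-ServiceReport -Name $_ } | Format-List
```

Two points worth keeping in mind when reading either this report or the batch file's depend.txt: `sc enumdepend X` enumerates only the services that depend on X, so a result of `entriesRead = 0` means nothing depends on X, not that X is absent or has no dependencies of its own; the Dependencies tab in services.msc shows both directions. And a service name matching a known vendor component proves little by itself, since malware routinely reuses such names; the image path and a valid vendor signature on that image are what separate the real component from an impostor.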
07-06-2007, 11:00 PM
Moderator | Join Date: Apr 2005 | Location: somewhere over there | Posts: 6,515
Re: Anyone know if this is a false positive?
it's listed... Remote Procedure Call (RPC)
07-07-2007, 12:17 AM
Moderator | Join Date: Mar 2004 | Location: Yorkshire, England | Posts: 2,687
Re: Anyone know if this is a false positive?
OK, can you run the batch file I described in my last post and post the txt file back here please.
We're hoping to get the databases updated at Castle Cops (the biggest online Malware database) so that in future people with Ghost don't get their services mistakenly removed by over zealous helpers (like me).
To do that we'll need to prove that these services are in fact being used by Ghost. Most users of Ghost also have a Symantec AV or IS programme installed as well, so it's difficult to establish just what files and services are discrete to a particular programme, and which are common to many.
It's amazing just how hard it's been to get any info on these services, everywhere seems to have the same info as CC has, and getting info from Symantec is like pushing a rope uphill. The tech support is run by idiots who only seem able to answer stock questions.
The txt file should hopefully give us some proof of dependency.
07-08-2007, 11:01 AM
Moderator | Join Date: Apr 2005 | Location: somewhere over there | Posts: 6,515
Re: Anyone know if this is a false positive?
hi gary,
ok, i created and ran the .bat file. here are the results:
Quote:
Enum: entriesRead = 0
Enum: entriesRead = 0
Enum: entriesRead = 1
SERVICE_NAME: ccEvtMgr
DISPLAY_NAME: Symantec Event Manager
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Enum: entriesRead = 0
hope that helps.
07-09-2007, 02:19 AM
Moderator | Join Date: Mar 2004 | Location: Yorkshire, England | Posts: 2,687
Re: Anyone know if this is a false positive?
Means nothing to me, but hopefully it means something to the person who asked for it.
Thanks Craig.
07-09-2007, 08:08 AM
Moderator | Join Date: Apr 2005 | Location: somewhere over there | Posts: 6,515
Re: Anyone know if this is a false positive?
you're welcome. hope it helps.
Basically, that little script just asked about the dependencies of those three services. It got 2 false and one positive. So, basically, it found one of those three in the services list and it's currently running in the background (odd, it shouldn't be. But, that's Norton for you).
Now, I'm not as versed in this as I should be, but I'm thinking that little script isn't going to tell the whole story on those dependencies. It will only be able to see those dependencies on active services or services listed. I think some services won't even be listed until you run a given program, but I may be wrong on that. And if I happened to disable some things in my startup, which I do, those services may not be listed until I call up the file. But again, I may be wrong on that.
And that reminds me, I should go to blackviper.com again
07-09-2007, 12:33 PM
Moderator | Join Date: Mar 2004 | Location: Yorkshire, England | Posts: 2,687
Re: Anyone know if this is a false positive?
Yup, that's pretty much it. (When I said I didn't know I was being a tad flippant.)
Anyway, the database at CastleCops has now been updated as a result of your little "problem", which should prevent others mis-identifying these services.
Quote:
O23 List of Windows XP/NT services
Field: Value
Name: Symantec Event Manager (ccEvtMgr)
Command: ccEvtMgr.exe
Status: L
Description: Norton/Symantec Products. Common service entries associated with versions of Norton Anti Virus, Norton SystemWorks, Norton Internet Security Suite and/or Norton Ghost
The others have been similarly changed.
Thank you for helping clarify things.
07-09-2007, 09:25 PM
Moderator | Join Date: Apr 2005 | Location: somewhere over there | Posts: 6,515
Re: Anyone know if this is a false positive?
thanks, gary. glad if it's of some use.
All times are GMT -6.