SCEP deleted a network file instead of quarantining it

I have the Malware Policy default actions for our SCCM EP clients set at:

Severe - Quarantine

High - Quarantine

Medium - Quarantine

Low - Allow.

However, recently, an executable file to run backups on client PCs that was compiled by one of our managers has been seen by SCEP as a virus labelled as Trojan:Win32/Pocyx.F!plock. I suspect it is related to the program that compiled the script.

But my question is about SCEP's behavior. It just deletes the file when we place it somewhere not in my Exclusion path. I have seen it disappear on a network share just seconds after placing it there, as well as from a user's desktop when copied there from elsewhere.

I'm not sure how to affect this behavior, or how/where it is defined to just obliterate the file without sending it to Quarantine.

Any thoughts would be appreciated.

September 3rd, 2015 7:17pm

So if you execute MpCmdRun.exe -Restore -ListAll, the detected item is not listed?

(https://support.microsoft.com/en-us/kb/2834037)

What does the event viewer System log show? There should be an event with Source "Microsoft Antimalware" that shows what action was taken and the action status. There may have been an error/failure during the quarantine operation.

September 3rd, 2015 8:54pm
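The two checks suggested above (the MpCmdRun quarantine listing and the "Microsoft Antimalware" events in the System log) can be run together from one script. The following is an added example and is not code from the thread or from Microsoft; it assumes the SCEP client installs MpCmdRun.exe under "C:\Program Files\Microsoft Security Client" (with the Windows Defender path as a fallback), uses the documented Microsoft Antimalware event IDs 1116 (malware detected), 1117 (action taken) and 1118 (action failed), and takes the threat name from the thread as its default filter. Run it in an elevated PowerShell session on the affected client.

```powershell
# Added example (not from the thread): triage whether an SCEP detection was
# quarantined or removed outright, using the MpCmdRun listing and the
# Microsoft Antimalware events in the System log.
# Assumptions: MpCmdRun.exe location (SCEP path first, Defender path second)
# and event IDs 1116 = detected, 1117 = action taken, 1118 = action failed.
param(
    [string]$ThreatName = 'Trojan:Win32/Pocyx.F!plock',   # threat name quoted in the thread
    [int]$Hours = 24                                      # how far back to search the log
)

# 1. List quarantined items via MpCmdRun -Restore -ListAll.
$candidates = @(
    'C:\Program Files\Microsoft Security Client\MpCmdRun.exe',   # assumed SCEP client path
    'C:\Program Files\Windows Defender\MpCmdRun.exe'             # assumed Defender fallback
)
$mpCmdRun = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if ($mpCmdRun) {
    Write-Host "== Quarantine contents ($mpCmdRun -Restore -ListAll) =="
    & $mpCmdRun -Restore -ListAll
} else {
    Write-Warning 'MpCmdRun.exe not found at the assumed paths.'
}

# 2. Count the on-disk quarantine entries the original poster inspected.
$entries = 'C:\ProgramData\Microsoft\Microsoft Antimalware\Quarantine\Entries'
if (Test-Path $entries) {
    $n = (Get-ChildItem -Path $entries -Force -ErrorAction SilentlyContinue | Measure-Object).Count
    Write-Host "== $n entry file(s) under $entries =="
}

# 3. Pull detection/action events from the System log for this threat name.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft Antimalware'
    Id           = 1116, 1117, 1118
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ThreatName*" }

if (-not $events) {
    Write-Host "No Microsoft Antimalware events for '$ThreatName' in the last $Hours hour(s)."
    return
}

foreach ($e in ($events | Sort-Object TimeCreated)) {
    # Each message is a "Field: value" block like the one quoted in the thread;
    # parse it into a hashtable so detection and action fields can be shown side by side.
    $fields = @{}
    foreach ($line in ($e.Message -split "`r?`n")) {
        if ($line -match '^\s*([^:]+):\s*(.*)$') { $fields[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $kind = switch ($e.Id) {
        1116    { 'DETECTED' }
        1117    { 'ACTION TAKEN' }
        1118    { 'ACTION FAILED' }
        default { 'OTHER' }
    }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        Event        = "$($e.Id) $kind"
        Name         = $fields['Name']
        Path         = ($fields['Path'] -split ';')[0]   # first path element, e.g. file:_C:\...
        Action       = $fields['Action']                 # present on 1117/1118 events
        ActionStatus = $fields['Action Status']
        ErrorCode    = $fields['Error Code']
    }
}
```

A 1116 event with no matching 1117 in the output means the detection was logged but no action was recorded; a 1117 whose Action field reads "Remove" rather than "Quarantine", or a 1118 with a non-zero error code, explains a file that vanished without appearing in the quarantine listing.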

I did find 6 entries on the client's PC in the c:\program data\microsoft\microsoft antimalware\quarantine\entries folder.

In the System events, I found multiple entries:

Microsoft Antimalware has detected malware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Pocyx.F!plock&threatid=2147694602&enterprise=1
Name: Trojan:Win32/Pocyx.F!plock
ID: 2147694602
Severity: Severe
Category: Trojan
Path: file:_C:\Users\user\Downloads\InstallBackup-Win7-6.0 (1).exe;webfile:_c:\ProgramData\Microsoft\Microsoft Antimalware\LocalCopy\{BC4C6EEE-B565-42F9-B495-2C41D51DEED1}-InstallBackup-Win7-6.0 (1).exe|http://4040.taylor.edu/utilities/BackupUtility/InstallBackup-Win7-6.0.exe;webfile:_C:\Users\user\Downloads\InstallBackup-Win7-6.0 (1).exe|http://4040.taylor.edu/utilities/BackupUtility/InstallBackup-Win7-6.0.exe
Detection Origin: Internet
Detection Type: Dynamic Signature
Detection Source: Downloads and attachments
User: domain\user
Process Name: Unknown
Signature Version: AV: 1.205.1374.0, AS: 1.205.1374.0, NIS: 115.17.0.0
Engine Version: AM: 1.1.12002.0, NIS: 2.1.11804.0

I looked on the client's PC and Endpoint Protection showed the 6 infections and I Removed them.

The other PCs are showing the quarantined files as they should.  The only one that does not is mine.  I will consider that an aberration and not worry about that.  The only other issue I need to resolve now is to configure the policy to notify the user that a file was sent to Quarantine.

September 4th, 2015 6:39pm

