After checking my Norton logs, I saw these two entries, which were dated very recently. I realize community submissions are normal; it's the file submitted in these entries that caught me off guard. The fact that I wasn't idle while these entries were being created is also strange (there was even an entry for an idle quick scan immediately after).
The statistical submission has the same information, except for a "Detection Digest" with some sample code. I've already updated and run a full scan with Malwarebytes, which came up clean, but I'm still unsure.
Submissions are used to improve Norton's performance and detection abilities, and do not imply that there is anything that the user needs to be concerned about. In the case of statistical submissions, the Norton Intrusion Prevention System uses signatures to detect and block exploits that leverage vulnerabilities in software programs for the purpose of installing malware. When a new exploit is discovered, a signature is created and distributed as quickly as possible in order to provide immediate protection. After this initial signature is released, refinements are made to perfect a new signature that is smaller and more efficient. Because there is an increased likelihood of false positives, the revised definition is first released as a test signature. When one of these test signatures is triggered, it is reported back to Symantec as an IPS Detection Statistical Submission. These submissions help Symantec fine-tune the accuracy of the detections. Once testing is completed, the initial signature will be replaced or updated with the improved version. While testing is in progress you are protected from the actual exploit by the originally released signature, which will trigger IPS to block, log, and alert you to any real attack. A statistical submission alone without a corresponding IPS action would indicate a false positive.
Reese Anschultz provides a couple of good explanations, which I have paraphrased here, in the following thread:
That certainly explains a lot, and you are right: there was no IPS entry or notification. But what about the sample submission? Surely, something in the file must have triggered Norton, if it had to submit the actual file while the computer was still in use. Keep in mind it was just the file itself, no DLL image or additional information like you would normally see.
I am familiar with community watch submissions and whatnot, but this didn't look anything like the rest.
Unfortunately, this does not appear to be an IDS Statistical submission so SendOfJive's links aren't as relevant as I would like them to be in this particular case. I don't know the exact triggering condition for this case but it appears that ~895.tmp made the Norton product curious enough about it to send more information back to Symantec for further analysis. It probably is just a file that we don't have any information about -- this was one of the first times we've seen it.
new_ton wrote:
[...]
Keep in mind it was just the file itself, no dll image or additional information like you would normally see.
[...]
It probably is either a DLL or traditional EXE file. Executable files don't have to end with .DLL or .EXE. You'll frequently see these files with .TMP extensions for downloaded content. If the file still exists at that location change its extension to .EXE and see if you can successfully get properties (such as version information) on it...
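The advice above, that a .TMP file may really be a DLL or EXE, can be checked without renaming anything: a Windows executable identifies itself by its PE header, not its extension. The following Python script is an added example and not code from the thread or from Symantec; it parses the DOS "MZ" header, follows e_lfanew to the "PE\0\0" signature, and reads the COFF Characteristics field to tell a DLL from an EXE and the machine type. The sample headers it builds are constructed in the script (they are not real files) so it runs offline; point classify_file at a real path to inspect a suspect file.

```python
import struct
import tempfile
from pathlib import Path

# COFF header Characteristics flags (from the PE/COFF specification)
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
# Machine field values for the common architectures
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def classify_pe(data: bytes) -> dict:
    """Report what the bytes say about themselves, ignoring the file extension."""
    result = {"is_pe": False, "is_dll": False, "machine": None, "bits": None, "reason": ""}
    # The DOS header is 64 bytes and starts with the "MZ" magic
    if len(data) < 0x40 or data[:2] != b"MZ":
        result["reason"] = "no MZ DOS header"
        return result
    # e_lfanew (offset 0x3C) points at the PE signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        result["reason"] = "MZ header but no PE signature (DOS-era program or truncated file)"
        return result
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    result["is_pe"] = True
    result["machine"] = MACHINE_NAMES.get(machine, hex(machine))
    result["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    # Optional header magic distinguishes PE32 (0x10B) from PE32+ (0x20B)
    if opt_size >= 2 and e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
        result["bits"] = {0x10B: 32, 0x20B: 64}.get(magic)
    result["reason"] = "DLL" if result["is_dll"] else "EXE"
    return result


def classify_file(path: str) -> dict:
    """Classify a file on disk by its header bytes, whatever its extension."""
    return classify_pe(Path(path).read_bytes())


def build_sample(dll: bool, x64: bool = True) -> bytes:
    """Constructed minimal PE header for demonstration only (not a runnable program)."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    machine = 0x8664 if x64 else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, characteristics)
    opt_magic = struct.pack("<H", 0x20B if x64 else 0x10B)
    return bytes(dos) + b"PE\0\0" + coff + opt_magic


if __name__ == "__main__":
    # Write the constructed samples out with a .tmp extension, as a downloader would,
    # and show that the header, not the name, decides what they are.
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "~dll_sample.tmp": build_sample(dll=True),
            "~exe_sample.tmp": build_sample(dll=False, x64=False),
            "~text_sample.tmp": b"just some text, not an executable",
        }
        for name, content in samples.items():
            p = Path(tmp) / name
            p.write_bytes(content)
            print(name, classify_file(str(p)))
```

If classify_file reports is_pe True for a file that only ever carried a .tmp name, that is the situation Reese describes: downloaded content that is really a DLL or EXE. The script deliberately reads and parses only the header fields it needs, so running it against an unknown file never executes that file.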
I don't know the exact triggering condition for this case but it appears that ~895.tmp made the Norton product curious enough about it to send more information back to Symantec for further analysis. It probably is just a file that we don't have any information about -- this was one of the first times we've seen it.
That is a bit alarming. So what happens once Symantec is done analyzing the file? If it does turn out to be malicious, will it be removed/quarantined?
reese_anschultz wrote:
It probably is either a DLL or traditional EXE file. Executable files don't have to end with .DLL or .EXE. You'll frequently see these files with .TMP extensions for downloaded content. If the file still exists at that location change its extension to .EXE and see if you can successfully get properties (such as version information) on it...
I tried to do as you said, but unfortunately, I am unable to locate the file anywhere. I even tried searching the whole C: drive to no avail.
That is a bit alarming. So what happens once Symantec is done analyzing the file? If it does turn out to be malicious, will it be removed/quarantined?
It's not being analyzed for malware type of content. Its attributes are likely being added to our list of files that exist. Alternatively, we determined that it isn't malware yet it looked suspicious for some reason and we need to figure out why it looked suspicious and how to prevent it from looking suspicious in the future.