Trojan.gen - false positive or real thing?

Hi

My NIS recently found a Trojan.gen file (tmp2b1.tmp in the c:\windows\temp folder). On looking further I discovered that Trojan.gen files had been found on two previous occasions in the last 3 months, always during full system scans.

As I use this PC for work purposes I was concerned about any compromised breaches of my security while using this PC, so I wanted to track down what this possibly meant. I gather that a Trojan.gen is a file that is not identified as a specific variant but one that fits a pattern.

The interesting thing about all three is that NIS has identified the files as being on the computer roughly two minutes before the last used time, which is when the file is quarantined by NIS. Now I can understand NIS finding it and then quarantining it within a few minutes, but I would have thought that the create date for the files would not always be around two minutes before being found - or am I confusing what the "On computer as at" time means? If it is not when the file was actually physically placed on the computer then that would be a useful thing to have in the detailed analysis in order to track how the file came to be on the PC in the first place.

What I am trying to determine is if these files are false positives, perhaps a result of something that happens during the scan process, or if they really are an indication of a trojan.

Since seeing these scan results I have done full system scans under safe mode plus used Norton Power Eraser, and all have come up clean, so the PC should be sweet, but work being work I don't want to take any chances. If they are really trojans then I want to stop whatever is happening for them to appear on the PC.

If anyone has any thoughts on this or a similar experience I would be interested to hear.

Thanks


Sorry, I don't understand your reply - I am using Norton Internet Security. I sometimes work from home, when I use my own PC.

OK, so it's not a corporate product, so the known detection for them does not apply.

 

I would say, seeing as it is only every few weeks or so that a detection occurs in temp\temp[random].temp, that it is just Norton doing its job and detecting and deleting a file in the temp folder before it does harm.

 

Quads

Thanks Quads.

 

Yes, as Norton reports that they have never been launched and are not startup items, so assuming it is a real trojan, it has been zapped before it has done anything.

I would be really keen to find out what the "On computer as at" means though - do you know if that is when Norton found it, or when it was downloaded/dropped or whatever on the PC?

Ideally what I am trying to do is determine what activity is going on when these files are created, in the hope that I might be able to roughly identify the source, e.g. perhaps it is when I am browsing web pages or plug in an external drive etc. If the "On computer as at" means when the file was created on my PC then I can probably figure out what I was doing at that time. If it just means when Norton found it, then is there any way to determine when the file was initially installed on the PC?

The date in the Norton history is the date of detection / deletion.

The date the file was created on your system would be available if the file was not detected and you right-clicked the file and chose Properties. Not advised, just leave it and Norton did its job.

 

Quads
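Since the quarantined file is gone by the time anyone looks at its Properties, the only way to answer "when did it land here?" is to have recorded the timestamps beforehand. The script below is an added example for that, not part of this thread and not a Norton feature: it snapshots the NTFS creation/modification/access times of every file in the Windows temp folder to a CSV (run it on a schedule so the record survives quarantine), then, given a detection time copied from the Norton history, lists which recorded files were created in the minutes before it. The folder, log path, detection time and window size are all assumed parameters.

```powershell
# Added example (not from the thread, not Norton tooling): record temp-folder
# file timestamps so a later AV detection time can be correlated with the
# file's creation time.  All paths/values below are assumed defaults.
param(
    [string]$Folder        = "$env:windir\Temp",                      # assumed: folder named in the thread
    [string]$LogPath       = "$env:USERPROFILE\temp-timestamps.csv",  # assumed log location
    [datetime]$DetectedAt  = (Get-Date),                              # assumed: time from Norton history
    [int]$WindowMinutes    = 10                                       # assumed: how far back to look
)

# 1. Snapshot: append creation / last write / last access times of every file.
#    Schedule this (e.g. hourly) so the record exists before a detection happens.
Get-ChildItem -Path $Folder -File -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime, LastWriteTime, LastAccessTime,
        @{ Name = 'SnapshotTime'; Expression = { Get-Date } } |
    Export-Csv -Path $LogPath -Append -NoTypeInformation

# 2. Correlate: which recorded files were created in the window before the detection?
Import-Csv -Path $LogPath |
    Where-Object {
        $created = [datetime]$_.CreationTime
        $created -ge $DetectedAt.AddMinutes(-$WindowMinutes) -and $created -le $DetectedAt
    } |
    Sort-Object FullName, CreationTime -Unique |
    Format-Table FullName, Length, CreationTime, LastWriteTime, SnapshotTime -AutoSize
```

Run it first as a scheduled task with only the snapshot step active, then after a detection call it with `-DetectedAt '2013-05-01 14:32'` (the "On computer as at" value) to see what appeared shortly before. Treat the result as a clue rather than proof: NTFS timestamps are preserved by a move within the same volume and can be rewritten by ordinary tools, so the creation time tells you when that name appeared in that folder, not necessarily when the content first reached the machine.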

Cool.

 

I reckon it would be really useful if the scan history results also included the created date of the file. The scan process must be able to get that information, so it would be nice if it reported that as well. It would be a useful clue to help track where it possibly came from; otherwise you are kind of in the dark as to when and how long the file has actually been on the computer. Just a thought...