SEPM 12.1.4023.4080 and SEP version 12.1.4013.4013 on Windows XP SP3. SEPM is configured to send email notifications.
I received the following notification in February 2014:
At least one security risk found:
Risk name: W32.IRCBot
File path: e:\data\system\xp.exe
Event time: Feb 21, 2014 3:26:37 PM
Database insert time: Feb 24, 2014 10:28:16 AM
Source: DefWatch
Description: ""
User: SYSTEM
Computer: NETVISTA
IP Address: 192.168.20.25
Domain: Default
Server: SEPMSERVER
Client Group: My Company\MY Antivirus
Action taken on risk: Details pending
This alarm was generated at Feb 24, 2014 10:30:49 AM (Reporter host Time).
I went to the affected computer to find out what is going on. "Show hidden files and folders" is selected and "Hide protected OS files (Recommended)" is UNselected. The E drive is a 2GB flash drive. I can't find anything. The Data folder does not even exist on the E drive. Then I formatted E (the flash drive) just to be sure that the offending EXE file was erased. I also did a full scan of that computer's hard drive and flash drive (before formatting the flash drive). Nothing found.
I got another email notification earlier today:
At least one security risk found:
Risk name: W32.IRCBot
File path: e:\data\system\xp.exe
Event time: Mar 11, 2014 2:29:56 PM
Database insert time: Mar 11, 2014 2:30:56 PM
Source: DefWatch
Description: ""
User: SYSTEM
Computer: NETVISTA
IP Address: 192.168.20.25
Domain: Default
Server: SEPMSERVER
Client Group: My Company\MY Antivirus
Action taken on risk: Cleaned by deletion
This alarm was generated at Mar 11, 2014 2:33:16 PM (Reporter host Time).
What is going on here? The user has not used the flash drive anywhere other than that same (NETVISTA) computer, which she has been using since February.
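Added example, not part of the original post or of Symantec's tooling: a small Python script that parses SEPM "security risk found" notification bodies like the two above into their fields, then groups them by computer, file path and risk name so that repeat detections of the same file show up together with the action taken each time and the gap between the client's event time and the SEPM database insert time (the February alert reached the server about three days after the event). The field labels are the ones in the notification text; the layout the parser assumes (label, colon, value, whitespace) is an assumption from those two emails.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the two SEPM emails quoted in the post, with the values
# copied from the post and the body flattened to one line (line breaks are normalised
# away before parsing, so a multi-line email body parses the same way).
NOTIFICATIONS = [
    "At least one security risk found: Risk name: W32.IRCBot File path: e:\\data\\system\\xp.exe "
    "Event time: Feb 21, 2014 3:26:37 PM Database insert time: Feb 24, 2014 10:28:16 AM Source: DefWatch "
    "Description: \"\" User: SYSTEM Computer: NETVISTA IP Address: 192.168.20.25 Domain: Default "
    "Server: SEPMSERVER Client Group: My Company\\MY Antivirus Action taken on risk: Details pending "
    "This alarm was generated at Feb 24, 2014 10:30:49 AM (Reporter host Time).",
    "At least one security risk found: Risk name: W32.IRCBot File path: e:\\data\\system\\xp.exe "
    "Event time: Mar 11, 2014 2:29:56 PM Database insert time: Mar 11, 2014 2:30:56 PM Source: DefWatch "
    "Description: \"\" User: SYSTEM Computer: NETVISTA IP Address: 192.168.20.25 Domain: Default "
    "Server: SEPMSERVER Client Group: My Company\\MY Antivirus Action taken on risk: Cleaned by deletion "
    "This alarm was generated at Mar 11, 2014 2:33:16 PM (Reporter host Time).",
]

# Field labels as SEPM writes them; they serve as delimiters because values (paths,
# group names) contain spaces, so a plain split on whitespace would not work.
FIELDS = ["Risk name", "File path", "Event time", "Database insert time", "Source", "Description",
          "User", "Computer", "IP Address", "Domain", "Server", "Client Group", "Action taken on risk"]
LABELS = "|".join(re.escape(f) for f in FIELDS)
FIELD_RE = re.compile(rf"({LABELS}): (.*?)(?= (?:{LABELS}): | This alarm was generated at |$)")
TIME_FMT = "%b %d, %Y %I:%M:%S %p"  # e.g. "Feb 21, 2014 3:26:37 PM"

def parse_notification(text):
    """Return the notification's label -> value fields as a dict."""
    text = " ".join(text.split())  # collapse newlines/runs of spaces from the email body
    return {m.group(1): m.group(2).strip() for m in FIELD_RE.finditer(text)}

def report_lag_hours(fields):
    """Hours between the detection on the client and its insertion into the SEPM database."""
    event = datetime.strptime(fields["Event time"], TIME_FMT)
    inserted = datetime.strptime(fields["Database insert time"], TIME_FMT)
    return (inserted - event).total_seconds() / 3600

def recurring_detections(notifications, min_count=2):
    """Group notifications by (computer, path, risk) and summarise the ones that repeat."""
    groups = defaultdict(list)
    for fields in map(parse_notification, notifications):
        groups[(fields["Computer"], fields["File path"].lower(), fields["Risk name"])].append(fields)
    summary = []
    for (computer, path, risk), events in groups.items():
        if len(events) < min_count:
            continue
        events.sort(key=lambda f: datetime.strptime(f["Event time"], TIME_FMT))
        summary.append({"computer": computer, "path": path, "risk": risk, "count": len(events),
                        "actions": [f["Action taken on risk"] for f in events],
                        "max_report_lag_hours": round(max(map(report_lag_hours, events)), 2)})
    return summary
```

Running `recurring_detections(NOTIFICATIONS)` yields one entry for NETVISTA with two events, the actions "Details pending" then "Cleaned by deletion", and a worst-case reporting lag of about 67 hours.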