While analyzing memory dumps from a Windows or Linux system where Symantec Endpoint Protection is installed, using e.g. Volatility (an open-source, advanced memory forensics framework), you come across strange strings, such as hxxp://gay.porn.com, as well as references to viagra and BDSM.
Symantec Endpoint Protection 12.1 or higher
Symantec Endpoint Protection for Linux 12.1 RU5 or higher
These were confirmed to be the strings from the virus definitions loaded into SEP process memory.
To confirm the findings, the command “strings2.exe –pid <ccSvcHst.exe process_id > process_strings.txt” was run on a Linux system with Symantec Endpoint Protection for Linux installed and the resulting text file analyzed:
On a Windows system, the strings from “C:\Program Files (x86)\Symantec\Symantec Endpoint Protection\<version>\Bin\ccSvcHst.exe” executable were dumped and confirmed to contain the same strings and patterns.
Subscribing will provide email updates when this Article is updated. Login is required.