SEPM Version: 12.1.4104.4130
I was recently contacted by the SOC team about the following issue:
The Symantec log files now have the word “null” in them instead of “,”, as opposed to back on July 17 when we saw the last alert. See, for example, what logs containing “cleaned by deletion” looked like then as opposed to what they look like now.
Then
2014/07/17 06:01:32.353 CDT 165.136.218.94 Jul 17 06:53:28 SymantecServer USORSMS182: Virus found,IP Address: 10.145.50.147,Computer name: 63CQ6BS,Source: Real Time Scan,Risk name: Trojan.ADH.2,Occurrences: 1,C:\ProgramData\Symantec\SRTSP\Quarantine\APQ2793.tmp,"",Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2014-07-15 11:20:59
Now
2014/08/04 08:56:52.129 CDT 165.136.218.94 Aug 4 09:42:22 SymantecServer USORSMS182: Virus foundnullIP Address: 192.168.20.120nullComputer name: 4G57LQ1nullSource: Real Time ScannullRisk name: Trojan.SemnagernullOccurrences: 1nullC:\Users\vosed\AppData\Roaming\Movies Toolbar\SafetyNut\components\SafetyNutHlpFF31.dllnull""nullActual action: Cleaned by deletionnullRequested action: CleanednullSecondary action: QuarantinednullEvent time: 2014-08-03 23:01:18nullInserted
One of the rules depends on actions listed in a watchlist to alert. The items in the watchlist obviously do not have null appended to them, so I suspect that may be part of our problem.
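Added example, not from the post or from Symantec: a small Python parser that reads the labelled fields of these SEPM events whether the delimiter is "," or the literal word "null", so a watchlist rule on "Actual action" keeps matching while the delimiter is broken. The two sample lines are constructed from the events quoted above (file path shortened), and the watchlist contents are assumed; a blind `line.replace("null", ",")` is deliberately avoided because "null" can legitimately appear inside a file name or risk name.

```python
import re

# Constructed sample events, abbreviated from the two lines quoted in the post.
# THEN uses the normal "," delimiter, NOW the literal "null" seen since August.
THEN = ('SymantecServer USORSMS182: Virus found,IP Address: 10.145.50.147,'
        'Computer name: 63CQ6BS,Source: Real Time Scan,Risk name: Trojan.ADH.2,'
        'Occurrences: 1,C:\\ProgramData\\Symantec\\SRTSP\\Quarantine\\APQ2793.tmp,"",'
        'Actual action: Cleaned by deletion,Requested action: Cleaned,'
        'Secondary action: Quarantined,Event time: 2014-07-15 11:20:59')
NOW = ('SymantecServer USORSMS182: Virus foundnullIP Address: 192.168.20.120null'
       'Computer name: 4G57LQ1nullSource: Real Time ScannullRisk name: Trojan.Semnagernull'
       'Occurrences: 1nullC:\\Users\\vosed\\AppData\\Roaming\\x.dllnull""null'
       'Actual action: Cleaned by deletionnullRequested action: Cleanednull'
       'Secondary action: QuarantinednullEvent time: 2014-08-03 23:01:18nullInserted')

# Labelled fields of an SEPM "Virus found" event that a SOC rule typically keys on.
LABELS = ["IP Address", "Computer name", "Source", "Risk name", "Occurrences",
          "Actual action", "Requested action", "Secondary action", "Event time"]

# Either delimiter is accepted: the normal comma, or the literal word "null".
DELIM = r"(?:,|null)"
# A value runs until the next delimiter followed by a capitalised token (the next
# label, or the unlabelled file path) or until end of line. This is case-sensitive,
# so a value containing lowercase "null" directly before a capital letter would be
# cut short; that is the known limitation of this approach.
VALUE = r": (.*?)(?=" + DELIM + r"[A-Z]|$)"


def parse_sepm_event(line: str) -> dict:
    """Return {"Event type": ..., label: value, ...} regardless of the delimiter."""
    fields = {}
    m = re.search(r"SymantecServer \S+: (.*?)" + DELIM + r"IP Address: ", line)
    if m:
        fields["Event type"] = m.group(1)
    for label in LABELS:
        m = re.search(DELIM + re.escape(label) + VALUE, line)
        if m:
            fields[label] = m.group(1)
    return fields


# Assumed watchlist of "Actual action" values the rule should alert on.
WATCHLIST = frozenset({"Cleaned by deletion", "Left alone"})


def watchlist_hit(line: str, watchlist=WATCHLIST) -> bool:
    """True when the event's Actual action is on the watchlist, for either delimiter."""
    return parse_sepm_event(line).get("Actual action") in watchlist


if __name__ == "__main__":
    for sample in (THEN, NOW):
        print(parse_sepm_event(sample)["Actual action"], watchlist_hit(sample))
```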