Trojan: 'Win32/Swrot.A' False positive?

While analyzing malware detection logs via Microsoft Systems Center Endpoint Protection, I noticed that there were several entries for the following infection:

Trojan: Win32/Swrot.A

Further investigation shows the malicious file was identified in the following directory:

C:\Windows\smpsvc.exe (VFS:Inchsvc.exe)

No details are provided and I can't seem to find the files under quarantine. All that's present in the quarantine directory are unspecified files with SID like names in the title.

Wondering if anyone has seen this before. I've googled the service but I haven't found anything that seems like this service would be malicious.

Asked Jul 23 '14 at 12:16

ghostisic

Add a comment

1 Answer

Turns out this was a false positive. Win32/Swrot.A turned out to be linked to a smpsvc.exe which is a legit service is installed by Symantec Endpoint Protection. When SEP isn't removed completely from a server/workstation, the remnant files will set off false positives when scanning with Microsoft System Center Endpoint Protection.

Detection location: C:\Windows\smpsvc.exe (VFS:Inchsvc.exe)

Answered Jul 28 '14 at 13:14

ghostisic

Add a comment

Know someone who can answer? Share a link to this question via email, Google+, Twitter, or Facebook.

Your Answer

Not the answer you're looking for? Ask your own question.

herdProtect is a second line of defense malware removal platform powered by 68 anti-malware engines in the cloud. Since no single anti-malware program is perfect 100% of the time, herdProtect utilizes a 'herd' of multiple engines to guarantee the widest coverage and the earliest possible detection.