Home

Windows 7 and Symantec Endpoint Protection - Possibly Deleting Media Center DLLs

- Posted on February 24th, 2010
Tagged:  

I logged in to my Windows 7 workstation this morning and there was a Symantec Endpoint Protection notification about a "Security Risk Found." There were 4 total notifications and it appears that SEP deleted encdec.dll from the winsxs directory and from the system32 directory.

Here is the text of the notifications SEP provided:


Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Packed.Generic.271
File: C:\Windows\winsxs\x86_microsoft-windows-tvencdec_31bf3856ad364e35_6.1.7600.16385_none_e04e6c93efba3643\EncDec.dll
Location: C:\Windows\winsxs\x86_microsoft-windows-tvencdec_31bf3856ad364e35_6.1.7600.16385_none_e04e6c93efba3643
Computer: MYCOMPUTER
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, February 24, 2010 3:52:59 AM


Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Packed.Generic.271
File: C:\Windows\winsxs\x86_microsoft-windows-tvencdec_31bf3856ad364e35_6.1.7600.16385_none_e04e6c93efba3643\EncDec.dll
Location: Quarantine
Computer: MYCOMPUTER
User: SYSTEM
Action taken: Reboot Required
Date found: Wednesday, February 24, 2010 4:00:50 AM


Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Packed.Generic.271
File: C:\Windows\System32\EncDec.dll
Location: C:\Windows\System32
Computer: MYCOMPUTER
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, February 24, 2010 4:26:46 AM


Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Packed.Generic.271
File: C:\Windows\System32\EncDec.dll
Location: Unknown Storage
Computer: MYCOMPUTER
User: SYSTEM
Action taken: Cleaned by Deletion
Date found: Wednesday, February 24, 2010 4:36:03 AM

According to this Symantec article - http://www.symantec.com/security_response/writeup.jsp?docid=2009-113011-... - Packed.Generic.271 is a heuristic-related detection so you may or may not be affected based on your heuristic settings in SEP.

From what I can tell this DLL is part of the Windows Media Center functionality built in to Windows 7. If SEP is really deleting a core DLL of Media Center there are going to be a lot of unhappy users out there when they can't watch they're DVR'd shows on their Media Centers.

If I find out more information I'll update this article.

Hoping your Media Center is OK,
Flux.

Bookmark/Search this post with
  • Twitter
  • Digg
  • del.icio.us
  • StumbleUpon
  • Facebook
  • Google
  • LinkedIn
  • MySpace
  • Newsvine
  • Reddit
  • SlashDot
  • Yahoo