Windows 7 and Symantec Endpoint Protection - Possibly Deleting Media Center DLLs



I logged in to my Windows 7 workstation this morning and there was a Symantec Endpoint Protection notification about a "Security Risk Found." There were 4 total notifications and it appears that SEP deleted encdec.dll from the winsxs directory and from the system32 directory.

Here is the text of the notifications SEP provided:


Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Packed.Generic.271
File: C:\Windows\winsxs\x86_microsoft-windows-tvencdec_31bf3856ad364e35_6.1.7600.16385_none_e04e6c93efba3643\EncDec.dll
Location: C:\Windows\winsxs\x86_microsoft-windows-tvencdec_31bf3856ad364e35_6.1.7600.16385_none_e04e6c93efba3643
Computer: MYCOMPUTER
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, February 24, 2010 3:52:59 AM


Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Packed.Generic.271
File: C:\Windows\winsxs\x86_microsoft-windows-tvencdec_31bf3856ad364e35_6.1.7600.16385_none_e04e6c93efba3643\EncDec.dll
Location: Quarantine
Computer: MYCOMPUTER
User: SYSTEM
Action taken: Reboot Required
Date found: Wednesday, February 24, 2010 4:00:50 AM


Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Packed.Generic.271
File: C:\Windows\System32\EncDec.dll
Location: C:\Windows\System32
Computer: MYCOMPUTER
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, February 24, 2010 4:26:46 AM


Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Packed.Generic.271
File: C:\Windows\System32\EncDec.dll
Location: Unknown Storage
Computer: MYCOMPUTER
User: SYSTEM
Action taken: Cleaned by Deletion
Date found: Wednesday, February 24, 2010 4:36:03 AM
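An added example, not part of the original post and not Symantec's code: Python that parses notifications in the layout above, keeps the latest event per file, and lists files under System32 or winsxs that ended up quarantined or deleted, which are the ones to review first as possible false positives. The SYSTEM_DIRS prefixes, the removal test (a Location of "Quarantine" or an action containing "Deletion") and the function names are assumptions made for this illustration.

```python
import re
from datetime import datetime

# Sample input: the two System32 notifications quoted in the post above.
SAMPLE = r"""Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: Packed.Generic.271
File: C:\Windows\System32\EncDec.dll
Location: C:\Windows\System32
Computer: MYCOMPUTER
User: SYSTEM
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, February 24, 2010 4:26:46 AM

Scan type: Auto-Protect Scan
Event: Security Risk Found!
Security risk detected: Packed.Generic.271
File: C:\Windows\System32\EncDec.dll
Location: Unknown Storage
Computer: MYCOMPUTER
User: SYSTEM
Action taken: Cleaned by Deletion
Date found: Wednesday, February 24, 2010 4:36:03 AM
"""

# Assumption: path prefixes treated as OS-owned when triaging detections.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\winsxs\\")
FMT = "%A, %B %d, %Y %I:%M:%S %p"

def parse_notifications(text):
    """Turn each blank-line-separated 'Key: value' block into a dict."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = map(str.strip, block.splitlines())
        rec = dict(s.split(": ", 1) for s in lines if ": " in s)
        if "File" in rec and "Date found" in rec:
            rec["when"] = datetime.strptime(rec["Date found"], FMT)
            records.append(rec)
    return records

def system_files_removed(text):
    """OS-owned files whose latest notification shows quarantine or deletion."""
    latest = {}
    for rec in sorted(parse_notifications(text), key=lambda r: r["when"]):
        latest[rec["File"].lower()] = rec  # later events overwrite earlier ones
    return [(r["File"], r["Security risk detected"], r["Action taken"])
            for path, r in latest.items() if path.startswith(SYSTEM_DIRS)
            and (r.get("Location") == "Quarantine" or "Deletion" in r.get("Action taken", ""))]
```

Calling system_files_removed(SAMPLE) returns one entry for C:\Windows\System32\EncDec.dll with the action "Cleaned by Deletion".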

According to this Symantec article - http://www.symantec.com/security_response/writeup.jsp?docid=2009-113011-... - Packed.Generic.271 is a heuristic-related detection so you may or may not be affected based on your heuristic settings in SEP.

From what I can tell this DLL is part of the Windows Media Center functionality built into Windows 7. If SEP is really deleting a core DLL of Media Center there are going to be a lot of unhappy users out there when they can't watch their DVR'd shows on their Media Centers.

If I find out more information I'll update this article.

Hoping your Media Center is OK,
Flux.
