Trojan: 'Win32/Swrot.A' False positive?

While analyzing malware detection logs via Microsoft System Center Endpoint Protection, I noticed that there were several entries for the following infection:

Trojan: Win32/Swrot.A 

Further investigation shows the malicious file was identified in the following directory: 

C:\Windows\smpsvc.exe (VFS:Inchsvc.exe)

No details are provided and I can't seem to find the files under quarantine. All that's present in the quarantine directory are unspecified files with SID-like names in the title.

Wondering if anyone has seen this before. I've googled the service but I haven't found anything that seems like this service would be malicious. 
Asked Jul 23 '14 at 12:16

1 Answer

Turns out this was a false positive. Win32/Swrot.A turned out to be linked to smpsvc.exe, which is a legit service installed by Symantec Endpoint Protection. When SEP isn't removed completely from a server/workstation, the remnant files will set off false positives when scanning with Microsoft System Center Endpoint Protection.

Detection location: C:\Windows\smpsvc.exe (VFS:Inchsvc.exe)
Answered Jul 28 '14 at 13:14
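
A check that can be run on an affected host to test the explanation in the answer above. This is an added example, not part of the original question or answer. Only the file path comes from the page; the function name, the assumption that a legitimate remnant carries a valid Authenticode signature, and the "Symantec Endpoint Protection" DisplayName match are assumptions.

```powershell
# Added triage example. The path is the detection location quoted on the page;
# everything else (function name, DisplayName filter) is an assumption.
$Path = 'C:\Windows\smpsvc.exe'

function Get-FlaggedFileTriage {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # The scanner may already have removed or quarantined the file.
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }

    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    $item = Get-Item -LiteralPath $Path

    # Services whose image path still points at the flagged binary.
    $leaf = [regex]::Escape((Split-Path -Path $Path -Leaf))
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match $leaf }

    # Installed-product entries (64-bit and 32-bit views) that mention SEP.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $sep = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Symantec Endpoint Protection*' }

    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        SHA256          = $hash.Hash
        SignatureStatus = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer          = $sig.SignerCertificate.Subject    # empty when the file is unsigned
        ProductName     = $item.VersionInfo.ProductName
        CompanyName     = $item.VersionInfo.CompanyName
        CreatedUtc      = $item.CreationTimeUtc
        Services        = @($services | ForEach-Object { "$($_.Name) [$($_.State)]" })
        SepStillListed  = [bool]$sep
    }
}

Get-FlaggedFileTriage -Path $Path | Format-List
```

A valid vendor signature together with a leftover service entry and no installed-product entry is consistent with an incomplete SEP removal. A missing or invalid signature, or version metadata that does not match the vendor, means the detection should not be dismissed on the file name alone.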
