TFawkes

@shadowwar To confirm your recommendation you are saying to disable scan for rootkit in all of our policies and only enable it when we have a malware detection that keeps coming back? We have a scheduled daily scan on all of our endpoints in the evenings after business hours, would you recommend turning on Scan for rootkits for that or leaving it totally disabled until we run into a persistent detection?

@shadowwar Noticed that you requested the MD5 hash previously as well. It is 0e2b0acb68abbb2df2687b31c793b20b Also zipped and attached file for good measure. spoolsv.zip

@shadowwar Scan for rootkits is enabled in the policy applied to these endpoints, yes.

Had the same detection on 3 of our systems about three hours ago. Ran the spoolsv.exe through virustotal which came up with detection on Avira and F-Secure. We are running endpoint protection. All endpoints had the following MWB Installation information: Engine Version: 1.2.0.793 Asset Manager: 1.2.0.330 Endpoint Protection: 1.2.0.831 Endpoint Protection Protection Update: 1.0.17136 Component Package Version: 1.0.651