Blog: antivirus

Running host-based anti-malware software is a very good idea, but sometimes things can slip through.  You can't trust an infected machine to tell you whether it's infected or not.  Microsoft has System Sweeper, which boots from another media and will scan a Windows machine.  There is one version for 32 bit Windows and one for 64 bit Windows.
 
https://connect.microsoft.com/systemsweeper
 
Kaspersky Labs has a Rescue Disk that will also scan a Windows machine offline.
 
https://support.kaspersky.com/faq/?qid=208282173
                                                           
If malware is discovered I would recommend rebuilding the system and restoring the data.  In my opinion, these tools should be used periodically to determine to some extent that a system is malware free.  Of course, it is a judgment call, depending on what is found.

I was recently attempting to install McAfee Antivirus install on a PC and it would not complete due to an error stating that it was not a valid executable file.  During one of the many attempts it also stated that the “Installation failed, please contact your network administrator”.  The PC was running very slow and I attributed this to its age and RAM.  After further investigation it was discovered that there were over 18,000 folders in the C:\windows\temp directory.  After deleting these folders the machines performance improved greatly and the Mcafee install went through the first try.   Don’t forget to try clearing out your temp folder if you are experiencing performance issues or an installation problem.

I have been looking for a multi-purpose network monitoring tool for use at several network customer location and came across a light-weight app called SpiceWorks. Its open source and has a number of nice features. Here is a list of some of the most useful ones

• Schedulable network scans based on domain name or subnet
• Asset classification based on collected data
• Software inventory (including MS patches)
• Basic service/system alerts & monitoring
• User knowledge base portal w/integrated ticketing system
• Warranty lookup for monitored assets
• Antivirus tracking (no AV, outdated defs, versions, etc) for a number of popular packages
  

An issue has been identified in the Symantec Endpoint Protection Manager (SEPM) which causes Security Content newer than 12/31/2009 11:59 PM to be considered older than content previous to that date/time. As a temporary workaround, Symantec is currently not incrementing the date on Symantec Endpoint Protection (SEP) Security Content and instead is only incrementing the revision number of the content. A message from Symantec provides this more detailed explanation: "As of early Sunday, January 3, 2010, the Symantec Endpoint Protection antivirus definition version "12/31/2009 rev. 114" has been published. Rev 114 includes all the latest definitions through Jan-2-2010."

As of today, January 5, 2010, CoNetrix definitions are showing a revision number of 116. The revision number should continue to increase as evidence of ongoing updates. [more]

This issue has been identified in the Symantec Endpoint Protection Manager (SEPM) and effects the following products:

• Symantec Endpoint Protection v11.x Product Line
• Symantec Endpoint Protection Small Business Edition v12.x Product Line
• Products which rely on Symantec Endpoint Protection for definition updates (e.g. Symantec Mail Security for Microsoft Exchange or Symantec Mail Security for Domino)

There are no required customer actions for this issue. More specifically, there are no changes an administrator needs to apply in order for the above mitigation to be successful.

For more information, see the following Symantec Knowledge Base article: http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010010308571348

Recently a customer had opened a phishing e-mail making rounds starting around the first of September.  This was an e-mail that is reported as an IRS version of Zeus Bot (some additional info: http://garwarner.blogspot.com/2009/09/irs-version-of-zeus-bot-continues.html).

After the virus definitions caught up with this, it was quarantined off and seemed to only affect the user profile on the terminal server where it was opened.  However, users started reporting also that Internet Explorer was crashing randomly. [more]

Looking through the event logs, I could see that IE was crashing from a faulting module named RASADHLP.dll.   This file is a remote access dialup helper and shouldn’t even be in use.  After comparing the files in Windows\system32 directory with another terminal server at the location, the files appeared identical.  However, the problematic server had another copy of RASADHLP.dll under C:\Program Files\Internet Explorer.

Further investigation of this file showed the creation date as the same day that the user received and opened the phishing e-mail.  Also it showed the user as the Owner of that file.  It is likely that IE was trying to use this file in it’s program directory first before the one in system32.

After renaming the file, IE was working without any problems.  The file was removed from the system.  Users running as non-admins likely helped to isolate the malware, but it still had written a bogus file to IE’s program directory.

I had a customer that had a “virus detected” warning pop-up on the server every morning.  She tried to do LiveUpdate (as the warning suggested), but it would fail (the AV is way out-of-date).  She was sure there was a problem with the definitions.  I checked the server, and all the definitions on the server and clients were current.  I got to looking, and it appears the alerts were coming from viruses in the server’s quarantine.  Apparently a virus had been detected and cleaned, but when the backup job would try to access the quarantine, it would see the virus and pop-up the warning message.  I cleared the quarantine and the pop-ups stopped.

AVG recently released an update that mistakenly identified a valid user32.dll file as containing a virus.  It instructs users to delete the file, which of course makes the system unbootable.  This affects AVG 7.5 and 8.0 running on Windows XP.  AVG says this only affects a few non-English versions, but the volume of reported incidents indicates this may not be completely accurate. [more]

• http://www.avg.com/support
• http://www.tomshardware.com/news/avg-antivirus-virus-removal,6587.html
• http://www.winhelponline.com/blog/avg-false-positive-user32-dll-restore-tool

I was testing Symantec Endpoint Protection for a short while. After uninstalling endpoint protection I began receiving an error every time that I opened outlook. The error said something to the effect of “Unable to load Add-on please uninstall”.

In Outlook 2003 you should be able to simply remove the add-on within the add-on manager. In Outlook 2007 though it requires a different method. I had to delete a file called Extend.dat (location: C:\Documents and Settings\%username%\Local Settings\Application Data\Microsoft\Outlook) which is the file that stores the cached add-ons. After running Outlook again this file was recreated but this time Outlook did not give me an add-on error.  This seems to apply to other add-ons as well. While searching the web I saw people report that this also works for similar errors after uninstalling AVG antivirus.

I was working on a server that was running low on disk space on the system (C:) partition.  I was able to free up some space rather quickly (by removing the Automatic Update downloads), but when I checked the Event Logs, the Application log was filling up with errors from SMS for Exchange.  The message was that the virus definitions were corrupted.  It appeared that the XDB down script had run around lunch time and updated the virus definitions, but wasn’t able to complete the install due to low disk space.  Despite the partial install, SMS for Exchange appeared to be trying to use the corrupted definitions.  When I tried to run LiveUpdate (as recommended by the Event Log message), LiveUpdate said everything was current.  People were starting to have problems with their e-mail (and for some reason the server was beeping irregularly on site).  I stopped the SMS for Exchange service (which fixed the e-mail and the beep), but the service wouldn’t restart.  I tried restarting the main Antivirus service as well, and it would not restart (also because of corrupt virus definitions).  I had to manually stop all the Symantec services, remove the partially installed virus definitions from the C:\Program Files\Common Files\Symantec Shared\VirusDefs folder, manually edit the USAGE.dat file (which tells the Symantec products which defs to use), then restart the services.  Once the services were up and running on the previous virus defs, I was  able to re-run the XDB down script and let it update the defs to the most current.