RE: False-positives on Vipre this morning

2010-03-26 Thread Stu Sjouwerman
Joe Frederick here at Sunbelt is takes with handling FP's when they come up.

You can report these directly to him. He's cc-d.

Warm regards,

Stu Sjouwerman
Co-Founder, Publisher, Sunbelt Media
P: +1-727-562-0101 ext 218
F: +1-727-562-5199
s...@sunbelt-software.com


  


-Original Message-
From: Angus Scott-Fleming [mailto:angu...@geoapps.com] 
Sent: Friday, March 26, 2010 1:01 AM
To: NT System Admin Issues
Subject: Re: False-positives on Vipre this morning

On 25 Mar 2010 at 22:57, Burian, Matthew J. (mjb)  wrote:

 That one file you saw in the recycle bin sounds very similar in name
 to the Microsoft Antimalware process of MsMpEng.exe used in OneCare
 and now used in Security Essentials. (Also may be used with Windows
 Defender??)
 
 Just an interesting, though probably unrelated similarity in file naming.

Probably an intentional mis-naming by the malware.  Actually it turned out to 
be a true nasty trojan, not an FP (although I had those today also*).  Info 
pages here:

W32/IRCbot.gen.aj
http://vil.nai.com/vil/content/v_252087.htm

W32/Rimecud
http://vil.nai.com/vil/content/v_237984.htm

My infections had the filename of the first of those but the exact file-
location and registry-keys of the second.  VIPRE identified them as 
Worm.Win32.Rimecud [where DO they get these names???] and the VIPRE info page 
(doesn't say anything useful, unfortunately) is here:
http://www.sunbeltsecurity.com/ThreatDisplay.aspx?name=Worm.Win32.Rimecudtid=4268277cs=50289929C7DB40A0D03710195D3B1B1C
or here if the above wraps unusably: http://preview.tinyurl.com/ydtnjw6

I had three machines where the VIPRE Deep Scan found this.  I need to make 
sure I get Deep Scans on the rest of the network RSN as this spreads via 
network shares among other methods.

Angus

* FPs on half a dozen files in hidden directory C:\hp\recovery\wizard\fsadmin\ 
on one XP Home machine that still sits on my network.  Submitted them to 
Sunbelt after dealing with Rimecud.  No answer yet, but it was after 9 PM 
Florida time when I submitted them.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/





~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~




RE: False-positives on Vipre this morning

2010-03-26 Thread Stu Sjouwerman
Darn spelling correction!  :-)   is tasked with 

Warm regards,


Stu Sjouwerman
Co-Founder, Publisher, Sunbelt Media
P: +1-727-562-0101 ext 218
F: +1-727-562-5199
s...@sunbelt-software.com


  


-Original Message-
From: Stu Sjouwerman [mailto:s...@sunbelt-software.com] 
Sent: Friday, March 26, 2010 12:15 PM
To: NT System Admin Issues
Cc: Joe Frederick
Subject: RE: False-positives on Vipre this morning

Joe Frederick here at Sunbelt is takes with handling FP's when they come up.

You can report these directly to him. He's cc-d.

Warm regards,

Stu Sjouwerman
Co-Founder, Publisher, Sunbelt Media
P: +1-727-562-0101 ext 218
F: +1-727-562-5199
s...@sunbelt-software.com


  




Re: False-positives on Vipre this morning

2010-03-26 Thread Angus Scott-Fleming
ASF:
 * FPs on half a dozen files in hidden directory
 C:\hp\recovery\wizard\fsadmin\ 
 on one XP Home machine that still sits on my network.  Submitted them to 
 Sunbelt after dealing with Rimecud.  No answer yet, but it was after 9 PM 
 Florida time when I submitted them.

On 26 Mar 2010 at 12:14, Stu Sjouwerman  wrote:

 Joe Frederick here at Sunbelt is takes with handling FP's when they come
 up.
 
 You can report these directly to him. He's cc-d.

Thanks, Stu.  I already had, I think via the web form, and he got back to me 
this morning confirming their FP-ness.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/







RE: False-positives on Vipre this morning

2010-03-26 Thread Stu Sjouwerman
Excellent !!

Warm regards,


Stu Sjouwerman
Co-Founder, Publisher, Sunbelt Media
P: +1-727-562-0101 ext 218
F: +1-727-562-5199
s...@sunbelt-software.com


  


-Original Message-
From: Angus Scott-Fleming [mailto:angu...@geoapps.com] 
Sent: Friday, March 26, 2010 1:39 PM
To: NT System Admin Issues
Subject: Re: False-positives on Vipre this morning

ASF:
 * FPs on half a dozen files in hidden directory
 C:\hp\recovery\wizard\fsadmin\ 
 on one XP Home machine that still sits on my network.  Submitted them to 
 Sunbelt after dealing with Rimecud.  No answer yet, but it was after 9 PM 
 Florida time when I submitted them.

On 26 Mar 2010 at 12:14, Stu Sjouwerman  wrote:

 Joe Frederick here at Sunbelt is takes with handling FP's when they come
 up.
 
 You can report these directly to him. He's cc-d.

Thanks, Stu.  I already had, I think via the web form, and he got back to me 
this morning confirming their FP-ness.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/








Re: False-positives on Vipre this morning

2010-03-25 Thread RichardMcClary
All our dellephants are working fine this morning.  HOWEVER, 16 of these 
workstations were built with a DVD our help desk person made (slipstreamed 
w/SP3 and MS patches to date).  It seems some OEM drivers, most of which 
are in the .\i386 folder, are being flagged.  To date, we've had two 
NVidia and one Creative Labs driver set off alarms.  (For some reason, 
VIPRE sends me two notices for each alarm.  It's just So Much Fun to wake 
up and see 32 VIPRE events!)
--
Richard D. McClary
Systems Administrator, Information Technology Group 
ASPCA®
1717 S. Philo Rd, Ste 36
Urbana, IL  61802
 
richardmccl...@aspca.org
 
P: 217-337-9761
C: 217-417-1182
F: 217-337-9761
www.aspca.org
 
The information contained in this e-mail, and any attachments hereto, is 
from The American Society for the Prevention of Cruelty to Animals® (ASPCA
®) and is intended only for use by the addressee(s) named herein and may 
contain legally privileged and/or confidential information. If you are not 
the intended recipient of this e-mail, you are hereby notified that any 
dissemination, distribution, copying or use of the contents of this 
e-mail, and any attachments hereto, is strictly prohibited. If you have 
received this e-mail in error, please immediately notify me by reply email 
and permanently delete the original and any copy of this e-mail and any 
printout thereof.
 

John Aldrich jaldr...@blueridgecarpet.com wrote on 03/25/2010 07:33:49 
AM:

 Still on the old version of Vipre Enterprise (waiting for more bugs
 to be squished. :-) ) This morning I got a warning about some stuff on
 HP computers. I'm pretty sure it's going to be a false positive, but
 I thought I'd ask if anyone else is having problems with stuff under
 c:\hp\recovery\wizard\fscommand...
 

RE: False-positives on Vipre this morning

2010-03-25 Thread John Aldrich
Interesting. I posted on the Sunbelt forum as well, so maybe I'll hear
something back. I don't recall ever hearing anything back from Sunbelt if I
just submit the suspected false-positives to Sunbelt from the console.

 


 

From: richardmccl...@aspca.org [mailto:richardmccl...@aspca.org] 
Sent: Thursday, March 25, 2010 9:10 AM
To: NT System Admin Issues
Subject: Re: False-positives on Vipre this morning

 


All our dellephants are working fine this morning.  HOWEVER, 16 of these
workstations were built with a DVD our help desk person made (slipstreamed
w/SP3 and MS patches to date).  It seems some OEM drivers, most of which are
in the .\i386 folder, are being flagged.  To date, we've had two NVidia and
one Creative Labs driver set off alarms.  (For some reason, VIPRE sends me
two notices for each alarm.  It's just So Much Fun to wake up and see 32
VIPRE events!

RE: False-positives on Vipre this morning

2010-03-25 Thread Alex Eckelberry
Those reports that you submit from the console do get read and acted upon.

I will check into this report.


Alex


From: John Aldrich [mailto:jaldr...@blueridgecarpet.com]
Sent: Thursday, March 25, 2010 9:17 AM
To: NT System Admin Issues
Subject: RE: False-positives on Vipre this morning

Interesting. I posted on the Sunbelt forum as well, so maybe I'll hear 
something back. I don't recall ever hearing anything back from Sunbelt if I 
just submit the suspected false-positives to Sunbelt from the console.


RE: False-positives on Vipre this morning

2010-03-25 Thread John Aldrich
Thanks, Alex. It would be nice to know if they are true F/Ps or are actual
threats.

 


 

From: Alex Eckelberry [mailto:al...@sunbelt-software.com] 
Sent: Thursday, March 25, 2010 12:33 PM
To: NT System Admin Issues
Subject: RE: False-positives on Vipre this morning

 

Those reports that you submit from the console do get read and acted upon.

I will check into this report.

Alex


Re: False-positives on Vipre this morning

2010-03-25 Thread Eric Wittersheim
+1

On Thu, Mar 25, 2010 at 11:35 AM, John Aldrich jaldr...@blueridgecarpet.com
 wrote:

  Thanks, Alex. It would be nice to know if they are true F/Ps or are
 actual threats.




RE: False-positives on Vipre this morning

2010-03-25 Thread Alex Eckelberry
Noted.

From: Eric Wittersheim [mailto:eric.wittersh...@gmail.com]
Sent: Thursday, March 25, 2010 12:38 PM
To: NT System Admin Issues
Subject: Re: False-positives on Vipre this morning

+1
On Thu, Mar 25, 2010 at 11:35 AM, John Aldrich jaldr...@blueridgecarpet.com wrote:
Thanks, Alex. It would be nice to know if they are true F/Ps or are actual 
threats.


Re: False-positives on Vipre this morning

2010-03-25 Thread Angus Scott-Fleming
On 25 Mar 2010 at 8:33, John Aldrich  wrote:

 
 Still on the old version of Vipre Enterprise (waiting for more bugs to be
 squished. :-) ) This morning I got a warning about some stuff on HP computers.
 I'm pretty sure it's going to be a false positive, but I thought I'd ask if
 anyone else is having problems with stuff under
 c:\hp\recovery\wizard\fscommand...

I saw 4 or 5 machines on a 40 machine network with new warnings in the console 
when I checked remotely this morning.  I quickly previewed them; ISTR three 
machines had identical new detections in their Recycle Bins; the file was 
called something like Mx??Eng.exe.  ISTR one, an HP, had a bunch of hits in its 
Recovery Partition.  I haven't had a chance to get to the office yet to submit 
them to VirusTotal and then to falsepositi...@sunbeltsoftware.com ...  

Angus

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
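
Both Richard's flagged OEM drivers under .\i386 and the files Angus intends to send to VirusTotal and then to Sunbelt's false-positive address call for the same first step: record a hash and the Authenticode signature state of each flagged file before anyone decides whether it is a false positive. The helper below is an added example, not code from this thread or from Sunbelt; the function name Get-FpTriageReport and the sample filenames are made up, and it assumes PowerShell 4.0 or later (for Get-FileHash) on the workstation that raised the alarm.

```powershell
# Added false-positive triage helper (not from this thread or from Sunbelt/VIPRE).
# Assumes PowerShell 4.0+ for Get-FileHash. Run on the machine that raised the alarm.
function Get-FpTriageReport {
    [CmdletBinding()]
    param(
        # Plain strings via -Path, or Get-ChildItem output via the FullName alias.
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                # A path the console reported but that no longer exists was most
                # likely quarantined already; record that instead of skipping it.
                [pscustomobject]@{
                    Path = $p; SHA256 = $null; Signature = 'n/a'; Signer = $null
                    Verdict = 'file missing (quarantined?) - restore a copy before hashing'
                }
                continue
            }
            $sha256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $sig    = Get-AuthenticodeSignature -FilePath $p
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Signature state is a triage hint, not a verdict: a valid signature from a
            # known OEM makes a false positive likely, but the AV vendor still confirms,
            # and unsigned or broken-signature files get no benefit of the doubt.
            $verdict = switch ($sig.Status) {
                'Valid'     { 'validly signed: likely FP, submit hash and signer for confirmation' }
                'NotSigned' { 'unsigned: cannot be cleared on signature alone, submit the sample' }
                default     { "signature $($sig.Status): treat as suspicious until confirmed" }
            }
            [pscustomobject]@{
                Path = $p; SHA256 = $sha256; Signature = $sig.Status; Signer = $signer
                Verdict = $verdict
            }
        }
    }
}

# Constructed sample input: the two directories named in the thread with made-up
# filenames. Replace with the paths copied from the VIPRE console.
$flagged = @(
    'C:\hp\recovery\wizard\fscommand\example1.exe',
    'C:\i386\example-oem-driver.sys'
)
Get-FpTriageReport -Path $flagged | Format-List

# Whole-directory variant for a recovery or i386 folder, written to a CSV that can
# go with the submission e-mail or web form.
Get-ChildItem -LiteralPath 'C:\hp\recovery\wizard\fscommand' -Recurse -File -ErrorAction SilentlyContinue |
    Get-FpTriageReport |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'vipre-fp-triage.csv')
```

The SHA256 column is what to look up on VirusTotal before uploading anything, since a hash that is already known avoids sending a possibly proprietary OEM file anywhere.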








Re: False-positives on Vipre this morning

2010-03-25 Thread Burian, Matthew J. (mjb)
That one file you saw in the recycle bin sounds very similar in name
to the Microsoft Antimalware process of MsMpEng.exe used in OneCare
and now used in Security Essentials. (Also may be used with Windows
Defender??)

Just an interesting, though probably unrelated similarity in file naming.

Matt


On Thu, Mar 25, 2010 at 2:20 PM, Angus Scott-Fleming
angu...@geoapps.com wrote:

 I saw 4 or 5 machines on a 40 machine network with new warnings in the console
 when I checked remotely this morning.  I quickly previewed them; ISTR three
 machines had identical new detections in their Recycle Bins; the file was
 called something like Mx??Eng.exe.  ISTR one, an HP, had a bunch of hits in 
 its
 Recovery Partition.  I haven't had a chance to get to the office yet to submit
 them to VirusTotal and then to falsepositi...@sunbeltsoftware.com ...

 Angus




Re: False-positives on Vipre this morning

2010-03-25 Thread Angus Scott-Fleming
On 25 Mar 2010 at 22:57, Burian, Matthew J. (mjb)  wrote:

 That one file you saw in the recycle bin sounds very similar in name
 to the Microsoft Antimalware process of MsMpEng.exe used in OneCare
 and now used in Security Essentials. (Also may be used with Windows
 Defender??)
 
 Just an interesting, though probably unrelated similarity in file naming.

Probably an intentional mis-naming by the malware.  Actually it turned out to 
be a true nasty trojan, not an FP (although I had those today also*).  Info 
pages here:

W32/IRCbot.gen.aj
http://vil.nai.com/vil/content/v_252087.htm

W32/Rimecud
http://vil.nai.com/vil/content/v_237984.htm

My infections had the filename of the first of those but the exact file-
location and registry-keys of the second.  VIPRE identified them as 
Worm.Win32.Rimecud [where DO they get these names???] and the VIPRE info page 
(doesn't say anything useful, unfortunately) is here:
http://www.sunbeltsecurity.com/ThreatDisplay.aspx?name=Worm.Win32.Rimecudtid=4268277cs=50289929C7DB40A0D03710195D3B1B1C
or here if the above wraps unusably: http://preview.tinyurl.com/ydtnjw6

I had three machines where the VIPRE Deep Scan found this.  I need to make 
sure I get Deep Scans on the rest of the network RSN as this spreads via 
network shares among other methods.

Angus

* FPs on half a dozen files in hidden directory C:\hp\recovery\wizard\fsadmin\ 
on one XP Home machine that still sits on my network.  Submitted them to 
Sunbelt after dealing with Rimecud.  No answer yet, but it was after 9 PM 
Florida time when I submitted them.

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/




