Re: Vipre false positives?
Here are a couple of other UI enhancements that would make managing VIPRE scan detections easier, both in the home-user version (which I use on my personal machines and which some of my clients' employees use) and in the VSE Console (which I use for clients).

1. When you're in the Detections panel, have the ability to copy the path to the detected item to the Windows clipboard. I'd use this to submit the detections to VirusTotal to see if it's really a detection or probably an FP. In fact, incorporating VT's Submit tool directly into the VSE Console would be a Very Good Thing, and making it easy to add to the home-user's console would also be a VGT. As it is now, I have to browse to the infection's folder and then submit it manually. Ideally this would allow highlighting a range of detections and submitting them all at once [grin].

2. The size of the Risk Details pane and the column widths should be sticky. When I'm working on a wide-screen monitor, I like to widen the Risk Details pane and also widen the Information column so I can see the entire path. But when I close the RD pane, those settings are not preserved and I have to widen or maximize the window again each time.

3. The right-click drop-down menu on the Set Recommended Action should have a Flag for Rescan option (see earlier message on this idea). The console should toggle this flag off when it's rescanned but keep a count of the rescans, since sometimes it can be a day or two before the FP detection logic is updated enough to quit finding the FP.

4. There should be an Admin-level config area where admins can Always Allow all the Nirsoft tools in one click, all the SysInternals (PS)tools in one click, and so on for common administrator tool sets.

BTW, I'm curious what the AA logic is. Is it \\path\to\filename-only, filename-only (any file with this name), or do you keep MD5 sums of Always Allowed items so you can detect that the file has changed even though the filename remains unchanged?
~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
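Two of the points above, getting a flagged file in front of VirusTotal and what an Always Allow entry should be keyed on, come down to the same thing: identify the file by its contents, not by its name. The script below is an added example for this thread, not VIPRE code. It parses the notification layout quoted elsewhere in the thread (the Machine / Threat / Category / Action / File blocks), hashes each flagged file that is still on disk, and then compares three allow-list strategies: a filename or full-path entry still passes a different binary dropped under the same name, a SHA-256 entry does not. The report text, the file contents and the allow-list entries are constructed, and parse_report, triage, allow_decision and demo are this example's own names.

```python
"""Parse VIPRE-style detection notifications, hash the flagged files and
compare allow-list strategies. Added example for this thread, not VIPRE code;
the notification layout is copied from the thread, everything else is constructed."""
import hashlib
import os
import re
import tempfile

# Constructed sample in the layout of the notifications quoted in the thread.
SAMPLE_REPORT = r"""
Machine: RVSDWIN (10.40.1.9)
User:
Scan Date: 7/26/2010 6:28 AM
Software Version: 4.0.3275
ThreatDB Version: 6640
Policy: Servers
- Threat: Trojan.Win32.Generic!BT
  Category: Trojan
  Severity: High Risk
  Action: UnKnown
  Traces Found:
  File: C:\Windows\System32\Oobe.exe
- Threat: Trojan.Win32.Generic!BT
  Category: Trojan
  Severity: High Risk
  Action: UnKnown
  Traces Found:
  File: C:\Windows\System32\ProvisionStorage.exe
"""

FIELD_RE = re.compile(r'^\s*(?:-\s*)?(Machine|Threat|Category|Severity|Action|File):\s*(.*?)\s*$')
MACHINE_RE = re.compile(r'^([^\s(]*)\s*\(([\d.]+)\)$')   # "NAME (ip)", name may be empty


def parse_report(text):
    """Flatten a notification into one record per flagged file."""
    hits, machine, threat = [], {}, {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                       # Scan Date, ThreatDB Version, ... are not needed
        field, value = m.groups()
        if field == 'Machine':
            mm = MACHINE_RE.match(value)
            machine = {'machine': mm.group(1) if mm else value, 'ip': mm.group(2) if mm else ''}
            threat = {}
        elif field == 'Threat':
            threat = {'threat': value}     # a new "- Threat:" block starts here
        elif field == 'File':
            hits.append({**machine, **threat, 'path': value})
        else:
            threat[field.lower()] = value  # category / severity / action
    return hits


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def allow_decision(path, by_name, by_path, by_hash):
    """Which Always-Allow keying would pass this file? Only the content hash
    still says no after a different binary is dropped under the same name."""
    return {
        'by_name': os.path.basename(path).lower() in by_name,
        'by_path': os.path.normcase(path) in by_path,
        'by_hash': sha256_of(path) in by_hash,
    }


def triage(report_text, allow):
    """One row per flagged file: hash and allow decisions, or 'missing' when the
    file is no longer on disk (already quarantined or removed)."""
    rows = []
    for hit in parse_report(report_text):
        if not os.path.isfile(hit['path']):
            rows.append({**hit, 'status': 'missing'})
            continue
        rows.append({**hit, 'status': 'present', 'sha256': sha256_of(hit['path']),
                     **allow_decision(hit['path'], **allow)})
    return rows


def demo():
    """Constructed scenario: allow Oobe.exe three ways, then replace the file
    with different contents under the same name and run the triage again."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, 'Oobe.exe')
        with open(target, 'wb') as f:
            f.write(b'constructed stand-in for the vendor binary')
        allow = {'by_name': {'oobe.exe'},
                 'by_path': {os.path.normcase(target)},
                 'by_hash': {sha256_of(target)}}
        # Point the report at the constructed files (the second one is never created).
        report = (SAMPLE_REPORT
                  .replace(r'C:\Windows\System32\Oobe.exe', target)
                  .replace(r'C:\Windows\System32\ProvisionStorage.exe',
                           os.path.join(d, 'ProvisionStorage.exe')))
        before = triage(report, allow)
        with open(target, 'wb') as f:
            f.write(b'constructed stand-in for a dropped file reusing the name')
        after = triage(report, allow)
    return before, after


if __name__ == '__main__':
    for label, rows in zip(('original file', 'replaced file'), demo()):
        for r in rows:
            print(label, r['path'], r['status'],
                  {k: r[k] for k in ('by_name', 'by_path', 'by_hash') if k in r})
```

The sha256 column is also what you paste into VirusTotal's search box to get a verdict on a file VT has already seen, without uploading anything from the server; uploading is only needed for a hash it has never seen.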
RE: Vipre false positives?
This is actually a really good idea.

From: Angus Scott-Fleming
Sent: Thursday, July 29, 2010 9:43 PM
To: NT System Admin Issues
Cc: Alex Eckelberry
Subject: Re: Vipre false positives?

On 26 Jul 2010 at 9:08, Jeff Cain wrote:
These should have been addressed in def version 6636. If not please let us know right away.

IMHO VIPRE needs a Rescan Quarantined Files option -- an auto-recover from FP feature.

The Rescan should allow us to select, from the console, an agent or set of agents, and allow us to tell each agent to rescan its quarantined items using the current set of defs, which presumably has corrected the FP. There should be an option to unquarantine -- to restore -- anything that scans clean, with an option to email the report to the administrator either way. There should be an option to time-limit the items being rescanned so we only scan a given date range; this would allow us to limit the scanning to the last day or week of quarantined items. We should be able to schedule the rescan, too, so the scan happens when it won't interfere with work.

This would allow us to recover easily from an episode of False Positives that erroneously quarantines files on multiple systems (as long as those systems are still bootable and the VSE Agent is running there). It is tolerable if you have a few machines with FPs. I can't imagine cleaning up an FP episode on hundreds of machines.

We all understand that all AV products either suffer from FPs or infections that get by. I'd rather have the FPs, but having a Rescan Quarantine would really set VIPRE apart from other AV products. I don't know of any other product which offers this.

Discussion welcome.

Angus
Re: Vipre false positives?
Agreed. I just got done submitting (several days late) to virustotal.com a set of .LNK files that were marked on our file server. By the time I had submitted them, nobody thought that they were dangerous (except eSafe, which is really weird). They were marked as report only, so it was no big deal, but if I'd had to rescue them, it would have been more interesting.

Kurt

On Fri, Jul 30, 2010 at 15:52, Alex Eckelberry wrote:
This is actually a really good idea.
Re: Vipre false positives?
You are not alone...

On Mon, Jul 26, 2010 at 8:40 AM, Tom Miller wrote:

Anyone having issues with Vipre false positives on their Windows 2008 servers? Last weekend, Friday night's scan reported a virus on each of my 2008 servers. The Sunbelt team investigated and it was a false positive. Same thing this weekend, and again a false positive. I have a third I'm working on with support now that looks like another false positive. I am wondering if this is Vipre or possibly my policy configuration for my servers? I run deep scan several times a week on those systems in any case. The first thing I do not want to see in my Inbox on Saturday and Sunday morning is pages of Vipre notifications. I have not seen false positives on our XP/Win 7 machines or 2003 Servers. This is getting really old.

Nothing special about these servers. Some are DCs, others member servers, others just for apps or storage. Most don't have anything other than the Windows 2008 NOS installed.

Tom Miller
Engineer, Information Technology
Hampton-Newport News Community Services Board
757-788-0528

Confidentiality Notice: This e-mail message, including attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
Re: Vipre false positives?
Same here.

On Mon, Jul 26, 2010 at 7:43 AM, Richard Stovall wrote:
You are not alone...
RE: Vipre false positives?
These should have been addressed in def version 6636. If not, please let us know right away.

Thanks,
Jeff Cain - supp...@sunbeltsoftware.com
Technical Support Analyst
Sunbelt Software, part of the GFI Software family
www.sunbeltsoftware.com
Tel: 1-877-757-4094
Fax: +1 727-562-3402

From: Eric Wittersheim
Sent: Monday, July 26, 2010 9:01 AM
To: NT System Admin Issues
Subject: Re: Vipre false positives?

Same here.
RE: Vipre false positives?
Working on the second one this weekend now, Jeff. Here are sample details:

Machine: RVSDWIN (10.40.1.9)
User:
Scan Date: 7/26/2010 6:28 AM
Software Version: 4.0.3275
ThreatDB Version: 6640
Policy: Servers
- Threat: Trojan.Win32.Generic!BT
  Category: Trojan
  Severity: High Risk
  Action: UnKnown
  Traces Found:
  File: C:\Windows\System32\Oobe.exe
- Threat: Trojan.Win32.Generic!BT
  Category: Trojan
  Severity: High Risk
  Action: UnKnown
  Traces Found:
  File: C:\Windows\System32\ProvisionStorage.exe

Jeff Cain, 7/26/2010 9:08 AM:
These should have been addressed in def version 6636. If not please let us know right away.
RE: Vipre false positives?
I got notifications for .lnk files that are harmless. :( I'm not particularly worried about it, but I think Vipre is a little *too* cautious on .lnk files.

John Aldrich
Tile-Tools

From: Eric Wittersheim
Sent: Monday, July 26, 2010 9:01 AM
To: NT System Admin Issues
Subject: Re: Vipre false positives?

Same here.
RE: Vipre false positives?
Everyone,

AV Lab is aware of the FPs and they should be resolved late this morning.

Thanks,
Jeff Cain - supp...@sunbeltsoftware.com
Technical Support Analyst
Sunbelt Software, part of the GFI Software family

From: Tom Miller
Sent: Monday, July 26, 2010 9:11 AM
To: NT System Admin Issues
Subject: RE: Vipre false positives?

Working on the second one this weekend now, Jeff.
RE: Vipre false positives?
FWIW, there is a very serious zero-day .lnk exploit going around:
http://www.computerworld.com/s/article/9179339/Windows_shortcut_attack_code_goes_public

Apparently our heuristics were a little too aggressive...

Alex

From: John Aldrich
Sent: Monday, July 26, 2010 10:09 AM
To: NT System Admin Issues
Subject: RE: Vipre false positives?

I got notifications for .lnk files that are harmless. :( I'm not particularly worried about it, but I think Vipre is a little *too* cautious on .lnk files.
Re: Vipre false positives?
On 26 Jul 2010 at 10:09, John Aldrich wrote:
I got notifications for .lnk files that are harmless. :( I'm not particularly worried about it, but I think Vipre is a little *too* cautious on .lnk files.

Agree. I'll bet none of these is a real exploit.

= Included Stuff Follows =

Machine: (192.168.1.48)
Scan Date: 7/25/2010 12:56 AM
Software Version: 4.0.3275
ThreatDB Version: 6634
Policy: Default-Office
- Threat: Exploit.LNK.CVE-2010-2568 (v)
  Category: Exploit
  Severity: Severe Risk
  Action: Quarantined
  Traces Found:
  File: C:\Documents and Settings\Administrator\Desktop\NVIDIA nView Desktop Manager.lnk
  File: C:\Documents and Settings\Administrator\Desktop\Shortcut to Add or Remove Programs.lnk
  File: C:\Documents and Settings\Administrator\Desktop\System.lnk

Machine: (192.168.1.52)
Scan Date: 7/25/2010 12:00 AM
Software Version: 4.0.3275
ThreatDB Version: 6634
Policy: Default-Office
- Threat: Exploit.LNK.CVE-2010-2568 (v)
  Category: Exploit
  Severity: Severe Risk
  Action: Quarantined
  Traces Found:
  File: C:\projects\bin\Mouse.lnk

Machine: xx (192.168.1.18)
Scan Date: 7/24/2010 11:56 PM
Software Version: 4.0.3275
ThreatDB Version: 6634
Policy: Default-Office
- Threat: Exploit.LNK.CVE-2010-2568 (v)
  Category: Exploit
  Severity: Severe Risk
  Action: Quarantined
  Traces Found:
  File: C:\backups\95\c\RECYCLED\DC26.LNK
  File: C:\backups\95\c\RECYCLED\DC29.LNK

= Included Stuff Ends =

--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038
Security Blog: http://geoapps.com/
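The shortcuts Angus lists, and the zero-day Alex refers to (CVE-2010-2568: Explorer loads a DLL named inside a shortcut's target ID list while rendering its icon), can be triaged without letting the shell touch the file: read the Shell Link structure (MS-SHLLINK) yourself and report what the shortcut points at. The script below is an added example, not VIPRE code and not its heuristic. It parses the header, the LinkTargetIDList and the LinkInfo LocalBasePath, pulls any DLL/CPL path strings out of the item IDs, and flags only shortcuts that route through the Control Panel folder CLSID and name a .dll; a .cpl reference there is what an ordinary Control Panel shortcut looks like, so it is reported but not flagged. The three sample shortcuts are constructed with simplified item ID layouts (only the parser here needs to read them), and the suspicious/benign rule, build_lnk, parse_lnk, module_paths and triage_lnk are this example's own.

```python
"""Triage a .lnk flagged as Exploit.LNK.CVE-2010-2568 by parsing the Shell Link
binary format (MS-SHLLINK) directly, without letting Explorer render it.
Added example, not VIPRE's detection logic; the samples below are constructed."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID('00021401-0000-0000-C000-000000000046').bytes_le   # ShellLinkHeader.LinkCLSID
MY_COMPUTER = uuid.UUID('20D04FE0-3AEA-1069-A2D8-08002B30309D').bytes_le
CONTROL_PANEL = uuid.UUID('21EC2020-3AEA-1069-A2DD-08002B30309D').bytes_le
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x1, 0x2                         # LinkFlags bits
# Drive-letter or UNC path ending in a loadable module. This is the example's
# own triage heuristic, not a published signature.
MODULE_PATH = re.compile(r'(?:[A-Za-z]:\\|\\\\).*?\.(?:dll|cpl)\b', re.I)


def parse_lnk(data):
    """Return (LinkFlags, raw ItemIDs of the target IDList, LocalBasePath or None)."""
    if len(data) < 76 or struct.unpack_from('<I', data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError('not a Shell Link file')
    flags = struct.unpack_from('<I', data, 20)[0]
    pos, items, local_base_path = 76, [], None
    if flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size = struct.unpack_from('<H', data, pos)[0]
        end, p = pos + 2 + id_list_size, pos + 2
        while p + 2 <= end:
            item_size = struct.unpack_from('<H', data, p)[0]   # size includes the 2-byte field
            if item_size == 0:                                  # TerminalID
                break
            items.append(data[p + 2:p + item_size])
            p += item_size
        pos = end
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, _vol_off, base_off = struct.unpack_from('<IIIII', data, pos)
        if li_flags & 0x1:                                      # VolumeIDAndLocalBasePath
            start = pos + base_off
            local_base_path = data[start:data.index(b'\x00', start)].decode('latin-1')
        pos += li_size
    return flags, items, local_base_path


def module_paths(item):
    """Printable ASCII and UTF-16LE runs inside one ItemID that look like a DLL/CPL path."""
    found = set()
    for m in re.finditer(rb'[\x20-\x7e]{4,}', item):
        found.update(MODULE_PATH.findall(m.group().decode('ascii')))
    for m in re.finditer(rb'(?:[\x20-\x7e]\x00){4,}', item):
        found.update(MODULE_PATH.findall(m.group().decode('utf-16le')))
    return found


def triage_lnk(data):
    _flags, items, target = parse_lnk(data)
    via_control_panel = any(CONTROL_PANEL in item for item in items)
    paths = sorted(set().union(*(module_paths(i) for i in items)))
    dll_refs = [p for p in paths if p.lower().endswith('.dll')]
    return {
        'target': target,
        'id_list_items': len(items),
        'via_control_panel': via_control_panel,
        'module_paths': paths,
        # CVE-2010-2568 shortcuts go through the Control Panel folder and name a DLL
        # for the shell to load; a .cpl reference there is normal.
        'suspicious': via_control_panel and bool(dll_refs),
    }


def build_lnk(items, local_base_path=None):
    """Constructed-sample builder: valid header, IDList and a minimal LinkInfo."""
    flags, body = 0, b''
    if items:
        flags |= HAS_LINK_TARGET_ID_LIST
        id_list = b''.join(struct.pack('<H', len(i) + 2) + i for i in items) + b'\x00\x00'
        body += struct.pack('<H', len(id_list)) + id_list
    if local_base_path:
        flags |= HAS_LINK_INFO
        path = local_base_path.encode('ascii') + b'\x00'
        hdr = 28  # LinkInfoSize, HeaderSize, Flags, VolumeIDOffset, LocalBasePathOffset,
        #           CommonNetworkRelativeLinkOffset, CommonPathSuffixOffset
        body += struct.pack('<7I', hdr + len(path) + 1, hdr, 0x1, 0, hdr, 0, hdr + len(path))
        body += path + b'\x00'                                  # empty CommonPathSuffix
    header = struct.pack('<I', 0x4C) + LNK_CLSID + struct.pack('<I', flags) + bytes(52)
    return header + body


ROOT = b'\x1f\x50' + MY_COMPUTER   # root folder item: class type 0x1F, sort index, GUID
PLAIN_SHORTCUT = build_lnk([ROOT, b'\x32\x00notepad.exe\x00'], r'C:\Windows\System32\notepad.exe')
CPL_SHORTCUT = build_lnk([ROOT, b'\x1f\x00' + CONTROL_PANEL,
                          b'\x00\x00' + r'C:\Windows\System32\appwiz.cpl'.encode('utf-16le') + b'\x00\x00'])
EXPLOIT_SHAPED = build_lnk([ROOT, b'\x1f\x00' + CONTROL_PANEL,
                            b'\x00\x00' + r'\\fileserver\share\payload.dll'.encode('utf-16le') + b'\x00\x00'])

if __name__ == '__main__':
    for name, blob in (('plain', PLAIN_SHORTCUT), ('cpl', CPL_SHORTCUT), ('exploit-shaped', EXPLOIT_SHAPED)):
        print(name, triage_lnk(blob))
```

Run it against a quarantined copy of each flagged .lnk (the parser never resolves the link, so the file can stay where it is). For the NVIDIA, Add or Remove Programs and RECYCLED shortcuts in the list above you would expect either a plain LocalBasePath target or a Control Panel item naming a .cpl; a Control Panel item whose embedded path ends in .dll, especially on a removable drive or UNC share, is the case worth sending to support rather than restoring.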