Weird Problem with XMON


Adramalech
April 17th, 2005, 09:02 AM
Hi

XMON has detected a Virus called Win32/TrojanDownloader.Small.ZL

Time Module Object Name Virus Action User Info

4/16/2005 17:56:38 PM XMON email message from: sender to: Recipient with subject dated 04/16/2005 17:56 Attachment: Fairy_tale_4534.zip Win32/TrojanDownloader.Small.ZL trojan deleted

The more detailed log of XMON was saying:
1. Action: Deleted
2. Action: Error while cleaning – operation unavailable for this type of object – error while deleting - operation unavailable for this type of object – was part of the deleted object

So far so good, but every once in a while, AMON (probably after a signature update or something) is detecting a file with the same Virus, and it’s always in the %systemroot%\temp Folder with a NOD prefix.


4/17/2005 13:38:27 PM AMON file C:\WINDOWS\TEMP\NODA234.tmp Win32/TrojanDownloader.Small.ZL trojan NT AUTHORITY\SYSTEM
4/17/2005 7:01:11 AM AMON file C:\WINDOWS\TEMP\NODF1D0.tmp Win32/TrojanDownloader.Small.ZL trojan NT AUTHORITY\SYSTEM
4/17/2005 0:00:38 AM AMON file C:\WINDOWS\TEMP\NOD996B.tmp Win32/TrojanDownloader.Small.ZL trojan NT AUTHORITY\SYSTEM
4/16/2005 21:19:17 PM AMON file C:\WINDOWS\TEMP\NOD84.tmp Win32/TrojanDownloader.Small.ZL trojan NT AUTHORITY\SYSTEM


So it seems that NOD didn’t get rid of the Virus completely. What can I do? I also ran a manual scan and a deep scan but nothing.

Thanks
Adra
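
The AMON entries quoted above can be triaged mechanically. This added example is my own, not code from the thread or from ESET: it parses constructed lines in the same layout (the third line, its path D:\Shares\... and the user EXAMPLE\jdoe are made up) and separates hits on the scanner's own NOD*.tmp working files under TEMP, which point at a missing exclusion, from hits elsewhere that need a real look.

```python
import re

# Constructed sample lines in the same layout as the AMON entries quoted above
# (date, time, module, object type, path, threat, kind, user). Not a real log.
SAMPLE_LOG = r"""
4/17/2005 13:38:27 PM AMON file C:\WINDOWS\TEMP\NODA234.tmp Win32/TrojanDownloader.Small.ZL trojan NT AUTHORITY\SYSTEM
4/17/2005 7:01:11 AM AMON file C:\WINDOWS\TEMP\NODF1D0.tmp Win32/TrojanDownloader.Small.ZL trojan NT AUTHORITY\SYSTEM
4/16/2005 21:19:17 PM AMON file D:\Shares\Public\Fairy_tale_4534.zip Win32/TrojanDownloader.Small.ZL trojan EXAMPLE\jdoe
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<module>\w+) (?P<objtype>\w+) (?P<path>\S+) (?P<threat>\S+) "
    r"(?P<kind>\w+) (?P<user>.+)$"
)

# The mail scanner extracts attachments into %systemroot%\TEMP as NOD<hex>.tmp.
# A hit there is the on-access scanner re-scanning XMON's own working copy of
# an attachment XMON already handled, not a separate infection of the host
# (assumption drawn from the thread, where excluding TMP made them stop).
SCANNER_TEMP_RE = re.compile(r"\\TEMP\\NOD[0-9A-F]+\.tmp$", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one AMON log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Split AMON detections into scanner temp-file hits and everything else.

    Returns a dict with two lists of parsed entries: 'scanner_temp' (hits on
    NOD*.tmp under a TEMP directory) and 'review' (hits that need a real look).
    """
    result = {"scanner_temp": [], "review": []}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        bucket = "scanner_temp" if SCANNER_TEMP_RE.search(entry["path"]) else "review"
        result[bucket].append(entry)
    return result


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_LOG).items():
        print(bucket)
        for e in entries:
            print(f"  {e['date']} {e['time']} {e['path']} {e['threat']} ({e['user']})")
```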

Marcos
April 17th, 2005, 09:20 AM
With MS Exchange, it's crucial to exclude the TMP and EDB extensions from scanning, if AMON is set to scan all files.

Adramalech
April 17th, 2005, 09:39 AM
Hi Marcos

The Exchange directories have already been excluded along with some other files like MAPI32.dll.

I also made an exclusion for files that look like this:
*.edb
*.stm
*.log


...but I'm not quite sure if that works for NOD32.

So basically the solution would be to also exclude *.tmp files and not worry about the rest?

cheers
Adra

P.S.: Is it normal that NOD generates so many .tmp files in this directory? The size of that directory was up to 2GB since yesterday.

Adramalech
April 17th, 2005, 09:53 AM
BTW: AMON was set to scan all files without exclusions. I didn't notice that the function changes to "exclude" files when "scan all files" is set. So I have to exclude those files there and TMP as well, right?

Adramalech
April 18th, 2005, 06:47 AM
@marcos

Just wanted to say thanks. I had some confusion with the AMON tabs "detection" and "exclusions" since this was all done in the same tab for the previous Exchange scanner. ::) :)

But after setting the proper file extension exclusions under "detection" and excluding the Exchange directories as recommended by Microsoft, even the NOD temp files won't appear again.


Well, keep the good work going. The previous scanner missed 7 viruses in the database (including a polymorphic macro virus, but it's most probably some handwritten Excel macro of some of our "more advanced" users :P => no prob. ).


Adra