Threat Alert triggered on computer but nothing is there

[dsb3]

Has anyone seen a threat alert but nothing is listed in the details of the log regarding the threat. The only thing i see is the threat column which says "is ok" and the information column which says "event occurred during an attempt to access the file". That is the only information that was reported. There was another machine that reported a threat but in the log it only shows what is listed below:

Information
Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.

Any help is greatly appreciated.

[toxinon12345]

Are you using ESS or EAV? Maybe is a Firewall alert

[rcash]

It is happening to a couple of my computers. Right after they updated to 5746.

- Real-time file system protection
- Event occurred during an attempt to access the file.

Just using EAV so no firewall.

It also is occurring on one of my servers and when it does it locks the server and I have to power it off/on to get it back up. Server was running just fine on 5745 and if I remove EAV server runs just fine as well.

[Marcos]

Quote:

Originally Posted by dsb3

Information
Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.

Please copy & paste here the entire line from the Threat log, not just the Information column.

[rcash]

For me that is the entire line in the thread log. The only thing that is populated is the Information column.

Entire line of the threat log for the XP SP3 computer having the issue:
Name Threat Action Information
Event occurred during an attempt to access the file.


Entire line of the thread log for the 2003 server that locks up:
Name Threat Action Information
Event occurred on a new file created by the application: C:\Program Files\Omtool\OmtoolServer\Bin\OmWfcGFArchiveU.exe.

[dsb3]

This is happening on two computers so far.

Computer #1
XP sp2

EAV 4.2.67.10 Virus Sig 5747

Listed below is the entire line that is in the log.

Name Threat Action Information
Event occurred during an attempt to access the file.


Computer #2
XP sp2

EAV 4.0.474 Virus Sig 5747

Listed below is the entire line that is in the log.

Name Threat Action Information
Event occurred on a file modified by the application: C:\Program Files\Internet Explorer\iexplore.exe.

[knockknock]

Good morning,

I just experienced the same thing in our corporate environment, with a computer running Windows XP SP3.

Same circumstances, it is currently on signature 5750 after doing an update from 5747.

[knockknock]

Oh and were running ESET 3.0.695

[rcash]

I'm continuing to get a lot of these throughout our enterprise. What's going on?

Here are just a few examples all on different computers running XP SP3

Module On-demand scanner - Threat Alert triggered on computer xxxxxxx: C:\WINDOWS\$hf_mig$\KB2079403\update\eula.txt contains.

Module On-demand scanner - Threat Alert triggered on computer xxxxxxxx: Operating memory contains is OK.

Module On-demand scanner - Threat Alert triggered on computer xxxxxxx: C:\WINDOWS\$hf_mig$\KB2443105\update\update.exe contains.

Threat Alert triggered on computer xxxxxxxx: C:\WINDOWS\$hf_mig$\KB887472\update\update.ver contains.

Threat Alert triggered on computer xxxxxxx C:\orant\ora9i\network\tools\images\Connect.gif contains.

[dsb3]

I am still having issues with this on more computers now.
Listed below are some more examples:

Computer #3
XP SP3
EAV 4.0.437 vir sig 5754
Name Threat Action Information
Event occurred during an attempt to access the file.


Computer #4
XP SP2
EAV 3.0.672 vir sig 5757
Name Threat Action Information
Event occurred on a new file created by the application: C:\Program Files\WordPerfect Office X3\Programs\wpwin13.exe.

Computer #5
XP SP3
EAV 3.0.672 vir sig 5757
Name Threat Action Information
Event occurred on a file modified by the application: C:\WINDOWS\System32\DLA\DLACTRLW.EXE.

[SmackyTheFrog]

I've had a few systems do this sporadically since last week:

Quote:

Column Name Value
Threat Id Threat 11409
Client Name System1
Computer Name System1
MAC Address
Primary Server
Date Received 2011-01-04 10:05:53
Date Occurred 2011-01-04 10:05:47
Level Normal
Scanner Real-time file system protection
Object file
Name
Threat
Action
User User1
Information Event occurred during an attempt to run the file:
Details Ready

Name Threat Action Information
Event occurred during an attempt to run the file:

Column Name Value
Client Name System1
Computer Name System1
MAC Address
Primary Server
Domain
IP
Product Name ESET NOD32 Antivirus BUSINESS EDITION
Product Version 3.0.695
Policy Name Workstations
Last Connected 2011-01-04 10:56:41
Protection Status Text
Virus Signature DB 5758 (20110104)
Last Threat Alert
Last Firewall Alert
Last Event Warning
Last Files Scanned 785974
Last Files Infected 0
Last Files Cleaned 0
Last Scan Date 2010-12-09 12:03:52
Restart Request
Restart Request Date
Product Last Started 2011-01-04 10:11:52
Product Install Date 2009-03-19 17:16:43
Roaming User
New Client
OS Name Microsoft Windows XP 5.1.2600 Service Pack 3
OS Platform Microsoft Windows
HW Platform 32-bit
Configuration Ready (2 minutes ago)
Protection Status Ready (43 minutes ago)
Protection Features Ready (2 months ago)
System Information Ready (2 hours ago)
SysInspector No Data
Custom Info
Comment

Quote:

Column Name Value
Threat Id Threat 11417
Client Name System2
Computer Name System2
MAC Address
Primary Server
Date Received 2011-01-04 10:22:41
Date Occurred 2011-01-04 10:18:21
Level Normal
Scanner Real-time file system protection
Object file
Name
Threat
Action
User User2
Information Event occurred during an attempt to run the file:
Details Ready

Name Threat Action Information
Event occurred during an attempt to run the file:

Column Name Value
Client Name System2
Computer Name System2
MAC Address
Primary Server
Domain
IP
Product Name ESET NOD32 Antivirus BUSINESS EDITION
Product Version 3.0.695
Policy Name Workstations
Last Connected 2011-01-04 10:57:44
Protection Status Text
Virus Signature DB 5758 (20110104)
Last Threat Alert
Last Firewall Alert
Last Event Warning
Last Files Scanned 1747699
Last Files Infected 0
Last Files Cleaned 0
Last Scan Date 2010-12-09 12:00:57
Restart Request
Restart Request Date
Product Last Started 2011-01-04 07:12:16
Product Install Date 2009-03-19 06:52:19
Roaming User
New Client
OS Name Microsoft Windows XP 5.1.2600 Service Pack 3
OS Platform Microsoft Windows
HW Platform 32-bit
Configuration Ready (13 minutes ago)
Protection Status Ready (3 hours ago)
Protection Features Ready (2 weeks ago)
System Information Ready (3 hours ago)
SysInspector No Data
Custom Info
Comment

Quote:

Column Name Value
Threat Id Threat 11372
Client Name System3
Computer Name System3
MAC Address
Primary Server
Date Received 2011-01-04 10:03:00
Date Occurred 2011-01-04 10:01:10
Level Normal
Scanner Real-time file system protection
Object file
Name
Threat
Action
User User3
Information Event occurred during an attempt to run the file:
Details Ready

Name Threat Action Information
Event occurred during an attempt to run the file:

Column Name Value
Client Name System3
Computer Name System3
MAC Address
Primary Server
Domain
IP
Product Name ESET NOD32 Antivirus BUSINESS EDITION
Product Version 3.0.695
Policy Name Workstations
Last Connected 2011-01-04 11:03:08
Protection Status Text
Virus Signature DB 5758 (20110104)
Last Threat Alert
Last Firewall Alert
Last Event Warning
Last Files Scanned 722053
Last Files Infected 0
Last Files Cleaned 0
Last Scan Date 2010-12-09 12:02:36
Restart Request
Restart Request Date
Product Last Started 2011-01-04 09:28:02
Product Install Date 2009-03-20 06:56:19
Roaming User
New Client
OS Name Microsoft Windows XP 5.1.2600 Service Pack 3
OS Platform Microsoft Windows
HW Platform 32-bit
Configuration Ready (31 seconds ago)
Protection Status Ready (90 minutes ago)
Protection Features Ready (2 months ago)
System Information Ready (2 hours ago)
SysInspector No Data
Custom Info
Comment

Quote:

Column Name Value
Threat Id Threat 11334
Client Name System4
Computer Name System4
MAC Address
Primary Server
Date Received 2010-12-29 13:52:00
Date Occurred 2010-12-29 13:51:33
Level Normal
Scanner Real-time file system protection
Object file
Name
Threat
Action
User User4
Information Event occurred during an attempt to run the file:
Details Ready

Name Threat Action Information
Event occurred during an attempt to run the file:

Column Name Value
Client Name System4
Computer Name System4
MAC Address
Primary Server
Domain
IP
Product Name ESET NOD32 Antivirus BUSINESS EDITION
Product Version 3.0.695
Policy Name Workstations
Last Connected 2011-01-04 11:00:50
Protection Status Text
Virus Signature DB 5758 (20110104)
Last Threat Alert
Last Firewall Alert
Last Event Warning
Last Files Scanned 882726
Last Files Infected 0
Last Files Cleaned 0
Last Scan Date 2010-12-09 12:02:05
Restart Request
Restart Request Date
Product Last Started 2011-01-04 06:55:24
Product Install Date 2009-03-19 17:57:25
Roaming User
New Client
OS Name Microsoft Windows XP 5.1.2600 Service Pack 3
OS Platform Microsoft Windows
HW Platform 32-bit
Configuration Ready (3 minutes ago)
Protection Status Ready (4 hours ago)
Protection Features Ready (5 days ago)
System Information Ready (4 hours ago)
SysInspector No Data
Custom Info
Comment

All clients are updating definitions correctly and since this has spanned over 5 days it has occurred with multiple definition sets, but always on XP SP3 32-bit and 3.0.695 though that could easily just be because it is the bulk of our userbase.

[Marcos]

Should the problem persist with the update 5759 or newer, let us know.

[dsi-ap]

Code:

Name	Threat	Action	Information
	is OK		Event occurred during an attempt to access the file.

I also have been getting these on our corporate network since the start of the year.

Will be nice to get an explanation why these where classified as threat or where the false positives from a batch up virus signatures release?

An explantion will help in answering our clients why these warning where triggered.

Thanks.

[Marcos]

Quote:

Originally Posted by dsi-ap

Will be nice to get an explanation why these where classified as threat or where the false positives from a batch up virus signatures release?

It's most likely related to this problem. Should you still be getting these alerts, let us know.

[dsi-ap]

Here's one that just happened:

Code:

19/01/2011 12:20:16 - During execution of Update on the computer somelaptop, the following warning occurred: An error occurred while downloading update files.

and machine...

Code:

Column Name	Value
Client Name	somelaptop
Computer Name	somelaptop
MAC Address	f04da2bba698
Primary Server	someserver
Domain	dsi_group.com
IP	10.x.x.x
Product Name	ESET NOD32 Antivirus BUSINESS EDITION
Product Version	4.2.64
Policy Name	Default Primary Clients Policy
Last Connected	2011-01-19 12:19:19
Protection Status Text	
Virus Signature DB	5795 (20110117)
Last Threat Alert	
Last Firewall Alert	
Last Event Warning	An error occurred while downloading update files.
Last Files Scanned	2
Last Files Infected	0
Last Files Cleaned	0
Last Scan Date	2011-01-17 14:17:42
Restart Request	
Restart Request Date	
Product Last Started	2011-01-19 08:18:51
Product Install Date	2011-01-17 11:32:51
Roaming User	
New Client	Yes
OS Name	Windows 7 Professional 6.1.7600
OS Platform	Microsoft Windows
HW Platform	32-bit
Configuration	Ready (3 hours ago)
Protection Status	Ready (4 hours ago)
Protection Features	Ready (2 days ago)
System Information	Ready (3 hours ago)
SysInspector	No Data
Custom Info	
Comment	

[Marcos]

Quote:

Originally Posted by dsi-ap

Here's one that just happened:

Code:

19/01/2011 12:20:16 - During execution of Update on the computer somelaptop, the following warning occurred: An error occurred while downloading update files.

It's a completely different problem than the one discussed in this thread. Your error means that the update download failed for some reason (probably due to a problem with connectivity or an update server).