False Positive? ( Win32 Exploit MSWord Smtag )

Discussion in 'ESET NOD32 Antivirus' started by pmabee, Jun 25, 2008.

Thread Status:
Not open for further replies.
  1. drfish

    drfish Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    2
    Same here, thousands of "infections" everything has ground to a halt.
     
  2. schraudog

    schraudog Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    1
    Re: False Positive?


    FYI, we are on 2.70.32 and we are getting it as well, so I don't think it is the module but the sigs. We are on 3217 (20080625).

    Mike S
     
  3. SGalbincea

    SGalbincea Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    12
    I just spoke with an engineer at ESET. They said that they are aware of the problem and are working on an update as fast as they can. I was not given an ETA though......grrrr.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Re: False Positive?

    Hi,
    we have identified a problem in the latest update connected to a major engine enhancement we've implemented today. The aim of the enhancement is to speed up scanning of certain archives. Unfortunately, the problem did not occur during several weeks of testing, and thousands of clean files were scanned with no alert before we released it. We have temporarily withdrawn the problematic update from the update servers and a newer update with a fix is going to be distributed within about an hour.

    The files that have been incorrectly flagged can be safely restored from quarantine. If you need to use them before a newer update is released, please add them to the exclusion list.
     
  5. olavski

    olavski Registered Member

    Joined:
    Feb 20, 2007
    Posts:
    14
    Re: False Positive?

    This helped me, we were getting a ton of calls also. A quick config update is a workaround.

    I can't believe this is tested properly with so many people having the same problem.
     
  6. m00t

    m00t Registered Member

    Joined:
    May 12, 2008
    Posts:
    3
    Has this been fixed yet? I have a client who is about to kick ESET to the curb; this is the second major interruption to business due to ESET in as many months. What will be the revision numbers of the def?
     
  7. runpcrun

    runpcrun Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    3
    Just sent a mailshot to my clients - looks like there will be a 2nd sticky in this forum in as many months!
     
  8. mps_surcouf

    mps_surcouf Registered Member

    Joined:
    Mar 5, 2008
    Posts:
    33
    I just lost 140 of my clients' emails. xmon didn't have copy to quarantine ticked. I have had to disable all scanning temporarily.

    With other AV programs I never had to keep a copy.

    Losing trust in NOD32 and not happy.
     
  9. drfish

    drfish Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    2
    3218 is out and fixes the problem.
     
  10. naj13

    naj13 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    2
    Location:
    The Netherlands
    We received the update with the fix about 10 minutes ago. So, problem solved within 1 hour and 10 minutes after first report in this forum. Way to go ESET! :thumb:
     
  11. ittech

    ittech Registered Member

    Joined:
    Dec 5, 2007
    Posts:
    30
    The response was quick as it should be, however, they really should roll out updates first to a smaller group, maybe some IT people like us can 'opt-in' for the "unstable" releases for a few hours before releasing it as final for everyone.

    This would be quite easy to do, just allow us to get updates from latest1/latest2/latest3.eset.com instead of the current servers.

    For some of my clients it is not a huge risk for downtime with these kinds of issues, and for some of them it is.
     
  12. dwood

    dwood Registered Member

    Joined:
    Jan 11, 2005
    Posts:
    92
    We have to admit, at least Eset were man enough to admit they had a problem and got it fixed. :thumb:
     
  13. Manu7204

    Manu7204 Registered Member

    Joined:
    Jan 15, 2008
    Posts:
    46
    Damn annoying... I took some heavy abuse regarding this issue :/
     
  14. wrathchild

    wrathchild Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    170
    Location:
    Neoplantesis
    Just because the problem was obvious and widespread.

    One thing I must admit...they're quick in fixing problems related to signature updates. :cautious:
     
  15. Slartibartfast

    Slartibartfast Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    6
    How can I roll back my mirror server to a prior set of definitions? If someone would answer that question, I wouldn't be nearly so upset NEXT time this happens AGAIN.
     
  16. edwin3333

    edwin3333 Registered Member

    Joined:
    Aug 29, 2007
    Posts:
    244
    Would it be as simple as using VSS and restoring a previous version from

    \\server\c$\Documents and Settings\All Users\Application Data\ESET\ESET Remote Administrator\Server\mirror\

    ?

    I'm a bit scared to try this. Would clients backrev to an older version?
     
  17. ittech

    ittech Registered Member

    Joined:
    Dec 5, 2007
    Posts:
    30

    Yes, we should have a rollback feature on the mirror server, then we can use RA to tell systems to update now again and have them overwrite with older definitions. I don't think this is possible with how the client updates now, but it needs to be added.
     
  18. sasiki

    sasiki Registered Member

    Joined:
    Apr 24, 2007
    Posts:
    26
    Surprisingly, I only had one person call with the false positive. Of 100 clients, that's not too bad! I searched Google and saw this thread. I was able to update the server and push the update out to all of my clients. All is well now :)
     
  19. kass0041

    kass0041 Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    2
    This is all fixed with the 3218 update... I have confirmed this with ESET. This cannot happen again.
     
  20. Cowbite

    Cowbite Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    1
    After talking to our eset rep and asking him the same question, he said that rolling back is a very bad idea and something not to attempt.
    That changes are made to things that might not be compatible with older versions, etc. He was quite adamant about it. He said that the best course of action is waiting it out for the 'fixed' definitions and applying those in the event of another bad definitions set release.


    Not that they couldn't program in a rollback feature that takes all of that into consideration...
     
  21. subq

    subq Registered Member

    Joined:
    Dec 4, 2005
    Posts:
    4
    two things I hope come out of this

    first and foremost, ESET really needs to test things better and even then stagger the release, 2 in less than a month is extremely bad for mission critical companies (I am talking about the Enterprise version)

    secondly, in the next version they need to give us a central quarantine (all other enterprise AV has it)
     
  22. Bakker

    Bakker Registered Member

    Joined:
    May 28, 2008
    Posts:
    90
    Thanks kass,

    Judging from the buttload of emails I got from the RA server, I have a lot of work to do tomorrow.

    I've been thinking of only doing updates every 12 hours to avoid stuff like this.
     
  23. macroahrd1000

    macroahrd1000 Registered Member

    Joined:
    Jun 23, 2008
    Posts:
    1
    Glad I "google"....

    Only affected 2 of my users, I was able to restore their files without incident.

    Now...

    back to my nap.....
     
  24. jftuga

    jftuga Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    64
    Location:
    Athens, GA
    We got nailed by this. We had hundreds of .doc files on our file server get "infected" and then quarantined. This was seen on about 5 XP systems, too. We are now pushing out the 3218 definition to all of our end user computers and our servers before releasing these files.

    What other steps are you all taking to get this resolved?

    -John
     
  25. jerick70

    jerick70 Registered Member

    Joined:
    Feb 28, 2008
    Posts:
    53
    The new signatures fixed this issue for me too. We were hit relatively lightly, so it was not too big of a deal.

    I just rolled out a new install of NOD32 on my network this week, and I have to say that this sort of thing is really unprofessional and will steer many away from your product. Needless to say I am happy with my decision to go with NOD32, but there needs to be a fix for this sort of thing.

    As a customer I would like to echo the request of others in this thread for ways around this sort of thing instead of having to wait for a signature update or roll out a template that shuts down antivirus capabilities. A way to roll back from any update would be a good option. Also, you could approach it from an Approval Process model, like patch software follows, instead of an all or nothing approach. In an ideal world this sort of thing would never happen, but this is not an ideal world.

    Jeff
     