Dell Data Protection removed by EAV v5

Discussion in 'ESET Endpoint Products' started by dsi-ap, Feb 21, 2013.

Thread Status:
Not open for further replies.
  1. dsi-ap

    dsi-ap Registered Member

    Joined:
    Jul 4, 2005
    Posts:
    118
    Location:
    UK
    Had several reports from users' machines when booting up that the Dell Data Protection Utility needs re-installing.

    As you can see from the screenshot & log, the effects of the weekly scan that took place last night here, affecting several dozen machines.

    Code:
    Log
    Version of virus signature database: 8030 (20130220)
    Date: 2/20/2013  Time: 7:30:31 PM
    Scanned disks, folders and files: Operating memory;C:\Boot sector;C:\
    C:\hiberfil.sys - error opening [4]
    C:\pagefile.sys - error opening [4]
    C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\pbsignon.img.cab » CAB » 4.0.5.8\VBR.BIN - probably unknown TSR.BOOT virus [7] - was a part of the deleted object
    C:\Program Files\Dell\Dell Data Protection\Access\Installer\Trusted Drive Manager\Trusted Drive Manager.msi » MSI » Data1.cab » CAB » pbsignon.img.cab » CAB » 4.0.5.8\VBR.BIN - probably unknown TSR.BOOT virus [7] - was a part of the deleted object
    C:\System Volume Information\{03fc01fb-79a5-11e2-886f-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{03fc0434-79a5-11e2-886f-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{4361db05-6532-11e2-9b11-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{7bae56f0-589e-11e2-8580-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{7bae58ee-589e-11e2-8580-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{8b8de6ee-5e26-11e2-8546-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{8f823215-4ff5-11e2-9962-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d9f0e750-6ab4-11e2-8157-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d9f0e754-6ab4-11e2-8157-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d9f0e760-6ab4-11e2-8157-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d9f0e764-6ab4-11e2-8157-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d9f0e76e-6ab4-11e2-8157-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{d9f0f339-6ab4-11e2-8157-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\System Volume Information\{f10c4866-5581-11e2-a34d-c0f8dae848aa}{3808876b-c176-4e48-b7ae-04046e6cc752} - error opening [4]
    C:\Windows\Installer\10965.msi » MSI » Data1.cab » CAB » pbsignon.img.cab » CAB » 4.0.5.8\VBR.BIN - probably unknown TSR.BOOT virus [7] - was a part of the deleted object
    Number of threats found: 3
    Number of cleaned objects: 3
    Time of completion: 7:37:42 PM  Total scanning time: 431 sec (00:07:11)
    
    Notes:
    [4] Object cannot be opened. It may be in use by another application or operating system.
    [7] Object is probably infected with an unknown virus.
    
     


  2. acomtois

    acomtois Registered Member

    Joined:
    Feb 21, 2013
    Posts:
    2
    Location:
    USA
    Re: Dell Data Protection removed by EAV v5

    This same thing has happened to me on 18 computers.

    The files removed were:
    C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\pbsignon.img.cab » CAB » 4.1.1.312\VBR.BIN - probably unknown TSR.BOOT virus [7]
    C:\Program Files\Dell\Dell Data Protection\Access\Installer\Trusted Drive Manager\Trusted Drive Manager.msi » MSI » Data1.cab » CAB » pbsignon.img.cab » CAB » 4.1.1.312\VBR.BIN - probably unknown TSR.BOOT virus [7]
    C:\Windows\Installer\ebc3.msi » MSI » Data1.cab » CAB » pbsignon.img.cab » CAB » 4.1.1.312\VBR.BIN - probably unknown TSR.BOOT virus [7]

    Argh.
     
  3. dsi-ap

    dsi-ap Registered Member

    Joined:
    Jul 4, 2005
    Posts:
    118
    Location:
    UK
    Re: Dell Data Protection removed by EAV v5

    I will now have to escalate this to ESET via email as this has now affected many machines in a network of 1000's - not good!
     
  4. acomtois

    acomtois Registered Member

    Joined:
    Feb 21, 2013
    Posts:
    2
    Location:
    USA
    Re: Dell Data Protection removed by EAV v5

    Please update with their resolution. I am betting money on "Sorry. We fixed our faulty virus signature."
     
  5. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis
    Same problem here. Getting a lot of calls from users, very annoying.

    Update, received a PM from Marcos. I'm restoring files remotely from the ERAC on affected machines. I reported another false positive detected overnight as well.
     


    Last edited: Feb 21, 2013
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It was VBR.BIN with the size of 512 bytes that apparently started to be detected after the size limit for this detection was adjusted. The FP was fixed in update 8034 released earlier today. If more clients were affected, it's possible to restore the affected files from quarantine by means of ESET Remote Administrator.
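
For triaging an event like the one in this thread, the scan log format posted above can be parsed to list which on-disk files were acted on and which nested object triggered each hit. This is an added example, not part of the thread and not ESET code; the function names are hypothetical, and the sample lines are copied from the log in the first post.

```python
import re
from collections import defaultdict

# Lines copied from the scan log in the first post of this thread.
SAMPLE_LOG = r"""
C:\hiberfil.sys - error opening [4]
C:\Program Files\Dell\Dell Data Protection\Access\Advanced\Wave\Trusted Drive Manager\pbsignon.img.cab » CAB » 4.0.5.8\VBR.BIN - probably unknown TSR.BOOT virus [7] - was a part of the deleted object
C:\Program Files\Dell\Dell Data Protection\Access\Installer\Trusted Drive Manager\Trusted Drive Manager.msi » MSI » Data1.cab » CAB » pbsignon.img.cab » CAB » 4.0.5.8\VBR.BIN - probably unknown TSR.BOOT virus [7] - was a part of the deleted object
C:\Windows\Installer\10965.msi » MSI » Data1.cab » CAB » pbsignon.img.cab » CAB » 4.0.5.8\VBR.BIN - probably unknown TSR.BOOT virus [7] - was a part of the deleted object
Number of threats found: 3
"""

# Assumed line shape: <object chain> - <result> [note] [- <action>]
LINE = re.compile(
    r"^(?P<obj>.+?) - (?P<result>.+?) \[(?P<note>\d+)\](?: - (?P<action>.+))?$"
)
OPEN_ERROR_NOTE = "4"  # per the log's Notes section: object cannot be opened


def parse_detections(log_text):
    """Return one record per detection line, skipping 'error opening' entries."""
    records = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["note"] == OPEN_ERROR_NOTE:
            continue
        # " » " separates nesting levels: file » TYPE » member » TYPE » member
        chain = m["obj"].split(" » ")
        records.append({
            "on_disk": chain[0],             # top-level file on the disk
            "nested": chain[-1],             # innermost object that matched
            "depth": (len(chain) - 1) // 2,  # archive layers unpacked
            "detection": m["result"],
            "action": m["action"],           # None when no action is logged
        })
    return records


def group_by_nested_name(records):
    """Map nested file name -> on-disk files that contained it."""
    groups = defaultdict(list)
    for r in records:
        name = r["nested"].rsplit("\\", 1)[-1]
        groups[name].append(r["on_disk"])
    return dict(groups)
```

Run across logs collected from many clients, a single nested name accounting for every hit gives the list of on-disk files to restore from quarantine.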
     
  7. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis
    That Dell diagnostic utility executable I showed in my previous post is still being detected as a tsr boot virus. Signature database 8039. I will submit the file to Eset.
     
  8. dsi-ap

    dsi-ap Registered Member

    Joined:
    Jul 4, 2005
    Posts:
    118
    Location:
    UK
    I have now tried several times to upload the samples either via the web samples webpage or the FTP site and had no joy whatsoever, even trying from multiple locations.
    As per previous posters, still an issue, and having to do restores, either system or ESET quarantine restore, just doesn't cut it anymore when I am dealing with hundreds of users.
     
  9. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,031
    Location:
    California
    Hello,

    Just to follow up, is anyone still experiencing an issue with this?

    Regards,

    Aryeh Goretsky
     
  10. Mister Natural

    Mister Natural Registered Member

    Joined:
    May 10, 2007
    Posts:
    225
    Location:
    3rd density St. Louis
    No problems to be reported from me.
     