False Positive, can't override

Discussion in 'Prevx Releases' started by jimwillsher, Jan 21, 2011.

Thread Status:
Not open for further replies.
  1. jimwillsher

    jimwillsher Registered Member

    Hi,

    I know this is an Enterprise question but I can't recall if I should raise Enterprise issues here or not :doubt:

    We're getting daily notifications about this file: C:\windows\temp\spnserv.dat. The PX5 is this: 70a0d1fc00b8306f048e005450fc4a00a69e83d5

    I've added an override entry in the Prevx Console on our server and the "determination" (o_O) shows as "G". Yet the daily "you are infected" reports keep highlighting this file.

    Incidentally the file concerned is only about 1Kb and when I open it in a hex editor it contains nothing but 00 00 00 00 00 00 00 00 .......

    Please can someone advise:

    1) Why the override isn't working
    2) Why a file containing all 00 00 00 is triggered


    Many thanks!



    Jim
     
  2. Geri

    Geri Registered Member

  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    The file you're seeing is definitely an executable; it may have been deleted or changed before, but I've fixed the determination now, so if you run another scan, it should now come up clean :)
     