False Positive? ( Win32 Exploit MSWord Smtag )

Discussion in 'ESET NOD32 Antivirus' started by pmabee, Jun 25, 2008.

Thread Status:
Not open for further replies.
  1. smargison

    smargison Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    2
    Well, I'm not affiliated with Eset or anyone else in the AV market, but I think I need to make this point. Yes, Eset screwed up -- what software company doesn't? But, what I feel is most important are two things: they admitted their error and fixed it within 2 hours. Now, will someone please make a list of the other companies out there about which you could say the same thing? Yeah, I can't think of any either. Mistakes heppen, they always will. And it will get far worse as Windows gets more (unnecessarily) complicated. The true test is how the vendor steps up to the issue and deals with it. After over a decade with Symantec Enterprise A-V we switched our 200+ computers to ESet Enterprise a few weeks ago (the rollout is still continuing as we have sites all over the state). Even with this flub my faith in Eset is not shaken and, judging by the last Symantec release (their "Endpoint Protection") I am still very happy with the decision to switch. And yes, the 3217 problem hit us too, but fortunately didn't do any damage that I could not repair in about 10 minutes. I do agree, though, that there should be some manner of temporary "fix" that the IT admins can do to stop a wayward update from klobbering files. I suspect that suggestion has already been made to Eset today!!!
     
  2. Dave_VBSO

    Dave_VBSO Registered Member

    Joined:
    Jun 25, 2008
    Posts:
    4
    Problem is resolved by update 3218.
    It took a little time for Tech support to answer but that's understandable given the number of calls they were fielding from all of us.
    We had every user opneing a doc file calling us.
    The whole event last about 45-50 mins from getting the 3217 update that caused the false postive to getting the 3218 update that resolved it.
     
  3. manney

    manney Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    32

    Bakker, as much as this sounded like a good idea at first glance, can you imagine being stuck with a dodgy virus update for 12 hourso_O :'( If it was fixed and released with in a couple of hours at least the damage would be limited
     
  4. Bakker

    Bakker Registered Member

    Joined:
    May 28, 2008
    Posts:
    90
    True but limiting it to once every 12 hours would leave me with enough time to jude wether an update got messed up and then prevent it from updating. As long as you set the update timer to 12 hours on the server (not client) side. It should be safe enough since you can trigger a manual update on the server. Clients update every half hour anyway.
     
  5. andrator

    andrator Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    54
    Location:
    Mar a lago
    I received notifications about infected word documents. We're still using version 2.x

    After closer inspection many were attachments from older messages. Probably trigerred by a rescan after the signature update.

    I'm now investigating how many attachments from the quarantaine were lost during the 2 hours this signature was active while skipping old attachments from the rescan.

    The logs shows the following:
    6/25/2008 18:19:36 PM - XMON - Antivirus Monitor for MS Exchange Server Threat Alert triggered on XXXXX: from: XXXXXto: XXXXX with subject XXXXX dated 02/18/2008 16:20 Attachment: XXXXX.doc is infected with a variant of Win32/Exploit.MSWord.Smtag trojan.

    The problem I encounter is that the log entry is truncated when there are multiple recipients:
    6/25/2008 17:44:58 PM - XMON - Antivirus Monitor for MS Exchange Server Threat Alert triggered on XXXXX: from: XXXXX to: <multiple recipients> is infected with a variant of Win32/Exploit.MSWord.Smtag trojan.

    As you can see the subject, date and attachment name is missing from the logs. I can recover the attachment by matching time/date from the log with time/date from the quarantine, but I'm still looking for an alternative method to retrieve the date message has been sent.

    To complicate matters store.exe is now running on high utilization. Solved it by terminating store.exe, disabling XMON and restarting Information Store. Following suggestions from https://www.wilderssecurity.com/showthread.php?t=162557 I will disable Background scanning and enable XMON after office hours. No need to disrupt business more than this already has.
     
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I've been a network consultant for a loooong time...yes other AV vendors have made mistakes..and had bum updates go out....and they've fixed them quickly. But I have to say....(and I've been a reseller for many other AV brands)...I've not seen the high rate of bum updates as I have lately with NOD. And I can't recall bum updates as drastic or close together as yesterdays...shortly after the one not long ago with PDFs. This one here is quite a bit worse IMO than that flurry of Exchange Server store crashes NOD would have "several times a year" til their last XMON upgrade which changed how it handled Exchange.

    Since Eset has built their sales model heavily on "reseller/partners"...which are network consultants...we try to push NOD. When we push NOD on our clients....and the product fails our clients...we consultants are expected to fix glitches like this...."non billable time". Yesterday I was scheduled to work on a summer day camp network on an island...and had a full day of network related work to do before the ferry took me back to mainland..billable work. My cell phone was ringing like crazy with other clients with this above FP issue. As a "Gold Partner"...that's a LOT of clients. This "volunteer free time" I spent on the cell phone with this issue...was interrupting my billable work. Not good!

    Since it appears flakey def updates will become the norm...time for some work on a "Centralized Quarantine"...which I felt was never needed by NOD32 before because FPs were not common earlier on.
     
  7. Kanosha

    Kanosha Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    2
    I am starting to think I have made a mistake in spending my money on another 2 year's license with this product.

    I want to move to version 3 to actually get my money's worth but still there are just too many problems with this version and with things like this cropping up.... :(
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    Please explain in more details as to what problems you have experienced with the version 3.0.667. If there's actually a problem, we'll do our best to fix it as soon as possible.
     
  9. andrator

    andrator Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    54
    Location:
    Mar a lago
    All software sucks, some suck more than others.

    You can find enough examples in the press from other AV products wreaking havoc.

    In my opinion NOD32 still sucks less than others ;)
     
  10. BOSupUser

    BOSupUser Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    2
    Hi, we have also had problems since the 3217 signature yesterday. This appeared to be resolved with the new signature 3218 but since then we have had the issue as per andrator's post above with Xmon on the Exchange server. Basically this now eats up the CPU and memory for store.exe until eventually exchange cannot cope and after an hour or two it packs in. We have did narrow it down to just disabling background scanning and this has solved the problem for now, but how safe an option is this?? I cant imagine it is ideal to leave it this way. For the record, store.exe is using 00 cpu and around 100,000kb of memeory now.

    The server was all fine until the signature problems yesterday. We are already on sig 3222 and no improvement with each one - we have rebooted every time too.

    Also not impressed with Eset support desk either - they were very unhelpful when I called them this afternoon. They said they would return my call also but nothing so far :(

    Any help would be much appreciated.

    Thanks in advance.
     
  11. BOSupUser

    BOSupUser Registered Member

    Joined:
    Jun 26, 2008
    Posts:
    2
    Further to my previous message for anyone who is interested - Eset support called back and let me know that there is an issue with XMON causing high CPU usage. This happened with the 3217 sig update.

    They are aware of it and they are trying to replicate it. The signature update 3217 also detected old viruses which were false positives - this was then fixed an hour later with 3218 but the XMON scanning engine problem remains. The official workaround is to untick background scanning under XMON which we have already done. There is also no real risk to unticking this option - proactive scanning is still enabled and will scan all new emails. The only differnence is background scanning will scan all emails everytime they are opened for any user whether they have been previously scanned or not.
     
  12. andrator

    andrator Registered Member

    Joined:
    Feb 10, 2006
    Posts:
    54
    Location:
    Mar a lago
    Thanks for the update.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.