NOD32 Client resending threats to ERA Console

Discussion in 'ESET NOD32 Antivirus' started by rockshox, Dec 2, 2009.

Thread Status:
Not open for further replies.
  1. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    Recently we have had several clients resending threat alerts back to the ERA console. The clients are running NOD32 v4.0.437. ERA will show a new threat has been detected, but when I go to check on it, the Date Received will show the threat was recently received, but the Date Occurred will be several months old and a duplicate of a threat that was already taken care of. Has anyone seen this before?

    Here is a screen shot of an instance of this happening from yesterday.

    ERA_01.jpg
     
  2. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    I've seen this behavior occasionally since v3, and support's response was to upgrade to v4, the newest version of RAS, as well as start with a fresh RAS database. I wasn't going to do that for a minor issue, so I've just dealt with it. You might as well report it to them so they know there is more than one person dealing with this; tell them to reference unresolved case #315420 for more background info and the troubleshooting steps they tried before.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Just to make sure, is the client name exactly the same for both records?
     
  4. SmackyTheFrog

    SmackyTheFrog Registered Member

    Joined:
    Nov 5, 2007
    Posts:
    767
    Location:
    Lansing, Michigan
    On the clients I've seen this happen on, nothing has changed. Same IP, same hostname, same MAC address. I've also seen some other database oddities like client install dates being an impossible date in the future that makes me suspect there is something bad going on inside the database causing this erratic behavior with timestamps and duplicate threats being logged.
     


  5. rockshox

    rockshox Registered Member

    Joined:
    Oct 23, 2009
    Posts:
    261
    Yes, the Client Name and MAC address are identical for both records. There have been no changes (other than standard Windows updates) done on this computer recently. I checked the Event Viewer around the time the Threat Event was resent and it didn't show anything happening on the computer at that time.

    We also are using a SQL backend for the database if that makes any difference.

     