PrevX killing the Crashplan Installer

Discussion in 'Prevx Releases' started by tacfit, Dec 28, 2010.

Thread Status:
Not open for further replies.
  1. tacfit

    tacfit Registered Member

    Joined:
    Sep 2, 2009
    Posts:
    25
    We use the Crashplan backup software (which is fantastic, I might add) and PrevX Enterprise is killing the installer. We have customised the installer from Crashplan to apply our own settings, and as a result the installer auto-extracts some files into a temp directory. These files are named randomly and automatically, and PrevX is killing them when the installer runs.

    I've contacted support, but thought I'd post here as well in case anyone else has had issues between these 2 products. With the 3.0.5.219 version it's blocking the installer completing, and I don't even get an alert or scan history in the PrevX console. So... I can't even override it.
     
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Sorry that you're having problems installing Crashplan backup software. It's a good thing you contacted Prevx support as most times they deal with Prevx Enterprise customers! Maybe PrevxHelp will be around to give his comments here!

    Regards,

    TH
     
  3. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you please send me a link to the download for the specific version of Crashplan that you're using so that I can try to find the correct file here and could you check to see if there are any log files in the C:\Documents and Settings\All Users\Application Data\PrevxCSI folder (under XP, or C:\ProgramData\PrevxCSI under Vista/7)? These should shed some light on what files are being blocked.

    Thank you! :)
     
  4. tacfit

    tacfit Registered Member

    I looked at those logs and they are as follows:

    [28/12/2010 17:51] The file [C:\Windows\Installer\MSICDE.tmp] has been removed and contained a threat of type [Generic.Malware] - Identity: AB8927BD002B5CB5C2430070BE60050044F7D2E1
    [28/12/2010 17:52] The file [C:\Users\jpuddle\AppData\Local\Temp\MSI4172.tmp] has been removed and contained a threat of type [Generic.Malware] - Identity: AB8927BD002B5CB5C2430070BE60050044F7D2E1
    [28/12/2010 17:53] The file [C:\Users\jpuddle\AppData\Local\Temp\MSIEC41.tmp] has been removed and contained a threat of type [Generic.Malware] - Identity: AB8927BD002B5CB5C2430070BE60050044F7D2E1
    [28/12/2010 18:01] The file [C:\Windows\Installer\MSI5C86.tmp] has been removed and contained a threat of type [Generic.Malware] - Identity: AB8927BD002B5CB5C2430070BE60050044F7D2E1
     
  5. tacfit

    tacfit Registered Member

    [28/12/2010 17:26] The file [C:\Windows\Installer\MSIFC98.tmp] has been automatically blocked because it contains a threat of type [Generic.Malware] - Identity: AB8927BD002B5CB5C2430070BE60050044F7D2E1
     
  6. tacfit

    tacfit Registered Member

    Running the installer on a different machine throws the same error with a different ID: F15F56FE27F176EDC010C43ECC12B701DB959939
     
  7. tacfit

    tacfit Registered Member

    [29/12/2010 20:40] The file [\\tacf.org\tacf\IT\Software\Server Software\CrashPlan PRO\install custom\CrashPlanPRO_ctf_x64_2010-12-14.exe] has been removed and contained a threat of type [Generic.Malware] - Identity: F15F56FE27F176EDC010C43ECC12B701DB959939
    [29/12/2010 20:48] The file [\\tacf.org\tacf\IT\Software\Server Software\CrashPlan PRO\install custom\CrashPlanPRO_ctf_x86_2010-12-14.exe] has been removed and contained a threat of type [Generic.Malware] - Identity: F15F56FE04F176ED6410E23ECC12B70158EA5805
    [29/12/2010 20:49] The file [C:\Windows\Installer\MSI3E9E.tmp] has been removed and contained a threat of type [Generic.Malware] - Identity: F15F56FE04F176ED6410E23ECC12B70158EA5805
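
An added example, not part of the original thread and not Prevx tooling: Python that parses detection entries in the format pasted above, re-joins entries that were wrapped across lines, and groups the affected paths by Identity, which shows one Identity recurring under differently named MSI temp files. The function names and the MSI temp-name pattern are assumptions; the sample entries are copied from the posts above.

```python
import re
from collections import defaultdict

# Entries copied from the posts above; the first is left wrapped as it was pasted.
SAMPLE_LOG = r"""
[28/12/2010 17:51] The file [C:\Windows\Installer\MSICDE.tmp] has been removed and contained a threat of type

[Generic.Malware] - Identity: AB8927BD002B5CB5C2430070BE60050044F7D2E1
[28/12/2010 17:52] The file [C:\Users\jpuddle\AppData\Local\Temp\MSI4172.tmp] has been removed and contained a threat of type [Generic.Malware] - Identity: AB8927BD002B5CB5C2430070BE60050044F7D2E1
[28/12/2010 17:26] The file [C:\Windows\Installer\MSIFC98.tmp] has been automatically blocked because it contains a threat of type [Generic.Malware] - Identity: AB8927BD002B5CB5C2430070BE60050044F7D2E1
[29/12/2010 20:49] The file [C:\Windows\Installer\MSI3E9E.tmp] has been removed and contained a threat of type [Generic.Malware] - Identity: F15F56FE04F176ED6410E23ECC12B70158EA5805
"""

RECORD_START = re.compile(r"^\[\d{2}/\d{2}/\d{4} \d{2}:\d{2}\]")
ENTRY_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] The file \[(?P<path>.+?)\] has been "
    r"(?P<action>removed and contained|automatically blocked because it contains) "
    r"a threat of type \[(?P<threat>[^\]]+)\] - Identity: (?P<identity>[0-9A-F]+)$"
)
# Assumed pattern for the randomly named Windows Installer temp files seen in the log.
MSI_TEMP = re.compile(r"\\MSI[0-9A-F]+\.tmp$", re.IGNORECASE)

def parse_log(text):
    """Return one dict per detection entry, re-joining entries wrapped over lines."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if RECORD_START.match(line):
            records.append(line)          # a timestamp starts a new entry
        elif records:
            records[-1] += " " + line     # continuation of a wrapped entry
    matches = (ENTRY_RE.match(rec) for rec in records)
    return [m.groupdict() for m in matches if m]

def summarize(entries):
    """Group paths by Identity and count how many are MSI temp names."""
    by_id = defaultdict(set)
    for entry in entries:
        by_id[entry["identity"]].add(entry["path"])
    return {
        ident: {"paths": sorted(paths),
                "msi_temp": sum(1 for p in paths if MSI_TEMP.search(p))}
        for ident, paths in by_id.items()
    }

if __name__ == "__main__":
    for ident, info in summarize(parse_log(SAMPLE_LOG)).items():
        print(ident, f"{info['msi_temp']}/{len(info['paths'])} MSI temp files", info["paths"])
```
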
     
  8. tacfit

    tacfit Registered Member

    Since when does PrevX delete files without me approving it? Where are these files stored?
     
  9. tacfit

    tacfit Registered Member

    I'm not going to put that download link up here in public, so I'm trying to add it to a new ticket. However, when I click submit on the ticket it takes me to this page: http://www.prevx.com/default.asp?sec=interest6a

    This is only since today. Has someone botched something on your site?
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    These files may be automatically removed depending on the configuration policies you have set in the Enterprise console.

    However, I've now modified how our database responds to those files so you should be able to install it properly without disabling Prevx.

    Let me know if you need anything else or if you have any further questions!
     
  11. tacfit

    tacfit Registered Member

    Thanks, works fine now.

    Much appreciated!
     
  12. Triple Helix

    Triple Helix Webroot Product Advisor

    Great to hear! If you have any other problems feel free to post again! ;)

    TH
     
    Last edited: Jan 6, 2011
  13. tacfit

    tacfit Registered Member

    I've got the same problem now with another wrapper we're using for the CrashPlan installer. I've added all the files to the exclude list in the Enterprise Console, and I've added all the PX5s that are being blocked. I've dropped the signature cache on the client, and retried... and it's still blocked. Why oh why is excluding applications SO DAMN HARD in this software?
     
  14. Triple Helix

    Triple Helix Webroot Product Advisor

    Can you please send a Prevx scan log to Prevx as stated in this post: https://www.wilderssecurity.com/showpost.php?p=1662381&postcount=1 and PrevxHelp will be able to help you further!

    Regards,

    TH
     
  15. tacfit

    tacfit Registered Member

    Thanks, I have replied to a PM sent to me from PrevX.
     
  16. Triple Helix

    Triple Helix Webroot Product Advisor

    Hope they are getting you sorted! ;)

    TH
     