Update 3918 False Positive Win32/Kriptik.JX trojan

Discussion in 'ESET NOD32 Antivirus' started by rdfye, Mar 9, 2009.

Thread Status:
Not open for further replies.
  1. rdfye

    rdfye Registered Member

    Joined:
    Apr 17, 2008
    Posts:
    8
    Location:
    Valencia, CA
    We're getting msdtc.exe and winlogon.exe being deleted and quarantined on ALL of our systems after the 3918 update. This is a HUGE problem and obviously a false positive. WTF!! ESET.... come on.. We're going to walk into a debacle on Monday morning with all these files being deleted and/or quarantined.
     
  2. cboehnke

    cboehnke Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    1
    Roger. Also in dllhost.exe.

    I take the sudden increase people viewing this forum as a sign that we're not alone.
     
  3. BigIron

    BigIron Registered Member

    Joined:
    Jun 11, 2006
    Posts:
    6
    Hello,

    Yes! We are seeing the same issue... We are seeing this as a major outbreak (false alert?)... Likely due to updates, as you have outlined...

    :blink:

    S.
     
  4. remza_23

    remza_23 Registered Member

    Joined:
    Jul 13, 2008
    Posts:
    3
    Any updates on this issue? What will be the cause if this issue is not resolved?
     
  5. Rua

    Rua Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    1
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hello,
    a problem was found in the recent update of the advanced heuristics module which, in combination with the generic signature for Win32/Kryptik.JX, caused certain system files to be flagged as infected. The problematic update was withdrawn from the update servers within 10 minutes after the release. Those who have come across this false positive can restore the original files from quarantine. A fix has already been issued - you can verify this by right-clicking the program tray icon and selecting About. The version of the Advanced heuristics module containing the fix is 1092 for v3/v4 users and 1091 for v2 users.

    Update: a newer update is being released which will restore false positives from quarantine to their original locations without user intervention. V2 users will either need to restore the affected files from quarantine manually or wait for a tool that can be used in a network environment.
     
    Last edited: Mar 9, 2009
  7. remza_23

    remza_23 Registered Member

    Joined:
    Jul 13, 2008
    Posts:
    3
    Hi,

    What do we need to do now? Is there a new update that will be released? When will this be released?
    In a corporate environment 100+ PCs will be affected by this, so do we need to go to each PC to click the quarantine and restore it, or is there any simple way?
     
  8. CEllsworth

    CEllsworth Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    7
    Marcos. Is it possible to push this kind of fix out across the network? We are on a domain, and also use the NOD32 Administrator Console.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The updated advanced heuristics module is distributed the way virus signature databases are so all clients should receive it automatically.
     
  10. rdfye

    rdfye Registered Member

    Joined:
    Apr 17, 2008
    Posts:
    8
    Location:
    Valencia, CA
    Marcos,

    Going to every PC in the Enterprise and restoring the affected files is less than an optimal solution. Is there any way to effect the changes via the Remote Admin Console? Or is there another solution?

    Any help on this would be greatly appreciated. It's going to be a very tense Monday morning.

    Roger
     
  11. CEllsworth

    CEllsworth Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    7

    Is it possible to RESTORE THE ORIGINAL FILES FROM QUARANTINE in a batch method?

    We have 250 workstations across more than a dozen sites which have picked up the False Positive. Walking around to 'fix' this is not an option.

    The ESET NOD32 AV (ecls) command line parameters do not appear to have a function to restore from quarantine. Is there another option?

    Again. We're in a domain environment, and utilize the NOD 32 Administration Console. Is there any possible way to restore these files from Quarantine across the environment?
     
  12. artsky

    artsky Registered Member

    Joined:
    Jan 9, 2008
    Posts:
    35
    Shall the updated modules also automatically restore those deleted files as well? What happens if those computers reboot afterwards while those system files are still quarantined?
     
  13. Banger696

    Banger696 Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    274
    I got caught by this: dllhost.exe and msdtc.exe were quarantined, then Dllhost.exe and msdtc.exe.new, so it behaved like a virus, but it could have been Windows File Protection kicking in?
     
  14. storm0

    storm0 Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    2
    Eset, you must do something about it! Please release an update to restore the files. I have many clients in different locations and this is a real problem for me! I have restored the files manually in one location but this is a real mess.
     
  15. artsky

    artsky Registered Member

    Joined:
    Jan 9, 2008
    Posts:
    35
    Our support staff is reporting that those quarantined system files can no longer be found in either the system32 or the quarantine folder.

    Where could they be? How do we restore those files?
     
  16. duijv023

    duijv023 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    230
    Location:
    Rijnsburg, Netherlands
    Unfortunately, it does not work yet?

    I saw the alert on a customer's server this morning; I did not trust the alert and checked it out here.
    Happy to see this being communicated so quickly.
    You wrote that adv. heuristics needs to update to 1092 (20090309) by regular update.
    I did a manual update, but after updating (9.15 UTC+1) the server modules are still at:

    NOD32 antivirus system information
    Virus signature database version: 3918 (20090309)
    Dated: maandag 9 maart 2009
    Virus signature database build: 15296

    Information on other scanner support parts
    Advanced heuristics module version: 1091 (20090309)
    Advanced heuristics module build: 1200
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1082 (20090213)
    Archive support module build version: 1224

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Administrative tools
    Version: 2.71.9
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
    Version: 2.71.9
    NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
    Version: 2.71.9
    NOD32 for Windows NT/2000/XP/2003/Vista/x64 - XMON
    Version: 2.71.9

    Operating system information
    Platform: Microsoft Windows Server 2003
    Version: 5.2.3790 Service Pack 2
    Version of common control components: 5.82.3790
    RAM: 2047 MB
    Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz (2593 MHz)


    What else can I do to handle this issue best?

    Greetings from Holland

    UPDATE 9.35 UTC+1:

    Did a new update:
    defs now on 3919, but adv. heuristics still on 1091:

    NOD32 antivirus system information
    Virus signature database version: 3919 (20090309)
    Dated: maandag 9 maart 2009
    Virus signature database build: 15299

    Information on other scanner support parts
    Advanced heuristics module version: 1091 (20090309)
    Advanced heuristics module build: 1200
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1082 (20090213)
    Archive support module build version: 1224

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Administrative tools
    Version: 2.71.9
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
    Version: 2.71.9
    NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
    Version: 2.71.9
    NOD32 for Windows NT/2000/XP/2003/Vista/x64 - XMON
    Version: 2.71.9

    Operating system information
    Platform: Microsoft Windows Server 2003
    Version: 5.2.3790 Service Pack 2
    Version of common control components: 5.82.3790
    RAM: 2047 MB
    Processor: Intel(R) Pentium(R) 4 CPU 2.60GHz (2593 MHz)
     
    Last edited: Mar 9, 2009
  17. CEllsworth

    CEllsworth Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    7
    Is there any better way besides going computer to computer to reverse this catastrophe?
     
  18. Banger696

    Banger696 Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    274
    My modules updated to 1092 and just now sig has been updated to 3919. All fixed and files restored. There are also dllhost.exe and msdtc.exe in dllcache on XP so Windows should automatically restore these files.
     
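    Several posters above ask how to find out, across a large estate, which machines are actually missing the files named in this thread (msdtc.exe, dllhost.exe, winlogon.exe) and whether the dllcache copy that Banger696 mentions is available to put them back. The script below is an added example for that triage, not a tool from ESET or from any poster: it walks a list of hosts over the C$ admin share, reports the state of each file in System32 and in dllcache, and only then offers a restore step. The hostnames are constructed placeholders, the Windows directory is assumed to be C:\WINDOWS, and the script assumes you have administrative rights on the targets.

    ```powershell
    # Added example (not from ESET or the thread): fleet check for the system files
    # named in this discussion. Hostnames are constructed placeholders; replace them
    # with your own inventory. Assumes C:\WINDOWS and admin rights on each target.
    $hosts = @('WKS-PLACEHOLDER-01', 'WKS-PLACEHOLDER-02')
    $files = @('msdtc.exe', 'dllhost.exe', 'winlogon.exe')

    function Test-SystemFileState {
        param([string]$ComputerName, [string[]]$FileNames)
        foreach ($f in $FileNames) {
            # Paths over the admin share; both locations are assumptions about the target layout.
            $sys32 = "\\$ComputerName\C$\WINDOWS\system32\$f"
            $cache = "\\$ComputerName\C$\WINDOWS\system32\dllcache\$f"
            New-Object PSObject -Property @{
                Computer       = $ComputerName
                File           = $f
                PresentInSys32 = (Test-Path $sys32)
                CacheAvailable = (Test-Path $cache)
            }
        }
    }

    # Build the report first so you can see the blast radius before touching anything.
    $report = foreach ($h in $hosts) { Test-SystemFileState -ComputerName $h -FileNames $files }
    $report | Select-Object Computer, File, PresentInSys32, CacheAvailable | Format-Table -AutoSize

    # Restore only where System32 is missing the file and a dllcache copy exists.
    # -WhatIf makes this a dry run; remove it once the report is what you expect.
    $report | Where-Object { -not $_.PresentInSys32 -and $_.CacheAvailable } | ForEach-Object {
        $src = "\\$($_.Computer)\C$\WINDOWS\system32\dllcache\$($_.File)"
        $dst = "\\$($_.Computer)\C$\WINDOWS\system32\$($_.File)"
        Copy-Item -Path $src -Destination $dst -WhatIf
    }
    ```

    This covers only the Windows File Protection route the thread mentions; restoring from the ESET quarantine itself is the vendor-side path Marcos describes, and the two are complementary: run the report to find hosts still missing files after the module update has arrived, and restore from dllcache only on those.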
  19. BRACdude

    BRACdude Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    16
    Ok, I've seen this asked a lot but all the ESET team seem to be avoiding the question..... How do you fix this across 100+ clients without restoring the quarantined files manually on each machine? o_O

    Your 'fix' may be all well and good for the home user but how about providing details on what the corporate customers should do to our larger computer estates as no disrespect towards home users but ESET are actually costing our companies money sorting this mess out!

    It's one thing to make an almighty screw up like this but it's how you deal with the aftermath & your users that shows how good a company you are.
     
  20. marcomas

    marcomas Registered Member

    Joined:
    May 16, 2006
    Posts:
    2
    Location:
    Italy, near Milano
    This affected about 7 servers on clients' networks.
    There is an option, pressing F5 in EAV Business v3, advanced configuration > tools > quarantine, to recheck quarantined files after update, but this doesn't seem to work.
    At this time the only possible solution seems to be manually restoring single files from quarantine.
    Really BAD. :doubt:
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    When a solution is ready (within a couple of hours from now), V3 and V4 clients will restore these files from quarantine automatically.

    We're also working on a stand-alone tool that will accomplish that in a network environment or which can be used by v2 users as well.
     
  22. storm0

    storm0 Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    2
    I hope that Eset will give us something for it, like an additional month of subscription. Because I don't like to run and repair computers on Monday morning and we actually pay for many licenses.
     
  23. duijv023

    duijv023 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    230
    Location:
    Rijnsburg, Netherlands
    Marcos,

    on earlier occasions (small local FPs) I saw that after applying the right updates, quarantined files were restored automatically.
    Will this also happen with this FP? If so, this will definitely be good news to admins with an FP headache...

    Greetings from Holland

    FTR: at this time, I only saw kernel detections without auto-delete/quarantine, so I cannot reproduce it at this time.

    update:
    Ok marcos, I did not see your latest comment until now...
     
  24. whitewlf

    whitewlf Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    2
    While I think many will be flying off the handles and screaming about this being a huge screw up, I also think they should just switch to decaf.

    That said, I must ask, after helping a friend "fix" his system after NOD32 just quarantined his system files... How do we "update" to the newest Advanced Heuristics module?

    Both our systems are saying Virus Signature 3918 and Advanced Heuristics module 1091, module build 1200. Manually updating says no updates are available.

    His machine was "infected" but mine, WinXP SP2, was not. Not even when I started copying the missing files to a rar to send him, in case the quarantine restore didn't work, did it complain about my files. His machine is SP3. Both of us run the advanced heuristics. His is still saying it is infected after disabling the Advanced Heuristics option for now.

    Edit: As I was about to hit post... I was just auto updated to 3919. But my module version is still 1091. I'm still not getting alerts, even with Adv. Heur turned back on. It has been fixed on my friend's machine as well.

    NOD32 antivirus system information
    Virus signature database version: 3918 (20090309)
    Dated: Monday, March 09, 2009
    Virus signature database build: 15296

    Information on other scanner support parts
    Advanced heuristics module version: 1091 (20090309)
    Advanced heuristics module build: 1200
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1082 (20090213)
    Archive support module build version: 1224

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Base
    Version: 2.70.39
    NOD32 For Windows NT/2000/XP/2003/Vista/x64 - Internet support
    Version: 2.70.39
    NOD32 for Windows NT/2000/XP/2003/Vista/x64 - Standard component
    Version: 2.70.39

    Operating system information
    Platform: Microsoft Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 2047 MB
    Processor: AMD Athlon(tm) 64 X2 Dual Core Processor 5200+ (2611 MHz)
     
  25. CEllsworth

    CEllsworth Registered Member

    Joined:
    Mar 9, 2009
    Posts:
    7

    So I can go to sleep? There will be a fix within the next 4 hours (8am CST) that restores the system files?
     