Wired Problem with XMON

Hi

XMON has detected a Virus called Win32/TrojanDownloader.Small.ZL

Code:

Time	Module	Object	Name	Virus	Action	User	Info

4/16/2005 17:56:38 PM	XMON	email message	from: [i]sender[/i] to: [i]Recipient[/i] with subject   dated 04/16/2005 17:56  Attachment: Fairy_tale_4534.zip	Win32/TrojanDownloader.Small.ZL trojan	deleted		

The more detailed log of XMON was saying:
1. Action: Deleted
2. Action: Error while cleaning – operation unavailable for this type of object – error while deleting - operation unavailable for this type of object – was part of the deleted object

So far so good, but every once in a while, AMON (probably after a signature update or something) is detecting a file with the same Virus, and it’s always in the %systemroot%\temp Folder with a NOD prefix.

Code:

4/17/2005 13:38:27 PM	AMON	file	C:\WINDOWS\TEMP\NODA234.tmp	Win32/TrojanDownloader.Small.ZL trojan		NT AUTHORITY\SYSTEM	
4/17/2005 7:01:11 AM	AMON	file	C:\WINDOWS\TEMP\NODF1D0.tmp	Win32/TrojanDownloader.Small.ZL trojan		NT AUTHORITY\SYSTEM	
4/17/2005 0:00:38 AM	AMON	file	C:\WINDOWS\TEMP\NOD996B.tmp	Win32/TrojanDownloader.Small.ZL trojan		NT AUTHORITY\SYSTEM	
4/16/2005 21:19:17 PM	AMON	file	C:\WINDOWS\TEMP\NOD84.tmp	Win32/TrojanDownloader.Small.ZL trojan		NT AUTHORITY\SYSTEM	

So it seems that NOD didn’t get rid of the Virus completely. What can I do? I also ran a manual scan and a deep scan but nothing.

Thanks
Adra

 

With MS Exchange, it's crucial to exclude the TMP and EDB extensions from scanning, if AMON is set to scan all files.

 

Hi Marcos

The Exchange directories have allready been excluded along with some other files like MAPI32.dll.

I also made a exclusion for files that loke like this:
*.edb
*.stm
*.log


..but i'm not quite sure if the [*] works for NOD32.

So basically the solution would be to exclude also *.tmp files and don't worry about the rest?

cheers
Adra

P.S.: Is it normal that NOD geneartes so much .tmp files in this directory? The size of that directory was up to 2GB since yesterday.

 

BTW: AMON was set to scan all files without exclusions. I didn't notice that the function changes to "exclude" files when "scan all files" is set. So I have to exclude those files there and TMP as well, right?

 

@marcos

Just wanted to say thanks. I had some confusions with the AMON tabs "detection" and "exlusions" since this was all done in the same tab for the previous Exchange scanner.

But after setting the proper file extension exclusions under "detection" and excluding the exchange directories like recommended from Microsoft, even the NOD temp files won't appear again.


Well, keep the good work going. The previous Scanner missed 7 viruses in the database (including a polymorph macro virus, but it's most probably some handwritten excel macro of some of our "more advanced" users => no prob. ).


Adra