CA Online Forums : Threat Management : CA Anti-Virus General Discussion

33.3.7051 Stdwin32 False Positives
WhiteRoseRaven
Visitor
Posts: 1
Registered: 08-12-2009

Message 1 of 24

Viewed 4,823 times

Since the signature update 33.3.7051, E-Trust is detecting *.dll files and *.exe files as being infected with the virus stdwin32. The files are then renamed to *.AVB. These files are not affected and belong to system applications such as server OS amongst others. Awaiting CA support to resolve this fault as it's a critical mistake made by CA. See this webpage for further details - the fallout could be massive. http://www.dynamoo.com/blog/2009/08/ca-etrust-goes-nuts-with-stdwin32-and.html
08-12-2009 05:59 AM

Re: 33.3.7051 Stdwin32 False Positives
andymcknight
New Member
Posts: 20
Registered: 01-22-2008

Message 2 of 24

Viewed 4,765 times

Confirmed same problem here. False detection on a Win7 box in a MS Visual Studio file which crashed the application. eTrust also crashed and machine required reboot. Have set all real-time and scheduled scan policies to Read-Only for the moment. Is there an easy way to reject a specific signature file?
08-12-2009 06:40 AM

Re: 33.3.7051 Stdwin32 False Positives
JohnL
Visitor
Posts: 1
Registered: 08-12-2009

Message 6 of 24

Viewed 4,686 times

ditto from oz... doesn't look good.
08-12-2009 07:10 AM

Re: 33.3.7051 Stdwin32 False Positives
DionM
Visitor
Posts: 2
Registered: 08-12-2009

Message 7 of 24

Viewed 4,672 times

Ditto from New Zealand. The "cure" of files on one of our client's servers killed Exchange and ArcServe. Fortunately renaming the .avb's back to original files and restarting the services sparked it back into life. Have disabled realtime sitewide for all clients. Looking forward to the fix. This one is going to be NASTY. :(
08-12-2009 07:13 AM

Re: 33.3.7051 Stdwin32 False Positives
Dynamoo
New Member
Posts: 3
Registered: 04-09-2008

Message 8 of 24

Viewed 4,642 times

I have the Realtime behaviour set to "Rename" rather than Cure or Delete, it makes recovery a lot easier. I'm guessing that it's 33.3.7051 causing the problem, looks like a BIG update. It may have happened when it was transitioning from one version to another. It started here about 0625 UK time (0525 GMT). It seems pretty random, it first ate our Sophos installation before turning on wireless NIC drivers, Nokia software, VNC, printer drivers and it even deleted some of its own binaries. Nice. I think it just deleted whatever it was accessing at the time rather than it being a specific false positive.
08-12-2009 07:22 AM

Re: 33.3.7051 Stdwin32 False Positives
andymcknight
New Member
Posts: 20
Registered: 01-22-2008

Message 9 of 24

Viewed 4,630 times

I can also confirm I've seen a couple of Microsoft files show up as false positives: Mqgentr.dll and Msrdp.ocx. Realtime picked these up in the SoftwareDistribution folders, not in the live OS. I've currently left Realtime running on all my clients but it's set to Report Only to see how far this one has spread.
08-12-2009 07:25 AM

Re: 33.3.7051 Stdwin32 False Positives
andymcknight
New Member
Posts: 20
Registered: 01-22-2008

Message 10 of 24

Viewed 4,561 times

Dynamoo wrote:
I have the Realtime behaviour set to "Rename" rather than Cure or Delete, it makes recovery a lot easier. I'm guessing that it's 33.3.7051 causing the problem, looks like a BIG update.
Yeah, this is a massive jump, it's not just an incremental signature update, it's a full update to the VET engine by the looks of it. We've gone, what, a little over a month since this previously happened? You'd think CA would be testing these releases thoroughly after the last fiasco.
08-12-2009 07:45 AM