Trojan: JS/IframeRef not appearing in quarantine folder
-
Thursday, April 12, 2012 5:40 AM
We've been experiencing FEP alerts for JS/IframeRef, but when we look at restoring it from Forefront for further investigation, the file is not available to be restored. In the Forefront terminal on the infected PC, under the History tab, the file lists as quarantined when "All detected items" is ticked but does not show when "Quarantined items only" is ticked.
I've looked in the Quarantine folder on C:\programdatat\...... but the quarantined file does not appear. (Yes, I'm aware that the quarantined file will appear as a string of numbers and letters and not the original file name something.htm.) This seems to be occurring particularly for IframeRef detections.
Is anyone else experiencing this?
Why is the file not present even though the quarantine action states as successful?
Is this a possible false positive?
Any assistance would be appreciated.
Cheers
All Replies
-
Thursday, April 12, 2012 8:30 AM Moderator
Hi,
Thank you for the post.
Trojan:JS/IframeRef is listed in the MS Malware encyclopedia and is classified at the Severe alert level.
https://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aJS%2fIframeRef
In FEP policy Settings--Default actions, the default action value for the Severe alert level is the recommended action, not Quarantine. So for this malware file, it should be deleted.
If there are more inquiries on this issue, please feel free to let us know.
Regards
Rick Tan
TechNet Community Support
- Proposed As Answer by Rowan W Friday, April 13, 2012 2:19 AM
- Marked As Answer by Rick Tan (Moderator) Friday, April 13, 2012 7:03 AM
- Unmarked As Answer by Rick Tan (Moderator) Thursday, April 19, 2012 3:13 AM
-
Thursday, April 12, 2012 11:28 PM
Thanks Rick.
We've now changed the setting to Quarantine for that level of threat which will allow us to do more investigation for reporting purposes.
Cheers
-
Sunday, April 15, 2012 10:22 PM
I'm having the same issues with this virus but my MSE has "Allowed" in the Action Taken column. When I select for it to show Allowed Items Only the virus is not listed so I can't remove it. Is there a download to fix this??
Thanks for your help!!
-
Monday, April 16, 2012 1:52 AM Moderator
Hi Lamora55,
Try to uninstall and reinstall MSE on your computer.
If the issue persists, please ask in the MSE forum.
Regards
Rick Tan
TechNet Community Support
- Edited by Rick Tan (Moderator) Monday, April 16, 2012 1:52 AM
-
Monday, April 16, 2012 3:29 AM
Rick,
We've since set the default action as Quarantine for that level of threat. However, we have had another instance of the IframeRef and when we go into FEP to restore, the infected file is still not there to allow restoration. When we look on the infected PC, we are able to see the settings on FEP desktop set as Quarantine for the default action of all alert levels. Is there another possible setting somewhere we may have missed?
Cheers
-
Monday, April 16, 2012 5:53 AM
Thanks for the info. I uninstalled MSE but computer got hung up during the reinstall so I cancelled and will try again. Wish me luck!
-
Wednesday, April 18, 2012 2:19 AM Moderator
Hi Henchman,
For some temporary files, FEP real-time protection doesn't catch (quarantine) them even though it shows the quarantine as successful. Please run a Full Scan to catch them.
Regards
Rick Tan
TechNet Community Support
- Marked As Answer by Rick Tan (Moderator) Thursday, April 19, 2012 3:13 AM
-
Thursday, April 19, 2012 7:34 PM
Try these manual removal steps to make sure your computer is free from any threat.

