Forefront Client Security hits positive on Mailfrontier-SonicWall email security tmp file
<p style="font-size:11pt;margin:0in;font-family:Calibri">Hello,</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Forefront Client Security is finding a virus in a temp folder on my Windows Server 2003 - Standard, running MailFrontier SonicWall Email Security, here:</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">&quot;Path Found: file:C:\WINDOWS\Temp\kp19A3.tmp&quot;</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">and identifying a process as running it, which is located here:</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">&quot;Process Name: C:\Program Files\MailFrontierEG\PluginDefault\policy\verity\bin\kvoop.exe&quot;</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">SonicWall asks that &quot;C:\Program Files\MailFrontierEG\&quot; be excluded from virus scans. Recently Forefront has been finding this virus in the temp folder, and it has never done that before.</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Is this proper practice for SonicWall Email Security, to temporarily store a virus in the temp folder while it deletes it? Or is this a possible vulnerability? Has anyone else seen anything like this on their email virus scanning servers?</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Thanks,</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Dan</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">== Actual alert - I have received 5 of these in the last 24hrs ==</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">10/21/2008 1:11:17 PM•3004• •Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">For more information please see the following:</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri"><a href="http://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Wantvi.I&amp;threatid=2147607438">http://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Wantvi.I&amp;threatid=2147607438</a></p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Scan ID: {F51F682C-85C4-40F4-BD46-7C761EF29F8E}</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Agent: On Access</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">User: NT AUTHORITY\SYSTEM</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Name: Trojan:Win32/Wantvi.I</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">ID: 2147607438</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Severity: Severe</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Category: Trojan</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Path Found: file:C:\WINDOWS\Temp\kp19A3.tmp</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Alert Type: </p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Process Name: C:\Program Files\MailFrontierEG\PluginDefault\policy\verity\bin\kvoop.exe</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Detection Type: Concrete</p>
<p style="font-size:11pt;margin:0in;font-family:Calibri">Status: Suspend ••</p>
© 2009 Microsoft Corporation.
All rights reserved.
Thread: http://social.technet.microsoft.com/Forums/en-US/ForefrontclientMTR/thread/bf035b92-2c3c-44c7-9d02-3dc147fbe3e2 (Thu, 05 Mar 2009 19:57:20 Z)
Original post by Dan Specht (http://social.technet.microsoft.com/Profile/en-US/?user=Dan%20Specht), Wed, 22 Oct 2008 00:06:13 Z: http://social.technet.microsoft.com/Forums/en-US/ForefrontclientMTR/thread/bf035b92-2c3c-44c7-9d02-3dc147fbe3e2#5be61df3-5a39-402e-8921-9fe5819dfd30
Reply by Kurt Falde (http://social.technet.microsoft.com/Profile/en-US/?user=Kurt%20Falde)
Forefront Client Security
hits positive on Mailfrontier-SonicWall email security tmp file
It's actually fairly common for AV to have some type of temp folder that it may use to unarchive the contents of .zip, .cab, .rar, etc. files while scanning.
<hr class="sig">CSS Security Support Engineer (FCS/MBSA/WUA/Incident Response) Check out my blog http://blogs.technet.com/kfalde
Thu, 05 Mar 2009 19:57:17 Z