Forefront Client Security Malware Technology and Response Forum

MSFCS Not detecting malware

Thu, 19 Nov 2009 16:57:08 Z

I installed MSFCS with clientsetup /nomom option in a remote windows 2003 server (leased from GoDaddy).

I have received 13 emails in the last 3 days with a zip attachment asking the receipient to install a file that exists inside the attachment.

MSFCS does not detect any threats in those emails (Real Tiime Protection is on).

If I run a manual scan, the result is the same: No threats.

I decided to send a sample to Microsoft Malware Protection Center.
They answered:

If you were to scan the files you submitted using Microsoft's Forefront Client Security product, you would      see relevant detection information similar to what is displayed below.
The detection results for the file(s) in your submission are as follows:
Submitted Files
=============================================
B0001714884-nws1.msg [Trojan:Win32/Oficla.E]
+---(part0002_module.zip) [Trojan:Win32/Oficla.E]
+---utility.ex_ [Trojan:Win32/Oficla.E]

I checked my MSFCS setup and everything seems to be ok.
     Real time protection is on.
     Antivirus definition version is 1.71.26.0
     Check for updated definitions before scanning is checked.
     Scan the contents of archived files and folder for potential threats is checked.
I checked and both the Antimalware and State Assesment services are running.

The emails are being filtered by my mail server as spam, so I have access to the original files.

The messages are in files with the .msg extention.

I copied them to a new folder and ran a manual scan again. MSFCS says there is no threat in any of the 13 files.

As you can imagine, this is worrying me, a lot.

Any ideas about what can be the problem?

Thanks,

msmpeng.exe causing bad builds for isdev.exe (InstallShield)

Wed, 18 Nov 2009 14:58:32 Z

My company recently replaced MacAfee AV with MS Forefront. Since that moment, whenever I try to build an install in InstallShield (using v7 or 2010), the resulting install gets corrupted so that when it runs it produces a -5006 error. If I add isdev.exe to the “Do not scan files accessed by these processes:” option or kill the antimalware component msmpeng.exe, the install builds and runs fine. It does not help if I use the “Do not scan these files or locations:” option as the antimalware component seems to ignore this option. Has anyone else experienced this issue? Is there any possibility that MS will change the antimalware component so that this will not occur?

Thanks - Gary Gavin

FCS slow removal?

Mon, 02 Nov 2009 05:57:28 Z

Hi,

We have FCS deployed in our network and recently we found a virus conficker. From the FCS log I can find that it took about 11-12 minutes for the FCS to take action:Remove. Please refer to the log below (in the log you can find 2 domain users, meaning on 2 different computers).

We wonder why it took a while for the FCS to take Remove action and it did not immediately take Remove action once it detects the virus. Kindly advise. Thank you.

Regards,

Januar

10/27/2009 10:39:55 PM 3005 Microsoft Forefront Client Security Real-Time Protection agent has taken action to protect this machine

from spyware or other potentially unwanted software.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=37020&name=Worm:Win32/Conficker.B&threatid=2147618124

Scan ID: {76D6031E-8FAE-40F2-89C1-F5396A93205E}

User: Domain-name\domain-user1

Name: Worm:Win32/Conficker.B

ID: 2147618124

Severity: Severe

Category: Worm

Alert Type: Spyware or other potentially unwanted software

Action: Remove

10/27/2009 10:39:50 PM 3005 Microsoft Forefront Client Security Real-Time Protection agent has taken action to protect this machine

from spyware or other potentially unwanted software.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=37020&name=Worm:Win32/Conficker.B&threatid=2147618124

Scan ID: {7762C745-71DB-45B2-A861-9AB93802F541}

User: Domain-name\domain-user2

Name: Worm:Win32/Conficker.B

ID: 2147618124

Severity: Severe

Category: Worm

Alert Type: Spyware or other potentially unwanted software

Action: Remove

10/27/2009 10:27:47 PM 3004 Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft

recommends you analyze the software that made these changes for potential risks. You can use information about how these programs

operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the

software publisher. Microsoft Forefront Client Security can't undo changes that you allow.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=37020&name=Worm:Win32/Conficker.B&threatid=2147618124

Scan ID: {5EBC84F0-DD38-41AA-BA83-B9E4C9EEDC19}

Agent: Application Registration

User: Domain-name\domain-user1

Name: Worm:Win32/Conficker.B

ID: 2147618124

Severity: Severe

Category: Worm

Path Found: file:C:\WINNT\tasks\At1.job;file:C:\WINNT\system32\uhcguem.sf;taskscheduler:C:\WINNT\tasks\At1.job

Alert Type: Spyware or other potentially unwanted software

Process Name:

Detection Type: Concrete

Status:

10/27/2009 10:27:39 PM 3004 Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft

recommends you analyze the software that made these changes for potential risks. You can use information about how these programs

operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the

software publisher. Microsoft Forefront Client Security can't undo changes that you allow.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=37020&name=Worm:Win32/Conficker.B&threatid=2147618124

Scan ID: {2D8E3473-C5DA-46D2-8C87-63E14B8F2EAB}

Agent: Application Registration

User: Domain-name\domain-user2

Name: Worm:Win32/Conficker.B

ID: 2147618124

Severity: Severe

Category: Worm

Path Found: file:C:\WINNT\tasks\At1.job;file:C:\WINNT\system32\uhcguem.sf;taskscheduler:C:\WINNT\tasks\At1.job

Alert Type: Spyware or other potentially unwanted software

Process Name:

Detection Type: Concrete

Status:

10/27/2009 10:26:48 PM 3004 Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft

recommends you analyze the software that made these changes for potential risks. You can use information about how these programs

operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the

software publisher. Microsoft Forefront Client Security can't undo changes that you allow.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=37020&name=Worm:Win32/Conficker.B&threatid=2147618124

Scan ID: {204EC5C2-0BBF-415B-95F2-251383DAD752}

Agent: On Access

User: NT AUTHORITY\SYSTEM

Name: Worm:Win32/Conficker.B

ID: 2147618124

Severity: Severe

Category: Worm

Path Found: file:C:\WINNT\system32\uhcguem.sf

Alert Type:

Process Name:

Detection Type: Concrete

Status: Suspend

Antivirus System PRO Infection could not be removed by MSFF client

Sat, 07 Nov 2009 03:06:05 Z

My computer got infected by Antivirus system PRO which every few minutes pushed porno pages on to the screen. I ran Microsoft forefront client security program installed on the laptop and it just showed my system is working fine. I had to google to find out how to manually remove the infected software and had to remove it the hard way. Does it mean that MSForefront is not good enough?

error code 0x80070643

Thu, 12 Nov 2009 06:26:02 Z

i can t install microsoft security essentials error code 0x80070643

is it a virus or malware?

Fri, 06 Nov 2009 10:24:15 Z

hey guys hope you all ok. am kindly asking, is "desktop .ini" a virus or malware? its been on my pc for ages. i have tried to remove it but it still comes back. my pc is advent 5712 and the anti virus that i have is avg. kindly help please and thanks in advance

why those options not included at FCS

Sat, 28 Mar 2009 12:16:49 Z

i wonder if can i confute FCS to take action as
if detect Virus/spyware so First action to clean then delete/quarantine

i don't need manual interaction response when malware detected
i need FCS to automatically clean any Infected files
why user must right click and chick smart clean or apply Action

any AV have this option, did MS not trust itself and need client to take action or FCS are not good enough to know Malware from false positive
where is shell integration and why when we ask about any AV option MS say at FCS v2,
MS should make a hot fixes for this or it will lose market because customer will not wait until their environment be infected.

waiting ur answer badly

TrojanDropper:Win32/Ilomo.C

Fri, 16 Oct 2009 15:01:25 Z

Anyone have a problem with this one? It keeps coming back again and again and again, well you get the idea.

And from the same list of computers. It reports it as Successfully Responded and then a couple of days later it will come back with the same message.

Then I get this

Source: Microsoft Forefront Client Security Threat ID = 2147621724
Name: Re-Infected Computer (Alert Level 5)
Description: Client Security has detected that the computer has been infected several times by the following threat:
            - Threat name: TrojanDropper:Win32/Ilomo.C
            - Window start time: 10/12/2009 12:10:00 PM
            - Window end time: 10/15/2009 12:10:00 PM
            - Reported infection instances: 4

This happens on computers that are doing nothing!! We have a computer that is used for scanning only and one day I received this same alert from this computer and no one was using it ??

Here are the details of the event

Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanDropper:Win32/Ilomo.C&threatid=2147621724
Scan ID: {ADC00520-598E-4BD5-AC81-2D4084B63624}
Agent: On Access
User: NT AUTHORITY\SYSTEM
Name: TrojanDropper:Win32/Ilomo.C
ID: 2147621724
Severity: Severe
Category: Trojan Dropper
Path Found: file:C:\WINDOWS\system32\2.exe
Alert Type:
Process Name:
Detection Type: Concrete
Status: Suspend

How could I track how it's getting in?

Thanks

"Windows PC Defender" Malware Not Detected

Mon, 21 Sep 2009 14:19:15 Z

I have a user who has managed to get infected with the Windows PC Defender malware.

She's running as a standard user, so I'm assuming the damage will be minimal. However, her machine is running the latest version of FCS with the latest definitions.

How is it that FCS allowed this software to install? And why, when I run a full scan of the system, is no malware detected?

I received a message from Skype saying that I had a serious issue that needed immediate attention

Fri, 10 Jul 2009 22:11:12 Z

Here is the message that I received "Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns"

It told me to download a file immediately?

[4:47:12 PM] Scan Alert says: WINDOWS REQUIRES IMMEDIATE ATTENTION
=============================

ATTENTION ! Security Center has detected
malware on your computer !

Affected Software:

Microsoft Windows Vista
Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows Server 2003

Impact of Vulnerability: Remote Code Execution / Virus Infection /
Unexpected shutdowns

Recommendation: Users running vulnerable version should install a repair utility immediately

Your system IS affected, download the patch from the address below !
Failure to do so may result in severe computer malfunction.

http://www.securityreg.org/

For the link to become active, please click on 'Add to contacts' skype button or type it in manually into your web browser !

Please let me know what I should do and if I should get off of my computer immediately? I am very worried!!!

Worm:Win32/Conficker.B virus

Tue, 27 Jan 2009 14:06:12 Z

Hi All,

I have Worm:Win32/Conficker.B virus in my network, I have WSUS 3.0 deploy defintion+security+critial updates to all my clients and FCS managed by Forefront Managment Console.

I deployed Microsoft Removal Malicious Software Removal Tool last version to all my client via GPO.

The worm keep showing at clients that already removed the worm. The clients are fully update, AntiVirus-AntiSpyware definition - 1.49.2577.

How to remove the worm completely from my network?

Thanks.

softsafeness virus

Mon, 14 Sep 2009 20:40:01 Z

softsafeness has invaded mywindows security center on my vista computer can't remove it. can anyone give me some help.

Conficker.B - Where to find threat Source?

Thu, 30 Jul 2009 18:15:06 Z

How do I determine the threat source that is attacking other computers? McAfee will report the "threat source", which makes dealing with an issue much easier. I have not been able to find the "threat source" data in Forefront. Can anyone shed some light on where to find the "threat source" data in Forefront.

As you all probably know, this is critical information for fighting outbreaks.

first windows installer pops up then microsoft.net framework then they stay in middle of frame

Mon, 31 Aug 2009 04:06:15 Z

stop shoving updates i don,t want doun my throat

Supported topologies for FCS SP1

Wed, 26 Aug 2009 18:40:27 Z

Hello Team,
I have a quick question. In the product documentation, there are six supported configurations listed. We have decided to go with a three server configuration with the management server on one server, the distribution server on a WSUS server, and the remaining roles and databases on a seperate SQL server. Is this a supported configuration?
LC-J

Seek App discovered on one system - not detected by FCS

Fri, 28 Aug 2009 17:56:33 Z

We recently discovered a virus on one of our XP systems called Seek App. The filename on the system was seekapp149.exe and it was attached to IE. It appears to be the same as this

http://www.threatexpert.com/report.aspx?md5=f74708da4f2d06c8114b1077f957dc68

Is there a way to add this one to the FCS defs?

Orange County District Attorney

Red X will not go away!

Wed, 19 Aug 2009 21:12:09 Z

Good day!

Forefront Managed Systems
Full Scans once a week. No Quick Scans.
No End User Access (locked down)
Fully Managed by System Admin
Virus detected- Icon turned from green check mark to Red X.
Red X will not clear up. Been about a week now.

Anything I can do besides editing the Policy and giving End Users access to Forefront settings?
I was under the assumption this would automatically clear up (automatically Smart-Clean).

Regards-

Andrew

I have vista-getting a pop-up that w32.paysee.c has infected my computer. Personal virus icon is viewed I cannot delete it.

Sat, 22 Aug 2009 10:04:12 Z

I have vista-getting a pop-up that w32.paysee.c has infected my computer. Personal virus icon is viewed I cannot delete it.

Do not know what to do...

How do I learn if and when Forefront definitions will catch a particular virus threat?

Fri, 14 Aug 2009 15:22:26 Z

One of my technically astute AutoCAD engineers forwarded a link from Webroot about an AutoCAD specific vulnerability.

http://blog.webroot.com/2009/07/01/autocad-adware-trojans-target-techies/

We are using Forefront 1.0sp1 for our client machine malware and virus protection. How can I determine if Forefront will protect against this threat? And if so, which definitions do I need? Although this issue hasn't arisen for me before I can imagine a boss wanting to see proof that a specific product protects against a specific threat.

Any pointers would be appreciated.

-Mike Tanis

Exploit MDAC ActiveX code execution (type 183) and JS/Downloader.Agent

Mon, 10 Aug 2009 06:11:47 Z

I was surfing on the web and AVG notified me of the following malware:

Exploit MDAC ActiveX code execution (type 183)
JS/Downloader.Agent

What are these and how can I get rid of them? AVG had no options in the results column of Web Shield.

Thank you!

Forefront made nothing with gadislugu virus

Tue, 11 Aug 2009 16:55:58 Z

HI, everybody, my computer has a gadislugu virus but forefront not make nothing about it. Why?

Forefront doesnt clean virus W32.Bancos in some instances

Tue, 04 Aug 2009 07:06:08 Z

Hi I am having trouble with forefront client cleaning bancos virus. It doesnt seem to clean it successfully across all machines. given below info from MOM

Severity: Security Issue
Maintenance Mode: False
Domain:
Computer:
Time Last Modified: 8/2/2009 1:20:30 PM
Resolution State: New
Time in State: 8/2/2009 8:43:39 AM
Problem State: 0
Repeat Count: 3
Name: Malware on Network - Failed Response (Alert Level 2)
Source: Microsoft Forefront Client Security Threat ID = 2147627172
Ticket Id:
Owner:
Description: Client Security failed to eliminate the following threat:
- Threat name: TrojanSpy:Win32/Bancos.OH
- Attempted action: Remove

        The antimalware engine on the client computer returned the following:
            - Error code: 0x80508024
            - Error message: To finish removing spyware and other potentially unwanted software, you need to run a full scan. For information about scanning options, see Help and Support.

        To investigate and resolve this incident:
            1. Learn about the threat and its mitigation. Consult the Microsoft Malicious Software Encyclopedia:
                 http://go.microsoft.com/fwlink/?linkid=37020&name=TrojanSpy:Win32/Bancos.OH
            2. Identify computers infect with this malware. Consult the Malware Detail Report:
                tab.
Time of Last Event: 8/2/2009 1:20:29 PM
Time Raised: 8/2/2009 12:43:37 PM
Alert Id: bd634331-b0be-40c1-bea1-ab35d3ac6d83
Rule Id: 2182f53c-a676-478d-a758-9280b908e181
Rule Name: Malware on Network - Failed Response (Alert Level 2)
CustomField1: Microsoft Forefront Client Security
CustomField2: Threat
CustomField3: 2147627172
CustomField4:
CustomField5:
Time Added: 8/2/2009 12:43:39 PM
Time of First Event: 8/2/2009 12:43:37 PM
Time Resolved:
Resolved By:
Modified By: NT AUTHORITY\NETWORK SERVICE
Computer Custom Data 1:
Computer Custom Data 2:
Maintenance Mode End:
Maintenance Mode User:
Maintenance Mode Reason:

No other way?

Mon, 20 Jul 2009 19:26:26 Z

Here is my current policy setup with regards to the area i'm wondering about.

Client Options:
users can view all client security agents and settings
only administrators can change client security agent settings

Currently my domain account is a local admin on my machine. When I run a test scan and it detects I have an option of what I want to do with the alert (remove, ignore etc) which is great. Us admins should be able to choose what they want to do

On a regular users machine (where they are only power users) the same scan will only result in the tray icon turning orange (and appropriate event logged in the event viewer), and they cannot access the gui..nor does the program seem to do anything with the infected file. It's still in the directory I put it in. This is not good at all. Can there not be a default action put in place? As per the ballon tip on the client machine..."A system administrator manages Microsoft Forefront Client Security for all users on this computer. The program will notify you to take actions only if malicious software is detected"

And it certainly doesn't. HELP!

My HP Media Center PC with vista has odd behavior: destroys usb drive, crashes computer

Thu, 14 Aug 2008 15:20:44 Z

I have a serious problem: my computer is destroying itself!

It all started when I ran pinnacle studio 8 installation in compatability mode for windows xp service pack 2. After that, Windows Media Center Receiver Service Started Crashing. Then RunDLL32 windows host process. And then COM Surrogate. The last one it started crashing was Windows DVD maker. For A while I didn't Know why. Then I discovered it was Pinnacle and it was using AVI files (I'm not kidding, AVIs) to crash programs. I immediatelly probed my system for anytyhing with the name pinnacle or AVI and deleted it.

Here's where I was REALLY stupid. I found the LAST pinnacle files in my PC . As I ran the uninstaller, I noticed its name was UNWISE. I Ignored it.I got rid of all the pinnacle files, but it still crashed those programs!
And JUST when I thought it couldn't get ANY worse, I put in a USB device. As SOON as I took it out , the screen changed To blue and it said

Start process: minidump

Dumping Physical Memory

IMMEDIATELY I cut the power to the PC, took out the USB port, And turned on the PC. Fine.
THEN IT SAID:(in a window)

Windows has recovered from an unexpected Shut Down.

I clicked "More Details"

The name of the program: BlueScreen.

AAAAH! The Blue Screen Of Death!

I Put in my USB device Again and took it out. Nothing happened. LITERALLY!

MY DRIVE WAS DESTROYED!

If anybody could help me out I'd really appreciate it

-ComputerHamster

Can printing launch a virus?

Thu, 04 Jun 2009 23:53:26 Z

I was sent an email stating it is possible to launch a virus by only printing something off the internet. There are no details to pass on from this statement. Am I wrong when I say it is not possible without opening an attachment?

Question for the Product Team :-)

Wed, 07 May 2008 14:33:49 Z

Hello guys and girls,

A quick question, we are working with a customer and quite close to displacing one of our competitors for their client AV solution however at a meeting yesterday the client raised and interesting question that I did´nt have an answer too.

Do you have an application capable of detecting Kernel Mode rootkits? or are you working on something to that effect?

As I understand it, the only way of doing this would be from outside the OS, either a bootable CD or pre installed app capable of booting up in a linux / winPE etc. environment. Other AV vendors have this kind of solution for example McAfee previousley had Cleanboot and now prescan and the command line scanner package that is included in Hirens boot cd etc... the good thing about prescan is that it allowed a simultaneous reboot and then scan of entire groups or even the whole network from the management console, usefull for an outbreak if you want to make sure all machines are clean before you bring your network back up.

It could also be usefull to have this for peace of mind, as I asume this would give it greater accuracy and less problems as no services / processes could be loaded..

thanks for your time

Uninvited Virus Removal 2009 program has been detected, trying to remove all traces

Wed, 01 Apr 2009 06:39:05 Z

I've heard about this Confiker malware and just had McAfee alert re: Virus Removal 2009 program has been detected as malware, I instructed McAfee to remove. Fearing possibly damage has been done, still trying to remove all traces. When I went to control panel it wouldn't uninstall, only removal. Adaware & McAfee scanned and found nothing. Performed search, found vrm2009.exe-02B553A6.pf Is this file worm/malware corruption? Pls identify if it's necessary to delete this file? At this moment am performg full scan at safety.live.com.
Any suggestions in basic laymen's terms please is appreciated.

Forefront Client Security and Malicious software Removal Tool

Thu, 09 Apr 2009 11:58:54 Z

Hello all,

I understand the purpose of MSRT is to remove infections from computers as opposed to Forefront pre-empting the infection. What I’d like to understand is, if Forefront is unable to remove a malware, is there any point in running MSRT in an attempt to remove the malware?. Does MSRT do any additional tasks or have a different definitions list?

Many thanks

Howard

How to Exclude network Drive Scanning in FCS

Wed, 13 May 2009 10:54:41 Z

The FCS starts to scan network drives once the scan in initiated through the FCS policy. There is no option to select/deselect the network drives scan in FCs policy ?

I have a Worm_strat/gen3 and cant figure out how to get rid of it

Tue, 05 May 2009 20:44:41 Z

I have tried various tools, malware when I use this i get the blue screen of death, I have used windows live one care and it doesn;t get rid of it. I also tried to use spybot and again it gives me the blue screeen. Does anyone know how I can get rid of this??
The error message i get is Potential Threat detected Worm_Strat.Gen3 C/system Volume Information restore and lots of #s . I tried to do a system restore to a point previous to getting the error message and i can;t complete one. HELP

Thanks

Microsoft DONT KNOW HOW TO RESPONSE MALWARE THREATS

Thu, 28 Aug 2008 17:33:52 Z

Hi we deploy Forefront Client Security on aproximatly 6500 computers.

All de process is easy winth scripts or WSUS or both. At this moment we have a treath
with the Virus:Win32/Sality.AM and Worm:Win32/Sality.AM and a lot of other malware.
The malware causes files infection, reg keys deletion, FCS corruption.

We call to MS Support with the case SRX080826600424 anh they said us "FCS reports
was determined that the FCS client anti-malware files were older than the most current versions
available" They built a hotfix (KB956280 – 1.5.1958.0) and after subsequent scans detected and
removed the malware.

Now all the computer pre-cleaned has the virus again. (Reinfected)

We call partners or another companies and they have removed FCS

In summary Microsoft DONT KNOW HOW TO RESPONSE MALWARE THREATS and they just say "If FCS
does not detect the malware please submit it (https://www.microsoft.com/security/portal/submit.aspx)"
and the Management Consoles (MOM or FCS MC) dont help on this cases.

FCS could be integred on Enterprise Agreement but is not the better solution. Maybe on a few years with Forefront codename "Stirling"

I Speak Spanish.. so my english is not perfect.

H1R@M

bugs.tmp

Sat, 04 Apr 2009 10:52:18 Z

Doing "cleanup disk" with Acronis, and found two bugs Acronis can't fix "~DF5063.tmp" and "~DF94F1.tmp". I can run "CHKDSK" but am unable to use /f or /r, "hpcommgr" butts in and I can't close session without cancelling /f and /r. In Securties>Internet Properties>Advanced tab>Phishing (has yellow exclamation mark) in expanded the "turn on auto website checking" is checked. My system is XP Pro-HP 1125a-one Gig-3.20GHz. I have PC TOOLS-MAX SECURE REG CLEANER-SPYWARE DETECTOR. Everything seems to work well, but it takes a long (longer than usual) time to boot up, and turn off. If I could get some help with this it would make me smile, cause I know someone is looking over my shoulder.

Virus Detection with out-of-date signatures\definition updates.

Sun, 29 Mar 2009 05:10:26 Z

What happens when a virus is detected and Forefront Client Security doesn't have the updated signature for that infection?
Does it go into Quarantine?
(Specifically for AntiMalware)

worm:win32/hamweq!inf

Tue, 03 Mar 2009 17:24:27 Z

Hi, I have a problem with the above mentioned virus. Forefront detects it and also "cleans" it, but not properly. I clean my flashdisk\thumbdrive but once I stick it back into my PC it gets reinfected. I have updated to today's definition file but it is no good. This particular virus cannot infect Vista machines, but it seriously attacks XP. I do not know what to do. Forefront picks it up over and over again and says it cleaned it succesfully but the virus just stays. I have disabled System Restore to no avail. Stinger from Mcafee also does'nt even detect it, but then again I have never seen it pick up anything before in my life. Please help as I was the one that pushed the client to get Forefront as I had faith in the product.

skp66.exe

Sat, 18 Oct 2008 03:17:04 Z

hi guys do you have some advise in removing skp66.exe

thanks

Forefront Client vs Antivirus XP 2008

Wed, 08 Oct 2008 06:24:27 Z

Hi,

In my company we use Forefront Client as the main anti-virus/anti-malware tool for our windows xp clients.

Unfortunately, some of these clients got infected by the Antivirus XP 2008 spy/malware even though they had the Forefront client installed and updated.

Does anyone else have this problem that Forefront does not protect the client from being infected by this specific virus or are we doing something wrong in our security policy?

Regards,

Mark

FCS don't remove Backdoor:Win32\Agent.CR from Win32l.dll

Sun, 15 Feb 2009 23:39:24 Z

Hi,

I'm having problems removing Win32\Agent.CR from Windows\System32\Win32l.dll (Windows 2003 Server) with Forefront Client Security.

It is classified as a backdoor and risk as Severe.

If a choose SmartClean button it saids that it needs to restart the server because to remove it. But after restart, if I scan, it is there again.

I used tasklist to identify the program that is using it. It is msiexc.exe.
I killed the process at task manager and try it again. It seams to remove it. But if I restart the server and scan again. Yes, it is there again!

How can I remove it? Could it be a false positive?

Thanks,
Pedro Gonçalves

Removed VUNDO worm. Now Automatics Updates service will not start

Wed, 04 Mar 2009 17:51:16 Z

Automatic Updates service and BITS service will not start. Get a message from both:
Could not start (either above) server on local computer. Error 2: The system cannot find the file specified.

These began after cleaning out the VUNDO worm. These services are not running. How do I repair them to run?

Forefront Client Security hits positive on Mailfrontier-SonicWall email security tmp file

Wed, 22 Oct 2008 00:06:13 Z

Hello,

Forefront Client Security is finding a virus in a temp folder on my Windows Server 2003 - Standard, running Mailfrontier sonic wall email security here:

"Path Found: file:C:\WINDOWS\Temp\kp19A3.tmp"

and identifying a process as running it, that is located here:

"Process Name: C:\Program Files\MailFrontierEG\PluginDefault\policy\verity\bin\kvoop.exe"

SonicWall ask that "C:\Program Files\MailFrontierEG\" be excluded from virus scans. Recently Forefront has been finding this virus in the temp folder, and it never has done that before.

Is this proper practice for SonicWall Email security to temporarily store a virus in the temp folder while it deletes it? Or is this a possible vulnerability? Has anyone else seen anything like this on thier email virus scanning servers?

Thanks,

Dan

== Actual alert - I have received 5 of these in the last 24hrs ==

10/21/2008 1:11:17 PM•3004• •Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.

For more information please see the following:

http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Wantvi.I&threatid=2147607438

Scan ID: {F51F682C-85C4-40F4-BD46-7C761EF29F8E}

Agent: On Access

User: NT AUTHORITY\SYSTEM

Name: Trojan:Win32/Wantvi.I

ID: 2147607438

Severity: Severe

Category: Trojan

Path Found: file:C:\WINDOWS\Temp\kp19A3.tmp

Alert Type:

Process Name: C:\Program Files\MailFrontierEG\PluginDefault\policy\verity\bin\kvoop.exe

Detection Type: Concrete

Status: Suspend ••

False Positive?

Fri, 06 Feb 2009 14:11:53 Z

Hi,

I'm the SMS admin as well as one of the FCS admins. I'm setting up a push for a Ascent upgrade to a couple hundred workstations when FCS reported Trojan:Win32/Delfsnif.C in a file called MSIcleanup.exe that was temporarily extracted from the MSI that I'm installing from.

Any thoughts? I'll also be contacting the vendor today as well.