FCS detected SCOM file as Win32/CVE-2011-0658
Friday, June 17, 2011 3:29 PM
Yesterday (June 16th), we received an alert that one of our machines was infected with Win32/CVE-2011-0658. In checking the details, the file that was quarantined is: C:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store\edb.chk
I checked the definition date and the definition for this infection was released on June 15th. We are now seeing multiple computers infected, both Windows 7 and XP. Has anyone else seen this behavior before, where FCS detects SCOM files as infected? Can anyone help me determine if there really is an infection here? Here are the infection details:
----------------------------------
Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:Win32/CVE-2011-0658&threatid=2147646548
Scan ID: {3CF6197D-7AE5-4AAB-8993-792F5D45AC87}
Agent: On Access
User: NT AUTHORITY\SYSTEM
Name: Exploit:Win32/CVE-2011-0658
ID: 2147646548
Severity: Severe
Category: Exploit
Path Found: file:C:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store\edb.chk
Alert Type:
Process Name: C:\Program Files\System Center Operations Manager 2007\HealthService.exe
Detection Type: Heuristics
Status: Suspend
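One way to triage a record like the one above before deciding whether it is a real infection is to parse the FCS detection fields and check the facts a defender would look at first: whether the hit is heuristic or signature-based, whether the flagged file sits inside the reporting process's own install tree, and what kind of file it is. The script below is an added example and is not code from the thread, from Microsoft, or from the SCOM product; the alert text is copied from the question, and the triage rules (and the threshold of two or more indicators) are my own assumptions about a first-pass false-positive review, not an FCS feature.

```python
"""Parse a Forefront Client Security (FCS) detection record and flag it for
false-positive review.  Added example, not part of the original thread.
The record is copied from the question; the triage rules are assumptions
about what a defender checks first, not FCS behaviour."""

# Detection record as posted in the question (embedded here as a string).
SAMPLE_ALERT = """\
Scan ID: {3CF6197D-7AE5-4AAB-8993-792F5D45AC87}
Agent: On Access
User: NT AUTHORITY\\SYSTEM
Name: Exploit:Win32/CVE-2011-0658
ID: 2147646548
Severity: Severe
Category: Exploit
Path Found: file:C:\\Program Files\\System Center Operations Manager 2007\\Health Service State\\Health Service Store\\edb.chk
Alert Type:
Process Name: C:\\Program Files\\System Center Operations Manager 2007\\HealthService.exe
Detection Type: Heuristics
Status: Suspend
"""


def parse_alert(text):
    """Turn 'Key: value' lines into a dict.  Only the first ':' splits the
    line, so 'Path Found: file:C:\\...' keeps its value intact; empty
    values (e.g. 'Alert Type:') are kept as ''."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def file_path(fields):
    """Strip the 'file:' prefix FCS puts in front of the path."""
    path = fields.get("Path Found", "")
    return path[5:] if path.lower().startswith("file:") else path


def directory_of(path):
    """Parent directory of a Windows path ('' if there is no separator)."""
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def triage(fields):
    """Return (likely_false_positive, reasons).

    Assumption (mine): a heuristic hit on a non-executable data file that the
    reporting process maintains under its own install directory deserves
    hash/signature verification before it is treated as an infection."""
    reasons = []
    path = file_path(fields)
    proc = fields.get("Process Name", "")

    if fields.get("Detection Type", "").lower() == "heuristics":
        reasons.append("heuristic (not signature-based) detection")

    proc_dir = directory_of(proc)
    if proc_dir and path.lower().startswith(proc_dir.lower() + "\\"):
        reasons.append("file is under the reporting process's own install directory")

    # edb.chk is the checkpoint file of the ESE database engine that the
    # SCOM Health Service Store uses; it holds no executable content.
    if path.lower().endswith("\\edb.chk"):
        reasons.append("edb.chk is an ESE database checkpoint file, not executable content")

    return (len(reasons) >= 2, reasons)


def follow_up_checks(fields):
    """Concrete verification steps for a flagged record (defender's list)."""
    return [
        "compare the SHA-256 of %s across all affected hosts" % file_path(fields),
        "verify the Authenticode signature of %s" % fields.get("Process Name", ""),
        "compare the definition release date with the first detection time",
        "submit the quarantined file to the AV vendor for analysis",
    ]


if __name__ == "__main__":
    parsed = parse_alert(SAMPLE_ALERT)
    suspect_fp, why = triage(parsed)
    print("likely false positive:", suspect_fp)
    for reason in why:
        print(" -", reason)
    for step in follow_up_checks(parsed):
        print(" *", step)
```

Running the script against the posted record reports all three indicators, so the alert is marked as a false-positive candidate; that is a prompt to verify hashes and signatures, not a verdict.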
All replies

Thursday, August 18, 2011 10:26 AM
Have you checked that http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Exploit%3AWin32%2FCVE-2011-0658
Tushar