Malware event not reported
Hi
This morning, a user reported that their FCS icon had turned red after a scan yesterday. When I checked the FCS server console, it didn't show any malware in the summary, but when I looked in the Events section of the "Computer Detail" report for that PC, I found this event:
21/04/2008 10:15:53 1006 Microsoft Forefront Client Security scan has detected spyware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
Scan ID: {4579CF6D-34F0-4591-AE07-28E42A94016D}
Scan Type: AntiMalware
Scan Parameters: Full Scan
User: NT AUTHORITY\NETWORK SERVICE
Name: Trojan:Win32/Vundo.gen!D
ID: 2147602644
Severity: Severe
Category: Trojan
Path Found: process
id:1060
Detection Type: Generic
And later events, today:
22/04/2008 08:31:59 3004 Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
Scan ID: {2FC93488-AF4E-486E-8107-7C23A7FE5CDE}
Agent: On Access
User: \
Name: Trojan:Win32/Vundo.gen!D
ID: 2147602644
Severity: Severe
Category: Trojan
Path Found: file:C:\Program Files\Skype\Phone\Skype.exe
Alert Type:
Process Name:
Detection Type: Concrete
Status: Allow
22/04/2008 08:31:58 3004 Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
Scan ID: {080A2688-A3A6-4B80-ABFD-2D3A5F3421B8}
Agent: On Access
User: XXX\YYY (real data removed)
Name: Trojan:Win32/Vundo.gen!D
ID: 2147602644
Severity: Severe
Category: Trojan
Path Found: process
id:308
Alert Type: Spyware or other potentially unwanted software
Process Name:
Detection Type: Generic
Status:
So it appears there is an infection, although it may prove to be a false positive. Anyway, I would have expected this to have been visible at the console "Reporting Critical Issues" or at least "Malware detected" as well as in the more detailed reports. As far as I'm aware, I haven't changed anything in this regard from the default set up.
Any help appreciated.
David
All Replies
It seems that Skype.exe was identified as a trojan by mistake. See this: http://www.news.com/8301-10789_3-9926921-57.html for example.
Thanks for the link - that explains what caused the alert.
Though I'm still uncertain about how/whether this was supposed to be reported in the console & reports. The only reason I knew about it as an administrator was the user telling me they had a red Forefront icon, and I dug down to find the event. I've tried increasing the alert level from 3 to 5, but it seems to me that at level 3, I should have seen the malware alert in the console.
David
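The thread turns on information that is in the per-machine event text (event 1006 from the scan, two 3004 real-time events, one of them with "Status: Allow") but never surfaced in the console summary. The following is an added example, not code from the original post or from Forefront Client Security: a small parser for the event descriptions exactly as they appear in the Computer Detail report above, plus a per-threat roll-up of the kind an administrator would want to see. The sample input is the post's own three events (long messages cut to their first sentence; names already redacted in the post). The field names are taken from those events, the assumption that other events use the same "Key: value" layout is mine, and the "needs attention" rule at the end is this script's rule, not FCS alert-level logic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the events quoted in the post, in the "<date> <time>
# <event id> <message>" layout of the Computer Detail report. Long messages
# are cut to their first sentence; host/user names were redacted in the post.
SAMPLE_EVENTS = r"""21/04/2008 10:15:53 1006 Microsoft Forefront Client Security scan has detected spyware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
Scan ID: {4579CF6D-34F0-4591-AE07-28E42A94016D}
User: NT AUTHORITY\NETWORK SERVICE
Name: Trojan:Win32/Vundo.gen!D
ID: 2147602644
Severity: Severe
Path Found: process
id:1060
Detection Type: Generic
22/04/2008 08:31:59 3004 Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
Agent: On Access
User: \
Name: Trojan:Win32/Vundo.gen!D
ID: 2147602644
Severity: Severe
Path Found: file:C:\Program Files\Skype\Phone\Skype.exe
Status: Allow
22/04/2008 08:31:58 3004 Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
Agent: On Access
User: XXX\YYY (real data removed)
Name: Trojan:Win32/Vundo.gen!D
ID: 2147602644
Severity: Severe
Path Found: process
id:308
Alert Type: Spyware or other potentially unwanted software
Status:
"""

HEADER_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\d{4}) (.*)$")
# Field names as they appear in the post's events (assumed to be the full set).
KNOWN_FIELDS = ("Scan ID", "Scan Type", "Scan Parameters", "Agent", "User", "Name", "ID", "Severity",
                "Category", "Path Found", "Alert Type", "Process Name", "Detection Type", "Status")
FIELD_RE = re.compile(r"^(%s): ?(.*)$" % "|".join(map(re.escape, KNOWN_FIELDS)))


@dataclass
class FcsEvent:
    timestamp: str
    event_id: int  # 1006: scan detection, 3004: real-time protection detection
    message: str
    url: Optional[str] = None
    fields: Dict[str, str] = field(default_factory=dict)


def parse_events(text: str) -> List[FcsEvent]:
    # "Key: value" lines become fields; an unrecognised line such as "id:1060"
    # is treated as a continuation of the previous field ("Path Found: process").
    events: List[FcsEvent] = []
    last_key: Optional[str] = None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            events.append(FcsEvent(m.group(1), int(m.group(2)), m.group(3)))
            last_key = None
            continue
        if not events or not line or line.startswith("For more information"):
            continue
        fm = FIELD_RE.match(line)
        if line.startswith("http://"):
            events[-1].url = line
        elif fm:
            last_key = fm.group(1)
            events[-1].fields[last_key] = fm.group(2).strip()
        elif last_key:
            events[-1].fields[last_key] += " " + line
    return events


def summarize(events: List[FcsEvent]) -> Dict[str, dict]:
    # Per-threat roll-up: the view the console summary did not give the poster.
    out: Dict[str, dict] = {}
    for ev in events:
        name = ev.fields.get("Name")
        if not name:
            continue
        s = out.setdefault(name, {"severity": "", "scan_hits": 0, "realtime_hits": 0,
                                  "allowed": False, "paths": []})
        s["severity"] = ev.fields.get("Severity", s["severity"])
        s["scan_hits"] += int(ev.event_id == 1006)
        s["realtime_hits"] += int(ev.event_id == 3004)
        # "Status: Allow" on a 3004: the event text says FCS cannot undo an allowed change.
        s["allowed"] = s["allowed"] or ev.fields.get("Status") == "Allow"
        if ev.fields.get("Path Found") and ev.fields["Path Found"] not in s["paths"]:
            s["paths"].append(ev.fields["Path Found"])
    return out


def needs_admin_attention(summary: Dict[str, dict]) -> List[str]:
    # This script's own rule, not FCS alert-level logic: Severe, or an allowed change.
    return sorted(n for n, s in summary.items() if s["severity"] == "Severe" or s["allowed"])
```

Run over the three events it reports one threat, Trojan:Win32/Vundo.gen!D, with one scan hit, two real-time hits, an allowed change on Skype.exe and three distinct paths; the same parse can be pointed at the event text exported from several machines to get the cross-fleet view the poster was looking for instead of waiting for a user to notice a red icon.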