Malware event not reported

  • Question

  • Hi

     

    This morning, a user reported that their FCS icon had turned red after a scan yesterday.  When I checked the FCS server console, it didn't show any malware in the summary, but when I looked in the Events section of the "Computer Detail" report for that PC, I found this event:

     

    21/04/2008 10:15:53 1006  Microsoft Forefront Client Security scan has detected spyware or other potentially unwanted software.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
    Scan ID: {4579CF6D-34F0-4591-AE07-28E42A94016D}
    Scan Type: AntiMalware
    Scan Parameters: Full Scan
    User: NT AUTHORITY\NETWORK SERVICE
    Name: Trojan:Win32/Vundo.gen!D
    ID: 2147602644
    Severity: Severe
    Category: Trojan
    Path Found: process:pid:1060
    Detection Type: Generic 

     

    And later events, today:

     

    22/04/2008 08:31:59 3004  Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
    Scan ID: {2FC93488-AF4E-486E-8107-7C23A7FE5CDE}
    Agent: On Access
    User: \
    Name: Trojan:Win32/Vundo.gen!D
    ID: 2147602644
    Severity: Severe
    Category: Trojan
    Path Found: file:C:\Program Files\Skype\Phone\Skype.exe
    Alert Type:
    Process Name:
    Detection Type: Concrete
    Status: Allow 


    22/04/2008 08:31:58 3004  Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
    Scan ID: {080A2688-A3A6-4B80-ABFD-2D3A5F3421B8}
    Agent: On Access
    User: XXX\YYY (real data removed)
    Name: Trojan:Win32/Vundo.gen!D
    ID: 2147602644
    Severity: Severe
    Category: Trojan
    Path Found: process:pid:308
    Alert Type: Spyware or other potentially unwanted software
    Process Name:
    Detection Type: Generic
    Status: 

    So it appears there is an infection, although it may prove to be a false positive.  Anyway, I would have expected this to have been visible at the console "Reporting Critical Issues" or at least "Malware detected" as well as in the more detailed reports.  As far as I'm aware, I haven't changed anything in this regard from the default set up.

     

    Any help appreciated.


    David

    Tuesday, April 22, 2008 4:53 PM
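The events quoted above are plain "Key: Value" text, so an administrator who does not trust the console summary can pull them out of the "Computer Detail" report and triage them directly. The script below is an added example (not part of the original post and not Microsoft's code): it parses event blocks in the layout shown in the post, flags every Severe detection whose Status is empty or "Allow" (the 3004 message text itself says allowed changes are not undone), and builds the per-threat summary the poster expected to see. The sample text is constructed from the values in the post plus one extra event with Status: Remove for contrast; the event header format and field names are assumed to be exactly as quoted.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of the FCS report events quoted in the post.
# Message sentences are shortened; the fourth event is invented for contrast.
SAMPLE_EVENTS = """\
21/04/2008 10:15:53 1006  Microsoft Forefront Client Security scan has detected spyware or other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
Scan ID: {4579CF6D-34F0-4591-AE07-28E42A94016D}
Scan Type: AntiMalware
Scan Parameters: Full Scan
User: NT AUTHORITY\\NETWORK SERVICE
Name: Trojan:Win32/Vundo.gen!D
ID: 2147602644
Severity: Severe
Category: Trojan
Path Found: process:pid:1060
Detection Type: Generic

22/04/2008 08:31:59 3004  Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:Win32/Vundo.gen!D&threatid=2147602644
Scan ID: {2FC93488-AF4E-486E-8107-7C23A7FE5CDE}
Agent: On Access
User: \\
Name: Trojan:Win32/Vundo.gen!D
ID: 2147602644
Severity: Severe
Category: Trojan
Path Found: file:C:\\Program Files\\Skype\\Phone\\Skype.exe
Alert Type:
Process Name:
Detection Type: Concrete
Status: Allow

22/04/2008 08:31:58 3004  Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
Scan ID: {080A2688-A3A6-4B80-ABFD-2D3A5F3421B8}
Agent: On Access
User: XXX\\YYY
Name: Trojan:Win32/Vundo.gen!D
ID: 2147602644
Severity: Severe
Category: Trojan
Path Found: process:pid:308
Alert Type: Spyware or other potentially unwanted software
Detection Type: Generic
Status:

23/04/2008 09:00:00 3004  Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
Agent: On Access
Name: Trojan:Win32/Vundo.gen!D
Severity: Severe
Category: Trojan
Path Found: file:C:\\Temp\\constructed-sample.exe
Status: Remove
"""

# "dd/mm/yyyy hh:mm:ss <event id>  <message>" opens each event block.
HEADER_RE = re.compile(r"^(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2}) (\d+)\s+(.*)$")
# Non-greedy key so "Name: Trojan:Win32/..." splits at the first colon only.
FIELD_RE = re.compile(r"^([A-Za-z ]+?): ?(.*)$")


@dataclass
class FcsEvent:
    date: str
    time: str
    event_id: int
    message: str
    fields: Dict[str, str]


def parse_events(text: str) -> List[FcsEvent]:
    """Split report text into events; each 'Key: Value' line goes into fields."""
    events: List[FcsEvent] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            events.append(FcsEvent(m.group(1), m.group(2), int(m.group(3)), m.group(4), {}))
            continue
        if not events or not line.strip():
            continue
        if line.startswith(("http://", "https://")):
            events[-1].fields["Info URL"] = line.strip()
            continue
        f = FIELD_RE.match(line)
        if f:
            events[-1].fields[f.group(1).strip()] = f.group(2).strip()
    return events


def needs_attention(ev: FcsEvent) -> Optional[str]:
    """Reason to escalate a Severe event, or None when it was already remediated."""
    if ev.fields.get("Severity") != "Severe":
        return None
    status = ev.fields.get("Status", "")
    if status == "Allow":
        return "user allowed a Severe detection; real-time protection will not undo it"
    if status == "":
        return "Severe detection with no recorded remediation status"
    return None


def triage(text: str) -> List[dict]:
    """Every event an administrator should look at, oldest first as listed."""
    out = []
    for ev in parse_events(text):
        reason = needs_attention(ev)
        if reason:
            out.append({"when": f"{ev.date} {ev.time}", "event_id": ev.event_id,
                        "threat": ev.fields.get("Name"), "path": ev.fields.get("Path Found"),
                        "status": ev.fields.get("Status", ""), "reason": reason})
    return out


def summarize(text: str) -> Dict[str, dict]:
    """Per-threat counts and paths, the view the poster expected in the console."""
    summary: Dict[str, dict] = {}
    for ev in parse_events(text):
        entry = summary.setdefault(ev.fields.get("Name", "<unknown>"),
                                   {"events": 0, "allowed": 0, "paths": set()})
        entry["events"] += 1
        if ev.fields.get("Status") == "Allow":
            entry["allowed"] += 1
        if ev.fields.get("Path Found"):
            entry["paths"].add(ev.fields["Path Found"])
    return summary


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print(summarize(SAMPLE_EVENTS))
```

Run against the quoted events, the script reports all three Severe detections, including the one the user chose to Allow on Skype.exe, while the constructed Status: Remove event is left alone; that is the distinction a console summary should surface, not just whether a signature fired.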

All replies

  • It seems that Skype.exe was identified as a trojan by mistake. See this: http://www.news.com/8301-10789_3-9926921-57.html for example.

     

    Friday, April 25, 2008 8:43 AM
  • Thanks for the link - that explains what caused the alert.

     

    Though I'm still uncertain about how/whether this was supposed to be reported in the console & reports.  The only reason I knew about it as an administrator was the user telling me they had a red Forefront icon, and I dug down to find the event.  I've tried increasing the alert level from 3 to 5, but it seems to me that at level 3, I should have seen the malware alert in the console.

     

    David

    Monday, April 28, 2008 8:45 AM