Hotbar false detection?

  • We're getting widespread reports of Hotbar being found, but it appears that it's tagging its own delta signature?

    When we look in the path the listed file is already gone. History on the client doesn't record it though the event log does. Signatures at the time were 1.109.66.0. Are we looking at a false detection? Example:

    Event Type: Warning
    Event Source: FCSAM
    Event Category: None
    Event ID: 3004
    Date:  7/21/2011
    Time:  1:04:50 PM
    User:  N/A
    Computer: FFMS
    Description:
    Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
     For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Adware:Win32/Hotbar&threatid=6204
      Scan ID: {8A7BAC84-4420-4894-8A1B-5CA5BAFDD44B}
      Agent: On Access
      User: NT AUTHORITY\SYSTEM
      Name: Adware:Win32/Hotbar
      ID: 6204
      Severity: Medium
      Category: Adware
      Path Found: file:C:\WINDOWS\Temp\E8D2D12E-8D99-4590-9107-0C55E2301E07-Sigs\738F9DB5-90F6-48D3-87D1-6499573782CDmpasdlta.vdm.old.temp
      Alert Type: Spyware or other potentially unwanted software
      Process Name: C:\WINDOWS\system32\MpSigStub.exe
      Detection Type: Concrete
      Status: Allow

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Thursday, July 21, 2011 7:27 PM
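An added triage helper, not code from the thread, that parses the FCSAM Event ID 3004 description quoted above and separates the case it shows (MpSigStub.exe flagging its own staged mpasdlta.vdm delta file under the GUID-named "-Sigs" temp folder) from any other detection carrying the same threat name. The second sample event and its path are constructed for illustration only.

```python
import re

# Constructed sample: the description fields from the post's Event ID 3004.
EVENT_FROM_POST = r"""Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
  Scan ID: {8A7BAC84-4420-4894-8A1B-5CA5BAFDD44B}
  Agent: On Access
  User: NT AUTHORITY\SYSTEM
  Name: Adware:Win32/Hotbar
  ID: 6204
  Severity: Medium
  Category: Adware
  Path Found: file:C:\WINDOWS\Temp\E8D2D12E-8D99-4590-9107-0C55E2301E07-Sigs\738F9DB5-90F6-48D3-87D1-6499573782CDmpasdlta.vdm.old.temp
  Alert Type: Spyware or other potentially unwanted software
  Process Name: C:\WINDOWS\system32\MpSigStub.exe
  Detection Type: Concrete
  Status: Allow"""

# Constructed (hypothetical) event: same name, but not the updater's staging folder.
OTHER_EVENT = r"""Microsoft Forefront Client Security Real-Time Protection agent has detected changes.
  Name: Adware:Win32/Hotbar
  Path Found: file:C:\Documents and Settings\user\Local Settings\Temp\hb_install.exe
  Process Name: C:\Program Files\Internet Explorer\iexplore.exe
  Status: Allow"""

# "Key: value" lines; the key has no colon, so "Path Found: file:C:\..." splits correctly.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$", re.M)
# Staged delta layout seen in the post: \<GUID>-Sigs\<GUID>mpasdlta.vdm...
STAGED_DELTA_RE = re.compile(r"\\[0-9A-F-]{36}-Sigs\\[0-9A-F-]{36}mpasdlta\.vdm", re.I)
SIG_STUB = "mpsigstub.exe"


def parse_fcsam_event(description):
    """Return the 'Key: value' lines of an FCSAM 3004 description as a dict."""
    return {k.strip(): v.strip() for k, v in FIELD_RE.findall(description)}


def is_signature_self_detection(fields):
    """True when the signature updater flagged its own staged delta file."""
    path = fields.get("Path Found", "")
    proc = fields.get("Process Name", "").lower()
    return proc.endswith(SIG_STUB) and STAGED_DELTA_RE.search(path) is not None


def triage(descriptions):
    """Count events as the known update artefact versus ones that still need review."""
    counts = {"signature-update false positive": 0, "review": 0}
    for text in descriptions:
        fields = parse_fcsam_event(text)
        key = "signature-update false positive" if is_signature_self_detection(fields) else "review"
        counts[key] += 1
    return counts
```

Feed it the Description text of each FCSAM 3004 event pulled from the clients' Application logs; anything landing in "review" is a detection that cannot be explained by the signature update itself.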

All replies

  • This is happening to me also and is a known issue - http://social.technet.microsoft.com/Forums/en-US/FCSNext/thread/6689cd09-de3d-47ef-8d22-936c4dcc2372

    MSFT supposedly working on a fix.

    Thursday, July 21, 2011 7:31 PM
  • Thanks for the info. I see there's a post in that link that just showed up saying updating a second time will correct it. That's really not a good answer, as the alert is still being seen by the clients and of course they generate questions. I just declined that particular signature in WSUS to keep it from going out to thousands more. The next signature should be good; we'll see when it gets released.

    Johnny G. Joswiak IS Technical Services The University of Texas Medical Branch
    Thursday, July 21, 2011 9:01 PM