FCS detected SCOM file as Win32/CVE-2011-0658

  • Question

  • Yesterday (June 16th), we received an alert that one of our machines was infected with Win32/CVE-2011-0658.  In checking the details, the file that was quarantined is: C:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store\edb.chk

    I checked the definition date and the definition for this infection was released on June 15th.  We are now seeing multiple computers infected, both Windows 7 and XP.  Has anyone else seen this behavior before, where FCS detects SCOM files as infected?  Can anyone help me determine if there really is an infection here?

    Here are the infection details:
    ----------------------------------
    Microsoft Forefront Client Security Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer. Allow changes only if you trust the program or the software publisher. Microsoft Forefront Client Security can't undo changes that you allow.
    For more information please see the following:
    http://go.microsoft.com/fwlink/?linkid=37020&name=Exploit:Win32/CVE-2011-0658&threatid=2147646548
    Scan ID: {3CF6197D-7AE5-4AAB-8993-792F5D45AC87}
    Agent: On Access
    User: NT AUTHORITY\SYSTEM
    Name: Exploit:Win32/CVE-2011-0658
    ID: 2147646548
    Severity: Severe
    Category: Exploit
    Path Found: file:C:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store\edb.chk
    Alert Type:
    Process Name: C:\Program Files\System Center Operations Manager 2007\HealthService.exe
    Detection Type: Heuristics
    Status: Suspend

    Friday, June 17, 2011 3:29 PM
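As an added triage example (not part of the post above and not Microsoft or SCOM code), the PowerShell script below gathers the evidence a responder would want before deciding between a false positive and a real infection: it hashes and stamps the two files named in the alert, checks that the process that wrote edb.chk (HealthService.exe) still carries a valid Microsoft Authenticode signature, and checks that edb.chk starts with an ESE (Jet Blue) header. The file and process paths are taken verbatim from the alert; the ESE magic value 0x89ABCDEF at byte offset 4 is an assumption about the checkpoint-file format, so treat a failed header check as a reason to look closer, not as a verdict. Run it on an affected host before quarantine, or after restoring the quarantined file to an isolated folder and pointing $alertFile at that copy.

```powershell
# Added triage script, not from the original post. Assumes PowerShell 2.0 or later
# and read access to the two files named in the FCS alert.
$alertFile    = 'C:\Program Files\System Center Operations Manager 2007\Health Service State\Health Service Store\edb.chk'
$alertProcess = 'C:\Program Files\System Center Operations Manager 2007\HealthService.exe'

function Get-Sha256Hex {
    # SHA-256 of a file, as an upper-case hex string (works on PS 2.0, unlike Get-FileHash).
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $hash = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

function Test-EseHeader {
    # Assumption: ESE checkpoint/database/log files carry a 32-bit header checksum
    # followed by the magic 0x89ABCDEF, stored little-endian at byte offset 4.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $buf = New-Object byte[] 8
        $n   = $fs.Read($buf, 0, 8)
    } finally { $fs.Close() }
    if ($n -lt 8) { return $false }
    $expected = [byte[]](0xEF, 0xCD, 0xAB, 0x89)   # 0x89ABCDEF, little-endian
    for ($i = 0; $i -lt 4; $i++) {
        if ($buf[4 + $i] -ne $expected[$i]) { return $false }
    }
    return $true
}

# 1. Record size, timestamp and hash of both files (compare across affected hosts).
foreach ($p in @($alertFile, $alertProcess)) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "Not found (already quarantined?): $p"
        continue
    }
    $item = Get-Item -LiteralPath $p
    "{0}`n  size={1}  modified={2}  sha256={3}" -f $p, $item.Length, $item.LastWriteTime, (Get-Sha256Hex $p)
}

# 2. Is the process that wrote edb.chk the genuine, Microsoft-signed SCOM agent?
if (Test-Path -LiteralPath $alertProcess) {
    $sig = Get-AuthenticodeSignature -FilePath $alertProcess
    "HealthService.exe signature: {0}; signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject
}

# 3. Does edb.chk still look like an ESE checkpoint rather than an injected payload?
if (Test-Path -LiteralPath $alertFile) {
    "edb.chk has ESE header magic: {0}" -f (Test-EseHeader $alertFile)
}
```

A valid signature on HealthService.exe plus an intact ESE header on edb.chk, seen on every affected host, points to a heuristic false positive on a legitimately churning checkpoint file; a tampered or unsigned HealthService.exe, or an edb.chk that is not an ESE file, is the case where the alert deserves a full incident response rather than an exclusion.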