FCS not removing Tupym.A and Tupym.A!

  • Question

  • Hi, we are seeing lots of infections of Tupym.A and Tupym.A! at our company. The two identified files that Forefront Client Security detects and cleans are system_3.exe and autorun.ini, located on the user desktop. These are not removed by FCS, despite them being detected and receiving a 'successfully cleaned' message. Definitions are up to date.

    The only way I am able to remove this is to use MalwareBytes Anti-Malware which detects the same two files, and also a reg key @ HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Yahoo Messengger (Forefront is not detecting this). Unfortunately because so many machines are infected, as soon as the machine connects again to an infected share, it is infected again.

    I have submitted the malicious files to Microsoft already in case they have evolved or changed but have been told the latest definitions will remove these files. Is anyone else seeing this issue? At the moment it is a big problem for us, as it is infecting and spreading via NTFS shares, and we are unable to manually clean the machines quickly enough.

    Wednesday, January 8, 2014 8:36 AM
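    A defender-side triage sweep for the three indicators named in the post (the two desktop files and the HKCU Run value), added here as example code that is not from the thread or from Microsoft. It assumes profiles live under C:\Users, only inspects user hives currently loaded under HKEY_USERS, and reports rather than removes, leaving cleanup to the AV product.

```powershell
# Added example: report the Tupym indicators described in the post on the local machine.
# File names, desktop location and the Run value name ('Yahoo Messengger', as spelled
# in the post) come from the thread; the profile root and output format are assumptions.
$FileNames = @('system_3.exe', 'autorun.ini')       # dropped on the user's Desktop
$RunValue  = 'Yahoo Messengger'                       # value under HKCU\...\Run (sic)
$RunSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
$ProfileRoot = 'C:\Users'                             # assumption: default profile root

function Get-TupymIndicators {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Dropped files on every profile's Desktop, not only the logged-on user's.
    foreach ($profile in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $desktop = Join-Path $profile.FullName 'Desktop'
        foreach ($name in $FileNames) {
            $candidate = Join-Path $desktop $name
            if (Test-Path -LiteralPath $candidate) {
                $findings.Add([pscustomobject]@{ Type = 'File'; User = $profile.Name; Item = $candidate })
            }
        }
    }

    # 2. Persistence value in each loaded user hive (HKU\<SID>). Hives of users who
    #    are not logged on are not mounted, so those profiles are not covered here.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
             Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $hives) {
        $key   = "Registry::HKEY_USERS\$($hive.PSChildName)\$RunSubKey"
        $props = Get-ItemProperty -Path $key -Name $RunValue -ErrorAction SilentlyContinue
        if ($props -and $props.$RunValue) {
            $findings.Add([pscustomobject]@{ Type = 'RunKey'; User = $hive.PSChildName; Item = "$RunValue = $($props.$RunValue)" })
        }
    }
    return $findings
}

$hits = Get-TupymIndicators
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize     # non-zero exit lets a deployment tool flag the host
    exit 1
}
'No Tupym indicators found.'
exit 0
```

    Run it elevated so every profile's Desktop is readable; a non-zero exit code lets the check double as a compliance test for hosts that FCS reported as cleaned.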

Answers

  • Dear all,

    Thank you for the responses. In the end a Premier call was raised and I submitted the files again to the person working the case. The files were added to the definitions and are now successfully cleaning the machines.

    We will be pushing SCEP 2012 as soon as our environment is ready.

    Thanks again
    Rob

    • Marked as answer by Quan Gu Tuesday, January 14, 2014 2:16 AM
    Monday, January 13, 2014 11:21 AM

All replies

  • Hi,

    Unfortunately, I think we need to wait for MS updates, this is not related to configuration. Additionally, FCS is too old, why not try to deploy FEP 2010 or SCEP 2012.

    Best Regards

    Quan Gu

    Thursday, January 9, 2014 3:31 AM
  • Hi Dave,

    I am with the anti-malware team. Would you please try to select (or set policy) to explicitly remove and not clean/quarantine this threat and let me know how that goes? Also, could you give me the submission ID for the files you submitted? I would like to take a look at them myself. Thanks!

    Friday, January 10, 2014 2:25 AM