Forefront Does Not Detect Trojan.FakeAlert

  • Question

  • Forefront Client Security does not detect Trojan.FakeAlert, does not quarantine it, and does not remove it.  This is not a new virus, this is an old trojan that's been around a while.  Sure wish FCS would detect, quarantine, and remove it.
    Dave
    Thursday, January 13, 2011 11:06 PM

Answers

  • Hi,

    Thank you for the post.

    I am not sure whether this threat is part of our FCS signature or not. If you have a sample of this threat, please submit the malicious file to: https://www.microsoft.com/security/portal/Submission/Submit.aspx

    Once we get the sample file, our antivirus team will analyze it. If the analysis is that the software is malicious, they can then add detection for this threat.

    Thanks for your cooperation.

    Thanks,

    Miles

     


    • Marked as answer by Miles Zhang Monday, January 17, 2011 1:58 AM
    Friday, January 14, 2011 8:53 AM

All replies

  • The pest places itself at C:\Users\<username>\AppData\Local\Temp\<foldername>\pghrbralajb.exe

    The pest will generate a random-letter folder name.  In the latest instance of the infection on one of the computers I maintain, the folder name was xyhnkurcv.  I suspect the exe file name is randomly generated also.  The next infection I encounter I will submit a sample.  Thank you very much for the quick reply.


    Dave
    Friday, January 14, 2011 2:46 PM
  • The following registry keys will be created:

    HKEY_CURRENT_USER\SOFTWARE\qnpn7rjv93lf

    HKEY_CURRENT_USER\SOFTWARE\yr87fk3d2dnszapq2

    HKEY_CURRENT_USER\Software\qni8hj710fdl

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\xykwdjtn -> Value: xykwdjtn

    Thank you,


    Dave
    Friday, January 14, 2011 3:13 PM
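
Added example, not part of the original thread: a triage check for the persistence pattern reported in the two posts above, a `CurrentVersion\Run` value launching an executable from a random-letter folder under the user's Temp directory. It assumes the Run value's data is the path of the dropped executable (the thread does not state this); the function names, the user name `user1` and the non-malicious sample entries are constructed.

```python
import re
from ntpath import normpath

# An .exe sitting directly inside one letters-only folder under the per-user
# Temp directory, e.g. ...\AppData\Local\Temp\xyhnkurcv\pghrbralajb.exe.
# Heuristic only: folders containing digits or braces are not matched.
TEMP_EXE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[a-z]{6,}\\[^\\]+\.exe$",
    re.IGNORECASE,
)

def command_target(command):
    """Return the normalized executable path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end != -1 else command[1:]
    else:
        # Unquoted: take everything up to the first ".exe" followed by a space or the end.
        m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
        path = m.group(1) if m else command
    # normpath collapses "..\" segments so a detour through Temp is still seen.
    return normpath(path)

def suspicious_run_entries(entries):
    """entries maps Run value names to command lines (paths already expanded).
    Returns a sorted list of (value name, executable path) that match TEMP_EXE."""
    hits = []
    for name, command in entries.items():
        path = command_target(command)
        if TEMP_EXE.match(path):
            hits.append((name, path))
    return sorted(hits)

# Constructed sample of an HKCU Run key; only the first entry uses the
# folder, file and value names reported in the thread.
SAMPLE_RUN = {
    "xykwdjtn": r"C:\Users\user1\AppData\Local\Temp\xyhnkurcv\pghrbralajb.exe",
    "VendorTray": r'"C:\Program Files\Vendor\tray.exe" /background',
    "Setup": r"C:\Users\user1\AppData\Local\Temp\7zS4A3B\setup.exe",
    "SysTool": r"%windir%\system32\systool.exe",
}

if __name__ == "__main__":
    for name, path in suspicious_run_entries(SAMPLE_RUN):
        print(f"review Run value {name!r}: {path}")
```

A hit is a lead for review and sample submission, not a verdict: legitimate installers also run from Temp, and the random names change with each infection.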
  • Hi Dave,

    Please submit the malicious file to: https://www.microsoft.com/security/portal/Submission/Submit.aspx

    Thanks,

     Miles


    Monday, January 17, 2011 1:57 AM
  • Hi Miles,

    I removed the pest with Malware Bytes free AntiMalware product.  When another machine becomes infected with this pest I will submit the malicious file to the link above. 

    Thanks,


    Dave
    Tuesday, January 18, 2011 2:31 PM
  • Hi Miles,

    I submitted 3 files today from a virus infestation that Forefront Client Security did not detect, quarantine, and remove.  I hope this helps in making the product better.

    Thanks,


    Dave
    Wednesday, January 19, 2011 5:54 PM
  • Over a month later, and FCS STILL isn't detecting this. I cleaned the computer that had it before seeing this thread, but an update as to what is being done so that FCS detects this would REALLY be appreciated.
    Monday, February 14, 2011 9:42 PM
  • Hi Kari_marie,

    You might try this link for a pre-release signature and see if this helps.

    http://www.microsoft.com/security/portal/Shared/PreReleaseSignatures.aspx

    And you might give the Microsoft malicious software removal tool a shot at it also.

    Hope this helps you.

     


    Dave
    Monday, February 14, 2011 11:01 PM
  • This is insane as this virus is OLD and FF can't see it all over my network.  Too bad when a free tool is better than MS.
    qtcameo
    Tuesday, June 7, 2011 10:09 PM
  • We're seeing the same issue.  Just in the last couple of weeks, we've been infected with several Trojans (including WinNT/Alureon.S, Win32/FakeSysdef, Win32/Alureon.CT), PWS:Win32/Zbot, Windows XP Recovery, that Forefront Client Security is unable to remove.  And in some cases Forefront Client Security is unable to detect.  According to the Microsoft Malware Protection Center web site, most if not all of these malware were initially detected by definitions updates from 2010.  We've had to use Malware Bytes to remove the malware.  Some computers are so infected, they had to be rebuilt.  Why is Forefront Client Security not detecting and/or not removing these malware?  We recently replaced Symantec and Trend with Forefront Client Security.     
    Thursday, June 9, 2011 2:47 PM
  • Yes, I know.  We've been fighting another round of viruses that Forefront hasn't detected or cleaned.  But the "big boss" insists on using it because it's a Micro$oft product.
    Thursday, June 9, 2011 4:03 PM