Windows 8.1 update with KB2894853

TWONG
TWONG Posts: 2 Observer

Some workstations (10.1) detected a virus in Windows Update this afternoon. Thx.

Date: 2014-03-12  16:38:29+08:00

Host: xxxxxxxxx

Computer name: xxxxxxxxxxx

User account: SYSTEM

Product: F-Secure Anti-Virus (OID: 1.3.6.1.4.1.2213.12)

Severity: security alert (5)

Message: Malicious code found in file C:\Windows\WinSxS\Temp\PendingRenames\af468071ce3dcf0172000000d810f816.x86_windows-defender-nis-service_31bf3856ad364e35_6.3.9600.16452_none_b2b0d59e2e728367_nisipsplugin.dll_8f755bb5.

Infection: Gen:Trojan.Heur.fu!@xuJXcqli

Action: The file was quarantined.

Comments

  • Hi Twong,

    Thanks for the report. Could you please submit the sample to our lab so that we can investigate this detection further?

    https://analysis.f-secure.com/portal/login.html

    Provide the subscription ticket (TXXXXXX) via private message for follow-up.

  • TWONG
    TWONG Posts: 2 Observer

    I cannot find the file on the computer.

    I tried to download KB2894853 from Microsoft, but the downloaded file is OK.

    Now more than 10 workstations have detected the infection.

  • Hi Twong,

    You can try and use the unquar tool to retrieve the quarantined file at the origin of the detection.

    However, be sure to take precautions handling potentially dangerous files.

    Make sure you are restoring the correct files from the quarantine. There is a chance that the quarantine contains malware and you might risk real infection by releasing these items.

  • etomcat
    etomcat Posts: 147 Superuser

    Hello,

    I think this situation illustrates a problem with F-Secure products.

    The text of the virus alert says filename "XYZ" was quarantined because of malware "PQRS" infection. However, the alert fails to say that the file in quarantine has MD5 or SHA-1 checksum "123456ABCDE".

    Because of this, everybody has a more difficult job trying to find out if the alert is about a real virus or a false positive. It would be so much easier to have MD5 or SHA-1 info handy, which can be queried on the "virustotal.com" website.

    (File names can change easily and virus names mean almost nothing, because malware taxonomy has never been standardized among the antivirus vendors. The only tangible info would be cryptographic hash checksums, which F-Secure malware alerts fail to provide. Please correct this issue in FSAV 11.52!)

    Best regards: Tamas Feher, Hungary.
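The missing-hash problem raised in this thread is what makes an alert like the one quoted at the top hard to triage. As an added example (not F-Secure's or Microsoft's code), the Python below parses that alert format, decodes the WinSxS component name embedded in the quarantined path (architecture, component, public key token, version, culture, member file), and computes SHA-1/SHA-256 when the file is still on disk so it can be compared with the same component taken from a known-good copy of the update. The alert text is a constructed sample modelled on the one in the thread; the host name is a placeholder.

```python
import hashlib
import os
import re

# Constructed sample, modelled on the F-Secure alert quoted in the thread.
SAMPLE_ALERT = """Date: 2014-03-12  16:38:29+08:00
Product: F-Secure Anti-Virus (OID: 1.3.6.1.4.1.2213.12)
Message: Malicious code found in file C:\\Windows\\WinSxS\\Temp\\PendingRenames\\af468071ce3dcf0172000000d810f816.x86_windows-defender-nis-service_31bf3856ad364e35_6.3.9600.16452_none_b2b0d59e2e728367_nisipsplugin.dll_8f755bb5.
Infection: Gen:Trojan.Heur.fu!@xuJXcqli
Action: The file was quarantined.
"""

FIELD_RE = re.compile(r"^(\w+): (.*)$", re.M)
# WinSxS naming: <arch>_<name>_<publicKeyToken>_<version>_<culture>_<hash>[_<file>]
WINSXS_RE = re.compile(
    r"(?P<arch>x86|amd64|wow64|msil)_(?P<name>[\w.-]+?)_(?P<token>[0-9a-f]{16})_"
    r"(?P<version>\d+(?:\.\d+){3})_(?P<culture>[A-Za-z-]+)_(?P<hash>[0-9a-f]{16})"
    r"(?:_(?P<file>[^\\/_]+))?"
)

def parse_alert(text):
    """Split the alert into fields and pull the quarantined path out of Message."""
    fields = dict(FIELD_RE.findall(text))
    m = re.search(r"found in file (.+?)\.?$", fields.get("Message", ""))
    fields["Path"] = m.group(1) if m else None
    return fields

def parse_winsxs_name(path):
    """Decode the WinSxS component name embedded in the file name, or None."""
    m = WINSXS_RE.search(os.path.basename(path.replace("\\", "/")))
    return m.groupdict() if m else None

def file_hashes(path):
    """SHA-1/SHA-256 of the file, or None when it is gone (as in the thread)."""
    if not os.path.isfile(path):
        return None
    digests = {name: hashlib.new(name) for name in ("sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def triage(alert_text):
    """One record per alert: detection name, path, decoded component, hashes."""
    alert = parse_alert(alert_text)
    path = alert["Path"]
    return {"infection": alert.get("Infection"), "path": path,
            "component": parse_winsxs_name(path) if path else None,
            "hashes": file_hashes(path) if path else None}
```

With the component version and public key token in hand, the same member file can be pulled from a clean installation of KB2894853 and its hash compared with the quarantined copy, which settles the real-versus-false-positive question the thread is stuck on.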
