Windows 8.1 update with KB2894853

some workstations (10.1) detected virus in windows update this afternoon.  thx.

 

Date: 2014-03-12  16:38:29+08:00

Host: xxxxxxxxx

Computer name: xxxxxxxxxxx

User account: SYSTEM

Product: F-Secure Anti-Virus (OID: 1.3.6.1.4.1.2213.12)

Severity: security alert (5)

Message: Malicious code found in file C:\Windows\WinSxS\Temp\PendingRenames\af468071ce3dcf0172000000d810f816.x86_windows-defender-nis-service_31bf3856ad364e35_6.3.9600.16452_none_b2b0d59e2e728367_nisipsplugin.dll_8f755bb5.

Infection: Gen:Trojan.Heur.fu!@xuJXcqli

Action: The file was quarantined.

Answers

  • BenBen Posts: 2,640

    HI Twong,

     

    Thanks for the report. Could you please submit the sample to our lab so that we can investigate this detection further.

    https://analysis.f-secure.com/portal/login.html

     

    Provide the subscription ticket(TXXXXXX) via private message for follow up.

  • TWONGTWONG Posts: 16

    i cannot find the file in the computer.

     

    i tried to download the KB2894853 from Microsoft but the download file is OK.

     

    Now more than 10 workstations detected the infection.

  • BenBen Posts: 2,640

    HI Twong,

     

    You can try and use the unquar tool to retrieve the quarantine file at the origin of the detection. 

     

    However be sure to take precautions handling potentially dangerous files.

    Make sure you are restoring the correct files from the quarantine. There is a chance that the quarantine contains malware and you might risk real infection by releasing these items. 

  • etomcatetomcat Posts: 1,312

    Hello,

     

    I think this situation illustrates a problem with F-Secure products.

     

    The text of virus alert says filename "XYZ" was quarantined because of malware "PQRS" infection. However, the alerts fails to say the file in quarantine has MD-5 or SHA-1 checksum "123456ABCDE".

     

    Because of this, everybody has a more difficult job trying to find out if the alert is about a real virus or a false positive. It would be so much easier to have MD5 or SHA1 info handy, which can be queried on the "virustotal.com" website.

     

    (File names can change easily and virus names mean almost nothing, because malware taxonomy has never been standardized among the antivirus vendors. The only tangible info would be cryptographic hash checksums, which F-Secure malware alerts fail to provide. Please correct this issue in FSAV 11.52!)

     

    Best regards: Tamas Feher, Hungary.

This discussion has been closed.