Wednesday, 12 August 2009
The core problem seems to be a signature update from 31.6.6672 to 33.3.7051, there seems to be little consistency in what is being detected as a false positive although there are multiple occurrences of Nokia software, VNC and event DLLs and EXEs belonging to eTrust's core components.
Probably the best thing to do is block the update or change the Realtime scanning behaviour to "disabled" or "report only".
Update: problem seems to have started at about 0525 GMT when the new signature pattern applied. There no consistent pattern to the infected files, it looks like it happens at random. Several other people seem to be having the same issue!
Update 2: Signature pattern 34.0.6674 appears to fix this problem. You can then enjoy repairing your faulty machines.. thanks CA!
Update 3: Amusingly, CA eTrust seems to have deleted its own key components in many cases. I don't know if this is the first recorded case of an anti-virus application mistaking itself as malware!
Update 4: CA have released a statment as follows:
Last night, CA released a new updated antimalware engine. This new release has resulted in false positive detections of a number of files. CA Threat Manager customers are the only customers being affected by this issue. This is not a result of signature updates and does not impact CA consumer Internet security products.
To resolve the issue, CA has rolled back the new engine and re-released its previous antimalware engine. CA customer support representatives are on call to answer customer questions and to provide remediation support. A remediation tool to rename the quarantined files is now available through CA support and will soon be accessible online.
CA is aggressively working to resolve the issue, assist any customers who have been affected, as well as identify the root cause of the incident. We apologize for this inconvenience and look forward to the roll out of our new antimalware engine, which will ultimately offer our customers many benefits including enhanced malware protection and improved performance.
Update 5: Got a mention on El Reg.. funny thing is that I went in to work today wearing my El Reg T-Shirt. Coincidence? Consiparacy? Cockup?
PS: Please remember to read the comments if you are still having problems!
Friday, 20 February 2009
However, when having a poke at this it turns out that the current version is 31.6.6367 and 6361 is a few days old. A check of our distribution servers show that every single one of them worldwide failed to download version 31.6.6362 from the CA servers and fell over. This happened at around 2245 GMT on 17/2/09.
Log files are showing the following error: Error [0xc0010003] initializing redistribution job.
If you are running CA eTrust ITM, then it's worth checking that your signatures are up-to-date.
Tuesday, 27 May 2008
Detection rates are not good (VirusTotal results), and the real PestPatrol / eTrust product doesn't pick it up yet.
I strongly suspect that there's nothing good in the 126.96.36.199 - 188.8.131.52 range at all, and it is probably a good idea to block access to that entire IP block.
Wednesday, 21 May 2008
The fake pest-patrol.com is hosted on 184.108.40.206 in the Ukraine, a range of network addresses that features on the Spamhaus DROP list, and has domain registration service from Estdomains which always seems to be a popular choice with dodgy web sites.
The bottom of the page has a copyright notice claiming that it was created by "Pest Patrol, Inc.", but that is likely to be fake. A large amount of text has been copied and pasted directly from the real CA site. The "PestPatrol" name is pretty widely registered as a trademark, so apart from anything else, this fake pest-patrol.com site is clearly violating CA's trademark rights.
What's interesting about this is just how the pest-patrol.com domain ended up in the hands of a bunch of guys in Eastern Europe. Although the "PestPatrol" name is trademarked, that only applies to computer software. As is turns out, the original pest-patrol.com controlled pests of the creepy crawly variety. CA (or SaferSite Inc as it was before CA took over) would have had no claim over the domain name as it wasn't violating any trademark or causing confusion. But eventually the name expired and after being dropped a couple of times it ended up with someone who clearly is using it to violate a trademark.
The lesson for businesses is perhaps that they need to keep an eye on domains that could potentially violate a trademark or be confusing and secure them if they expire, several registrars can back order domain names. In the long run, that's probably easier than trying to track down an anonymous registrant from the former Soviet Union.
The download option on pest-patrol.com doesn't work at present, but it could be similar to this one (VirusTotal scan results) which appears on a sister site. Unfortunately, CA's genuine product doesn't seem to detect it..
Tuesday, 22 April 2008
[time 22/04/2008 12:54:21: ID 14: machine xxxxx.com: response 22/04/2008 12:54:46] The Win32/Loodok!generic.2 was detected in C:\DOCUME~1\XXXXX\LOCALS~1\TEMP...\SYSTEM.DLL. Machine: XXXXX, User: XXXXX\xxxxx. Status: File was cured; system cure performed.The subdirectory varies, but it is usually %user profiles%\local settings\temp\ns???.tmp where the question marks indicate a random letter/number. You may find that the subdirectory has vanished by the time you investigate.
This appears to be happening with the installer for Firefox (also tested with Netscape Navigator). You can see the problem if you snooze the AV scanner and then fire up the Firefox installer and leave it running.. the SYSTEM.DLL is clearly there.
Apart from eTrust, VirusTotal gives it a clean bill of health.
As usual with false positives, expect a fix to be issued by CA very soon. The problem seems to be with pattern 5723, so updating to a later virus signature should probably cure it.
Added: Pattern 5724 also reports a positive, but the beta version of 5725 does not. You can download beta signatures from CA here.
Added: 5725 is now available for download as normal, this should cure the problem!
Monday, 14 January 2008
In fact, the rarsfx0 directory is just a temporary folder created by RARLAB's WinRAR application - that's a harmless commercial file packager. This folder looks to have been included accidentally in a PestPatrol signature released on 9th January.
Note that if you have PestPatrol installed with the faulty signature, then WinRAR archives may not unpack properly.
Wednesday, 9 January 2008
The eTrust Distribution log shows the following:
Completed Time Type Code DescriptionNote that there are always 16 lines in the log.. the update process starts but never completes, and there's no error message.
09-Jan-2008 08:46:11 Information 0 1) Selected component "eTrust Antivirus Arclib Archive Libra...
09-Jan-2008 08:46:11 Information 0 2) Selected component "eTrust Antivirus Base"
09-Jan-2008 08:46:11 Information 0 3) Selected component "eTrust Antivirus Realtime Drivers"
09-Jan-2008 08:46:11 Information 0 4) Selected component "iGateway"
09-Jan-2008 08:46:11 Information 0 5) Selected component "eTrust ITM Common"
09-Jan-2008 08:46:11 Information 0 6) Selected component "eTrust ITM Agent GUI"
09-Jan-2008 08:46:11 Information 0 7) Selected component "CAUpdate"
09-Jan-2008 08:46:11 Information 0 8) Selected component "eTrust PestPatrol Base"
09-Jan-2008 08:46:11 Information 0 9) Selected component "eTrust PestPatrol Clean"
09-Jan-2008 08:46:11 Information 0 10) Selected component "eTrust PestPatrol Engine"
09-Jan-2008 08:46:11 Information 0 11) Selected component "eTrust PestPatrol Realtime"
09-Jan-2008 08:46:11 Information 0 12) Selected component "eTrust PestPatrol Signatures"
09-Jan-2008 08:46:11 Information 0 13) Selected component "eTrust Vet Engine"
09-Jan-2008 08:46:11 Information 0 Checking updates for "eTrust Antivirus Arclib Archive Librar...
09-Jan-2008 08:46:11 Information 0 Downloading from "SERVERNAME:42511"
09-Jan-2008 08:46:09 Information 0 The distribution program started the download process.
Show 10 Show 25 Show 50 Show All Page 1 « ‹ 1-16 of 16 › »
After working with our reseller we discovered the problem - it's not a problem with eTrust, but instead a very strange permissions issue that has happened with those PCs. What has happened is that the computer's SYSTEM account (which the eTrust services run under) doesn't have access to write to that part of the disk, despite having permissions explicitly set.
In the case of eTrust, the fix is to open up the Services control panel (Start.. Run.. services.msc), and then.
- Double-click on the eTrust ITM Job Service
- Click the Log On tab
- Change the credentials from the "Local System account" to the local Administrator account on the PC (i.e. username Administrator, password to whatever you set it to).
- Restart the service
- Either reboot the machine, or terminate the ITMDist service
- Tell the machine to download updates again.
Of course, you can also do this all remotely with the Computer Management tool and something like PSKILL (from PSTools), so you don't have to be sitting at the machine to do it.
As I said, I don't believe that this is an eTrust problem, it looks as though Windows is borked somehow, possibly an issue with SIDs or something. I have a feeling that other software misbehaves, possibly including Active Directory policies. I have no solution other than a complete rebuild, but if you're struggling to get eTrust updating properly, then I would definitely look at the user rights for the service.
Friday, 4 January 2008
The ISC reports that several websites have been compromised by a zero-day vulnerability in RealPlayer. The halware is hosted or routed via uc8010.com (currently down).
Surprisingly, one of the compromised web sites (since cleaned up) is ca.com (Computer Associates), who make the eTrust anti-virus product.
A Google search for uc8010.+com site:ca.com comes up with several dozen hacked pages, mostly press releases.
A look at a cached copy of the code shows a link to n.uc8010.com/0.js (don't visit this url) which then loads the exploit.
Note that everything here is a .gif to stop virus scanners freaking out.
To be fair, a lot of sites are compromised including government bodies and large corporations. It just goes to show that there's no such thing as a "safe site" any more.
Monday, 31 December 2007
The signature that has the problem is 31.3.5417 dated 31/12/07
If you're running Internet Explorer, then you may see an alert for an individual .js file as above, in a Mozilla-based browser (such as Seamonkey or Firefox) you may get a virus alert for a file named something similar to C:\Documents and Settings\USERNAME\Application Data\Mozilla\Profiles\Default\xxxxxxxx.SLT\CACHE\xxxxxxxxxxx
Usually, these false positives are fixed by CA pretty quickly. For most people this should just be a temporary nuisance that will be fixed with the latest virus update.
You can submit suspect files to CA here for analysis, that may well help them to fix the problem.