Sponsored by..

Wednesday 25 April 2007

BAT/IRCFlood false positive in change.log.2

I've been seeing a few false positives caused by the CA-VET virus scanner used in ZoneAlarm, CA eTrust and the CA ITM products (probably some others too) as follows:

[time 25/04/2007 15:08:22: ID 14: machine xxxxx.xxxxx: response 25/04/2007 15:09:13] The BAT/IRCFlood was detected in C:\SYSTEM VOLUME INF...\CHANGE.LOG.2. Machine: XXXXX, User: NT AUTHORITY\SYSTEM. File Status: Cure failed, file renamed.

This is just a log file that's part of the Windows XP system restore feature - the files are held in C:\System Volume Information in a folder to which users don't usually have access.

I'm pretty convinced this isn't a virus - it's just a log file - and I even ran it through VirusTotal which found nothing at all. I've contacted CA about it to see what they think.. we'll see.

In the meantime, if the antivirus alert is bugging you, you can delete the log file from your System Volume Information folder at your own risk. You will need to change permissions on the folder to do this (see this MS Technet article) and then drill down and delete the individual file in question. Like I said.. do this at your own risk!

No comments: