Trojans On Brand New Dell Optiplex?
Hi,
This is hopefully a false positive. We received 2 new Dell OptiPlex 320 machines this week and installed BitDefender AV 2008 on them. Then we did a deep scan with these results:
Remaining issues:
Object Name              Threat Name             Final Status
C:\i386\KB929123.Exe     Trojan.Generic.26321    Disinfect Failed
C:\i386\KB931784.EXE     Trojan.Generic.60170    Disinfect Failed
Both machines had the same results. No end user has used these systems.
So either there is something very wrong with Dell's build system or these are FP's.
We can upload the suspect files if necessary.
Thanks,
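A triage check a defender would run before treating a detection like this as a false positive, added here as an example and not part of the original post: it records each flagged file's SHA-256 and Authenticode signature status (Microsoft hotfix installers such as KBnnnnnn.exe are normally Microsoft-signed), assuming PowerShell 4 or later for Get-FileHash and the two paths from the scan report above.

```powershell
# Added triage helper (not from the thread): for each file the AV flagged,
# record its SHA-256 and Authenticode signature state so a suspected false
# positive can be judged, and reported to the vendor, with evidence.
# A valid Microsoft signature supports the FP hypothesis; a missing or
# broken signature is a reason to escalate rather than whitelist.
# Assumes PowerShell 4+ (Get-FileHash). Paths are those from the scan report.

$flagged = @(
    'C:\i386\KB929123.Exe',
    'C:\i386\KB931784.EXE'
)

function Get-FlaggedFileReport {
    param([string[]]$Paths)

    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; Sha256 = $null
                               SigStatus = 'n/a'; Signer = $null
                               Verdict = 'file missing (already quarantined?)' }
            continue
        }
        $hash   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $verdict = switch ($sig.Status) {
            'Valid'     { if ($signer -match 'Microsoft') { 'likely FP: valid Microsoft signature' }
                          else { 'valid signature, non-Microsoft signer: review' } }
            'NotSigned' { 'unsigned: submit sample, do not whitelist' }
            default     { "signature $($sig.Status): escalate" }   # HashMismatch, NotTrusted, ...
        }
        [pscustomobject]@{ Path = $p; Exists = $true; Sha256 = $hash
                           SigStatus = $sig.Status; Signer = $signer; Verdict = $verdict }
    }
}

# Print the report; pipe to Export-Csv instead to attach it to a support ticket.
Get-FlaggedFileReport -Paths $flagged | Format-List
```

The hashes let the vendor identify the exact samples without the reporter shipping the binaries, which also sidesteps the upload size limit discussed later in the thread.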
Comments
-
Hi HDB,
I moved your topic in a more appropriate section of the forum.
I believe these are FPs, but I really cannot say for sure. Please put the suspected files in a ZIP archive, protected by the password infected, and attach the archive to your next post. A BitDefender Virus Analyst will take a look at the files and, if necessary, they will remove detection.
Cris.0 -
Thanks very much Cris. We've put the files into 2 separate zips (to stay below the 2M upload limit) but the "Uploading File..." dialog never seems to complete. Is there a special browser setting we need?
0 -
Hello BHD,
It should work with any browser. But be sure to have scripts enabled.
What browser are you using?
Cris.0 -
Hi Cris,
Turns out that one of the two suspect zip files is slightly over 2M which is why it wasn't working. So here's the smaller one.
Is there another mechanism we can use to get the larger file to you?
Thanks
HBD0 -
Hello HBD,
You can send the archive to support@bitdefender.com. Explain there that it might be a FP and add to the message body a link to this topic.
Cris.0 -
The file uploaded here is clean; detection will be removed after the next update.
As for uploading files, you can use free file uploading services for larger files (megaupload.com, etc.), but make sure to archive the samples with the password infected.0 -
Thanks very much Vlad. I had sent the second file to support@bitdefender.com with a link to this forum post per Cris's instructions before I saw your message. Would you still like me to upload it somewhere else?
Thank you all very much for your help on this issue.0 -
Hi Vlad,
We haven't heard back from support, so here's a link to the 2nd possible false positive archive:
http://www.megaupload.com/?d=58NWJOTT
Thanks0 -
Megaupload says: "The file you are trying to access is temporarily unavailable."
I'll try again later.0 -
OK here's a YouSendIt link to the same file:
http://download.yousendit.com/10D7314A27842311
PS Might we suggest that BitDefender raise the 2MB file size limit on these forums? This "outside service file upload" procedure seems needlessly complicated. We are hopefully just trying to get a BD false positive detection repaired. Making this file upload procedure simpler will help improve BitDefender's products and will outweigh any slight increase in storage costs you might incur.
PPS On the two OptiPlex systems (which should be receiving hourly BD updates), both the already-declared false positive (and this one, of course) are still being flagged as trojaned. Do you know how long it should be before the definitions for these files are updated?
Thanks again for all your help Vlad.0 -
PPS On the two OptiPlex systems (which should be receiving hourly BD updates), both the already-declared false positive (and this one, of course) are still being flagged as trojaned. Do you know how long it should be before the definitions for these files are updated?
From the moment the detection is removed, to the moment this removal actually becomes an update for BD products there is a little time. But sometime tomorrow everything should be sorted.
Cris.0 -
Thanks Cris--you work pretty long hours :-)
Do you know if Vlad was able to download that second file?0 -
Thanks Cris--you work pretty long hours :-)
Do you know if Vlad was able to download that second file?
I don't work for BitDefender. None of the Moderators do (except for the SuperModerators). So I'm "working" from home (when I don't have something to do, I visit the forum to see what's new).
For the same reason, I can't keep continuous contact with Vlad (I see him from time to time on IM). But be sure that the moment he checks the file, he'll let you know.
Cris.0 -
Well you do a very good job Cris.
We have about 50 copies of BitDefender, so we know a fair amount about it. We have been able to find bypasses/workarounds for most of its quirks, but this FP issue stopped us because we can't deliver those machines in that state and we don't want to delete/quarantine files that are normal.
So far the experience on these forums has been FAR superior to any other method of support we've tried with BitDefender. The knowledge base seems to be empty (every time we search it for anything useful we come up with zero hits) and the online "chat" function doesn't seem to be staffed with very technical people. And as I mentioned previously, we sent the big file to support via email a while ago but have yet to hear anything back.
So thanks again for all you do on behalf of the company.
HBD0 -
From the moment the detection is removed, to the moment this removal actually becomes an update for BD products there is a little time. But sometime tomorrow everything should be sorted.
Cris.
Hi Vlad and Cris,
It's been about a day, but FYI both files are still being tagged as Trojans.
Thanks,
HBD0 -
I checked the first sample and it's no longer detected; I also removed detection from the second sample just now. In a couple of hours they should both be fixed. Please update your BD and try again.
Sorry about replying late, but our previous chat was at ~9 PM on Friday... I had to get home.
As for uploading files, unfortunately the forum is not an "official" method of getting replies from BD; some virus analysts (such as myself) check them from time to time, but it's not in the "job description". I'll try to raise the file size limit a little, but not being an official channel, there's not much I can do about it.
For future possible false alarms, you can PM me directly for a faster reply. I can't unfortunately do this for every FA on the forum, because the job I actually have to do usually takes more than 8 hrs/day...
Thanks for the feedback; it's much appreciated.0 -
Hi Vlad,
Thanks again for your help on this.
I'm wondering if we're doing something wrong, because we just updated BD (AV 2008) on both OptiPlex systems, then clicked "update" again just to be sure there were no further updates. Then we right clicked the i386 folder on both machines to start a contextual scan and both machines called out the same two files again as trojaned. Is there something else we need to do first?
BD History says: Virus Signatures: 935959, Engine Version: 7.15548
Greatly appreciate the ability to PM you; promise to not abuse it. Didn't realize you were doing this above and beyond the call of duty.
BTW, we did finally hear back from Support via email (we had submitted the second large file to them as a means of getting it to you). They said they were sending the files to the Virus Lab for analysis, so you may get to see them again :-)
Thanks,
HBD0 -
Hi Vlad,
Here is some good news:
Both OptiPlex's had basically been sitting idle since we originally wrote about the FP's. They had been getting automatic updates from BD, but that's about it. (We would also occasionally run BD update manually.) After each update we would rerun the scan and the two Trojans would again be called out.
We decided to reboot both machines after doing the last scan even though no reboot was requested by BitDefender (we don't use the "don't prompt; wait for reboot" option). We then ran the \i386 scan again. It seemed to take longer (on one of the machines) but this time the folder scanned clean on both systems :-)
So the good news is the problem is solved. We are wondering why the reboot was necessary; we have always assumed that BitDefender calls for a reboot when necessary. Most of our systems are not rebooted that often so we would like to understand this.
Thanks,
HBD0 -
They don't need to be rebooted. I can't imagine what happened, but I've never heard of this behavior before. It was most likely a very peculiar accident (perhaps a request to reboot got missed somehow, I really can't imagine).
0 -
OK, we'll assume it was just an oddity then. Thanks very much for all your help Vlad.
0 -
You are most welcome.
0