Quarantining Vista Files


After an update today, May 23, I noticed Bitdefender started flagging "PresentationCore.ni.dll" as Gen:Trojan.Heur.PT.FF97686868. As far as I can tell, this file is part of Windows Vista 64, as it lives in the Windows assembly directory. Has anybody else had this issue today?

Comments

  • alexcrist

    Hello wagswvu,


    Please put the file in a password-protected archive (with the password infected), upload it on a file sharing server and send me the download link through PM.


    Cris.

  • Lane68

    I'm using BD 2009 and Vista 64 bit and today (May 23) it's quarantined 3 files that I don't think are viruses...


    BDATunePIA.ni.dll


    mcupdate.ni.exe


    loadmxf.ni.exe

  • Rano

    yea same thing happened to me too


    idk im waiting for an update

  • yea same thing happened to me too


    idk im waiting for an update


    The same, but I have 12 files, all with .ni.exe extension and in a Windows folder...



  • Rano

    yea i have the same files in there too


    let me know if yours is back to normal

  • yea i have the same files in there too


    let me know if yours is back to normal


    My computer is working fine... I think that there is a backup from an update.


    I can restore the files, but when the OS accesses the files, or I perform a scan, BD moves the files to the quarantine...=S

  • 3 of the files came up on my screen, so i did a scan of that area.


    It looks like normal windows stuff, but if these are viruses, looks like a format for me!



  • vmanisme
    edited May 2009

    Hello, I got this virus too. The log says it cannot be deleted; here's a copy:


    "C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCore\51723e8b1fff9d531f76da0f8988c584\PresentationCore.ni.dll"


    threatType="virus"


    threatName="Gen:Trojan.Heur.PT.FF97686868"


    action="disinfect"


    finalStatus= "infected"


    error= "no action possible"


    ---Also it deleted some other assembly files. I did a scan and it found around 20-30 viruses (trojans) it deleted all of them except that one

  • alexcrist

    Detection for PresentationCore.ni.dll was a false alarm and was removed. Thank you for reporting.


    As for the other files: please update BitDefender, restore the quarantined files, and rescan that folder. If any of those files are still marked as infected, please put them in a password-protected archive (with the password infected), upload the archive on a file sharing server, and send me the download link through PM. I will forward them for analysis ASAP. Thank you.


    Cris.

  • Lane68

    I updated then restored the quarantined files, then after scanning it said 22 ni files were viruses...



  • alexcrist

    As I said, I need the files to send for analysis. Without the files, nobody can do anything. I can give the Analysis Department only the detection names, but in this case removal will take longer.


    So the easiest and fastest way is if someone who has this problem archives the files and sends them to me, as I said before.


    Cris.

  • Infomage
    edited May 2009

    I have a couple of files being flagged this way... Currently re-scanning, but I'll email them in as requested asap.


    P.S. - Wow! 8 now... Still - emailing.


    Edit2: Submitting from within the software instead - got cross with the files being quarantined every time I tried to zip them.

  • alexcrist

    Infomage, submitting from within the interface will take longer to process.


    Please temporarily disable BitDefender realtime protection, restore the files, and archive them. I'll send them so this can be solved faster. Thank you.


    Cris.

  • Infomage

    OK - will do... it's going to take a while.


    For confirmation, should I email to the generic support@ address?

  • alexcrist

    Please archive the files with the password infected, upload the archive to a file sharing server, and send me the download link through PM (or post it here).


    Cris.

  • Infomage
    edited May 2009

    OK - I am not registered with any file sharing sites and I don't have my own FTP access - where do you recommend I register?


    Scratch that - found one.


    Uploading now. I'll PM you the link.

  • alexcrist

    Detection was removed from the product. I just updated my BitDefender and the files (which I got from Infomage) are no longer detected.


    Please update BitDefender and rescan the files.


    Cris.

  • Detection was removed from the product. I just updated my BitDefender and the files (which I got from Infomage) are no longer detected.


    Please update BitDefender and rescan the files.


    Cris.


    Thank you for solving the issues ;)


    All my quarantine files are restored without a false positive ;)


    Thanks!!

  • Lane68

    Glad someone could get that bagged and tagged for you "as you said".


    I'm updated and restored and hoping BD has gotten it straightened out. 2 days of dealing with antivirus update problems is wearing my loyalty thin.

  • Infomage

    All fixed. Thanks Cris.

  • alexcrist
    Glad someone could get that bagged and tagged for you "as you said".


    I'm updated and restored and hoping BD has gotten it straightened out. 2 days of dealing with antivirus update problems is wearing my loyalty thin.


    False positives occur every day in any antivirus software, not just BitDefender. Why does this happen? Simple: because the Virus Analysts try to create different algorithms that will detect different viral behavior even before a sample of actual malware is analyzed. This method is called Heuristic scanning and is used to detect and protect from unknown malware.


    And sometimes, some of these algorithms also "detect" clean files. Heuristic scanning is not exactly an "exact science". It's only based on approximations and predictions.


    Now this being said... the only way to fix false positives (clean files flagged as infected, as a result of the above process) is to analyze those files and to fix the algorithms so those files aren't detected anymore. And this cannot be done without the files! And when I say once, or twice, or 3 times that someone needs to submit some samples, and the users just keep complaining about the problem, without anyone actually following my advice... well... no comment about it.


    As soon as Infomage sent me the files, I submitted them and the problem was fixed.


    All fixed. Thanks Cris.


    I'm glad I could help. :)


    Cris.


    == CLOSED (issue solved) ==

This discussion has been closed.
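
Added example, not part of the original thread and not BitDefender code: a Python triage helper that reads scan-log records carrying the `path` and `threatName` attributes users quoted in this thread, and groups heuristic hits inside the .NET native-image directory by detection name so a mass false positive stands out from unrelated detections. The log lines are constructed in that layout; the `DIR1`..`DIR3` directory names, the last record and all function names are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

NI = r"C:\Windows\assembly\NativeImages_v2.0.50727_64"
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def item_line(i, path, name):
    """Build one constructed record in the layout quoted in the thread."""
    return (f'<AffectedItem index="{i}" itemType ="File" path="{path}" '
            f'threatType="virus" threatName="{name}" action="disinfect" '
            'finalStatus= "infected" error= "disinfect failed"/>')

# Constructed sample: DIR1..DIR3 and the last record are placeholders.
SAMPLE_LOG = "\n".join(item_line(i, p, n) for i, (p, n) in enumerate([
    (NI + r"\dfsvc\DIR1\dfsvc.ni.exe", "Gen:Trojan.Heur.PT.1078878787"),
    (NI + r"\Microsoft.VisualC\DIR2\Microsoft.VisualC.ni.dll",
     "Gen:Trojan.Heur.PT.1078878787"),
    (NI + r"\PresentationCore\DIR3\PresentationCore.ni.dll",
     "Gen:Trojan.Heur.PT.FF97686868"),
    (r"C:\Users\example\Downloads\setup.exe", "Trojan.Constructed.Example"),
]))

def parse_items(log):
    """Return one attribute dict per <AffectedItem .../> record."""
    return [dict(ATTR.findall(body))
            for body in re.findall(r"<AffectedItem\b([^>]*)/>", log)]

def is_native_image(path):
    """True for files under <drive>\\Windows\\assembly\\NativeImages_*\\<assembly>."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return (len(parts) > 4 and parts[1:3] == ["windows", "assembly"]
            and parts[3].startswith("nativeimages_"))

def triage(log):
    clusters, other = defaultdict(set), []
    for item in parse_items(log):
        path, name = item["path"], item["threatName"]
        if is_native_image(path) and ".heur." in name.lower():
            clusters[name].add(PureWindowsPath(path).parts[4])  # assembly dir
        else:
            other.append(path)  # not part of the cluster: handle as usual
    # The same heuristic name on several different framework assemblies
    # suggests the signature is the common factor; report it with samples.
    shared = sorted(n for n, a in clusters.items() if len(a) > 1)
    return {"clusters": {n: sorted(a) for n, a in clusters.items()},
            "shared_signatures": shared, "other": other}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A result dominated by native-image paths is a prompt to collect and submit the samples as requested in the thread, not a verdict on the files.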