IT-DISCUSS Archives

IT-DISCUSS@LIST.UVM.EDU


IT-DISCUSS  May 2008

Subject: Re: nod32 false positives - adobe
From: Stefanie Ploof <[log in to unmask]>
Reply-To: Technology Discussion at UVM <[log in to unmask]>
Date: Thu, 22 May 2008 12:44:10 -0400

NEITHER.  Really!  I know you're tempted, but DON'T touch either option! 
(You already did, didn't you? :)

You need to shut down now, restart in safe mode with networking, and let 
the newer signature file install onto the computer.



On Thu, 22 May 2008, John K. Cooley wrote:

> I just booted a Latitude D630 and got a "Threat Found Alert".
>
> The file is C:\Windows\Installer\MSID.tmp
> "Event occured on a file modified by the application 
> C:\Windows\system32\msiexec.exe"
>
> Delete or Leave???
>
> This laptop is brand new out of the box today.  Sig is 3120.  I can not 
> update until I make this message go away.   Sooo... do I delete or leave?
>
> John
>
>
> Quoting Stefanie Ploof <[log in to unmask]>:
>
>> As Greg points out, ESET's official recommended solution is applying
>> virus signature 3121 or higher, which happens automatically when the
>> client computer requests the updated signature file from ESET.  Just
>> have to be able to get the computer logged in and back on the network
>> successfully to obtain the update, and there are so many strategies for
>> this that I encourage you to pick your favorite.  If you need advice
>> then please say so.
>> 
>> Check the version of the virus signatures: Hover over the ESET icon in
>> the system tray.  It will state the version of NOD32 itself, and then a
>> second line for virus signature db.  If hovering isn't working or you
>> don't see that icon then open ESET NOD32 Antivirus from Start->Programs
>> then look on the "Version of virus signature database" line for a
>> number greater than 3120 (as in: 3121, 3122, etc.).
>> 
>> If you turned off ThreatSense: Once the update is applied and virus
>> signature db is listed as 3121 or higher please re-enable ThreatSense
>> by following original instructions (in normal mode, as we've learned)
>> with a reverse of step 4:
>> 
>> 1. Open ESET NOD32.
>> 2. Tap F5 to bring up Setup.
>> 3. On the left pane under the word Tools click ThreatSense.Net .
>> **** 4. CHECKMARK the box "Enable ThreatSense Early Warning System".
>> 5. Click OK.
>> 
>> If you didn't turn off ThreatSense: Do nothing, but report any more
>> NOD32 oddities to the list.
>> 
>> 
>> ----
>> Stefanie Ploof
>> ETS Client Services
>> CALS Information Technology Office
>> University of Vermont, Burlington
>> 
>> On Thu, 22 May 2008, J. Greg Mackinnon wrote:
>> 
>>> On behalf of the committee of people who selected NOD32 as the currently
>>> supported antivirus solution on campus, I apologize for these problems. I
>>> had hoped that adopting NOD32 would eliminate these sorts of headaches
>>> for us, but I guess I was overly optimistic. Clearly, the 3.0 version of
>>> NOD32 was released before it was production ready. I can only hope that
>>> ESET gets the product stabilized very very soon.
>>>
>>> For what it is worth, it has been reported in the official ESET forums
>>> that virus signature 3121 and later fix this problem (3122 was the
>>> current release at the time of this posting). So, the proposed "fix" for
>>> this problem is to force update of your sigs if they are still out of
>>> date. If any Adobe apps are not working, restore the detected dll and exe
>>> files from quarantine by opening the NOD32 window, going to setup->toggle
>>> advanced, then go to tools->quarantine, and right-click the affected
>>> files, select the "restore" option, then reboot your system.
>>>
>>> One of the reasons that we selected NOD32 over competing solutions was
>>> its relatively low rate of false-positive detections. Still, "low rate"
>>> is not the same as "zero", and it only takes one false positive to poison
>>> your opinion on an anti-threat product.
>>>
>>> Unfortunately, no anti-threat vendor gets it right all the time,
>>> especially not Symantec. We have documented cases of crippling false
>>> positives and other system-destabilizing bugs under SAV. The history of
>>> problems started with the first Norton AV 7.5 release used on campus, and
>>> ran all the way up to the last-distributed 10.1 (XP) 10.2 (Vista)
>>> releases. Please do not continue to install SAV on campus systems. This
>>> product is no longer licensed, supported, nor maintained at UVM. We
>>> really need to remove SAV10 from the software distribution pages, and
>>> will do so soon. It only increases the base of problems that we have to
>>> deal with to run outdated anti-threat software.
>>>
>>> If you are experiencing problems with NOD32, just follow Stef's advice
>>> and disable the software for now. It won't kill anyone to run without AV
>>> protection for a few days.
>>> 
>>> -Greg Mackinnon
>>> 
>>> Mickey Mossey wrote:
>>>> Ahh.. back up and running.
>>>> 
>>>> With all these issues in the past few weeks with NOD32, I think I may be
>>>> going back to SAV10 until I can feel comfortable with NOD32.. even
>>>> though I've suggested against that to /everyone/ that's asked me if
>>>> that's what they should do...
>>>> 
>>>> 
>>>> Bryan Fleming wrote:
>>>>> 
>>>>> Same thing I'd encountered Mickey… You could probably disable the
>>>>> real-time file protection option in Nod32 and then have it work in
>>>>> non-safe mode. Of course you'd be without virus protection which would
>>>>> be bad so you'd need to be careful…
>>>>> 
>>>>> -Bryan
>>>>> 
>>>>> *From:* Technology Discussion at UVM  [mailto:[log in to unmask]] 
>>>>> *On Behalf Of *Mickey Mossey
>>>>> *Sent:* Thursday, May 22, 2008 10:12 AM
>>>>> *To:* [log in to unmask]
>>>>> *Subject:* Re: nod32 false positives - adobe
>>>>> 
>>>>> As of right now, I've gotten my computer running, but CTRL-ALT-DEL at
>>>>> the login won't do anything. Safe mode allows me to log in.
>>>>> 
>>>>> Stefanie Ploof wrote:
>>>>> 
>>>>> The details I have:
>>>>> 
>>>>> The file AISM_libFNP.dll that is associated with Adobe Acrobat 8 is
>>>>> being detected today as "probably a variant of an Unknown virus." This
>>>>> file has been on the systems for a long time, and it is perhaps (I can
>>>>> never say definitely) a false positive.
>>>>>
>>>>> However, when Vista users (particularly docked laptop users? unclear)
>>>>> click to Leave that file alone their computer locks up and becomes
>>>>> unusable.
>>>>>
>>>>> The ESET coders are definitely working on this very problem. I will
>>>>> have a "workaround" to mention shortly...
>>>>> 
>>>>> ----
>>>>> Stefanie Ploof
>>>>> ETS Client Services
>>>>> CALS Information Technology Office
>>>>> University of Vermont, Burlington
>>>>> 
>>>>> On Thu, 22 May 2008, Stefanie Ploof wrote:
>>>>> 
>>>>> 
>>>>> I was just coming downstairs to report this problem to the list!
>>>>> 
>>>>> I have submitted this problem to ESET from a computer affected by the
>>>>> problem. I am following up with them now via phone. I will report
>>>>> details back to the list.
>>>>> 
>>>>> 
>>>>> ----
>>>>> Stefanie Ploof
>>>>> ETS Client Services
>>>>> CALS Information Technology Office
>>>>> University of Vermont, Burlington
>>>>> 
>>>>> On Thu, 22 May 2008, Bryan Fleming wrote:
>>>>> 
>>>>> 
>>>>> So I'm doing some work this morning when I get a notice saying that
>>>>> there's a virus on my system (insert raised eyebrow here), look at the
>>>>> message and it says that it's an adobe dll. Ok, possible perhaps, but I
>>>>> didn't think it likely. Click 'leave'. System locks up in moments.
>>>>> Reboots will lock up even before log in sometimes.
>>>>>
>>>>> Safe mode works (yay) run through the various startups and remove some
>>>>> components on general principle (nothing like a problem to make you
>>>>> clean house). Still no luck. Pull the laptop off the docking station
>>>>> figuring I'd minimize components involved (and kill network
>>>>> connectivity in the process) and it actually logs in. Nod32 comes up
>>>>> with same message, sitting here on another computer I found this:
>>>>>
>>>>> http://www.wilderssecurity.com/showthread.php?p=1246746
>>>>>
>>>>> Seems that nod32 has taken to declaring some programs (including adobe)
>>>>> that use a particular licensing program as viruses. (I suspect from a
>>>>> particular point of view it might not always be mistaken, but that's
>>>>> beside the point)
>>>>>
>>>>> When I hit leave again nod32 crashed. (well part of it) Opened up Nod32
>>>>> saw I was on signature 3121, (said it had updated at 6:22 this morning)
>>>>> told it to update again. Said it didn't need to update but I've
>>>>> restarted since (back on the docking station) and so far it hasn't had
>>>>> a problem again.
>>>>>
>>>>> Moral of the story: Watch out today if you have client calls with odd
>>>>> crashes after a virus scan. Or at least don't just tell them to remove
>>>>> a virus threat if one is detected, find out what it is.
>>>>> 
>>>>> -Bryan
>>>>> 
>>>>> -- 
>>>>> 
>>>>> *Mickey Mossey*
>>>>> 
>>>>> *System Administrator / Programmer*
>>>>> 
>>>>> *University of Vermont*
>>>>> 
>>>>> *Development and Alumni Relations Information Systems*
>>>>> 
>>>>> *Personal Line: **802-656-4133 DARIS Main Line: **802-656-8310*
>>>>> 
>>>>> * *
>>>>> 
>>>>> *UVM's Alumni Website: **http://alumni.uvm.edu/*
>>>>> 
>>>>> *My Personal Website: **http://www.themickeyzone.com/*
>>>>> 
>>>> 
>>>> -- 
>>>> 
>>>> *Mickey Mossey*
>>>> 
>>>> *System Administrator / Programmer*
>>>> 
>>>> *University of Vermont*
>>>> 
>>>> *Development and Alumni Relations Information Systems*
>>>> 
>>>> *Personal Line: 802-656-4133 DARIS Main Line: 802-656-8310*
>>>> 
>>>> * *
>>>> 
>>>> *UVM's Alumni Website: **http://alumni.uvm.edu/*
>>>> 
>>>> *My Personal Website: **http://www.themickeyzone.com/*
>>>> 
>
