
Antivirus repeatedly finding different versions of same infected file, causing alert storm


Running Landesk 9.0 SP3 with LD AV. I set up basic alerting for when users get viruses, etc., and we're getting alert storms from what appears to be a single file that keeps getting restored over and over again. I'm working with Landesk/Kaspersky to get this particular file whitelisted and in the meantime I've put it in as a trusted item, but since it keeps getting restored back and the filename is changing, we keep getting alerts on the file.

 

Example is below:

Suspicious item C:\Windows\SysWOW64\mxcrsc32.LDRestore.LDRestore.LDRestore.LDRestore.LDRestore.LDRestore.LDRestore.LDRestore.exe was successfully quarantined.  Possible infection: HEUR:Trojan.Win32.Generic

 

As you can see, the original file name is mxcrsc32.exe, which is not a trojan, and it's been restored at least 8 times by something causing the alert storm (5 or more viruses caught on a PC in a short period of time).

 

I'd like to know what is causing the file to be "restored" or otherwise show up with the filename.LDRestore and how I can address that. Since it's dynamic in nature (keeps adding more .LDRestore to the end of the file name each time it restores it), I can't actually add the file as a trusted item. I don't want to whitelist the whole C:\Windows\SysWOW64 folder either. I tried whitelisting (add to trusted items) C:\Windows\SysWOW64\mxcrsc32.LDRestore.exe and that didn't help.

 

Thanks

 

Peter
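An added example, not part of the original post and not LANDesk or Kaspersky code: while the cause of the restores is investigated, the alert text itself can be triaged by stripping the repeated `.LDRestore` components so that every variant counts as one file. It assumes alerts are available as text lines in the wording quoted above; `normalize`, `group_alerts` and the sample lines are hypothetical names and constructed data.

```python
import re
from collections import defaultdict

# Alert wording taken from the post; treating alerts as plain text lines is an
# assumption, not a documented LANDesk export format.
ALERT_RE = re.compile(
    r"Suspicious item (?P<path>.+?) was successfully quarantined\.\s+"
    r"Possible infection: (?P<verdict>\S+)"
)
# A run of ".LDRestore" components sitting directly before the final extension.
RESTORE_RE = re.compile(r"(?:\.LDRestore)+(?=\.[^.\\]+$)", re.IGNORECASE)

def normalize(path):
    """Return (path_without_LDRestore_components, number_of_components)."""
    match = RESTORE_RE.search(path)
    if not match:
        return path, 0
    count = len(match.group(0)) // len(".LDRestore")
    return path[:match.start()] + path[match.end():], count

def group_alerts(lines):
    """Collapse alerts that differ only by .LDRestore components into one entry."""
    groups = defaultdict(lambda: {"alerts": 0, "max_restores": 0, "verdicts": set()})
    for line in lines:
        m = ALERT_RE.search(line)
        if not m:
            continue  # not a quarantine alert in the expected wording
        original, count = normalize(m.group("path"))
        entry = groups[original.lower()]  # Windows paths are case-insensitive
        entry["alerts"] += 1
        entry["max_restores"] = max(entry["max_restores"], count)
        entry["verdicts"].add(m.group("verdict"))
    return dict(groups)

# Constructed sample alerts (three variants of the file from the post, one unrelated).
_FMT = "Suspicious item {} was successfully quarantined.  Possible infection: {}"
SAMPLE_ALERTS = [
    _FMT.format("C:\\Windows\\SysWOW64\\mxcrsc32" + ".LDRestore" * n + ".exe",
                "HEUR:Trojan.Win32.Generic")
    for n in (1, 2, 8)
] + [_FMT.format("C:\\Users\\Public\\other.exe", "HEUR:Trojan.Win32.Generic")]

if __name__ == "__main__":
    for path, info in group_alerts(SAMPLE_ALERTS).items():
        print(f"{path}: {info['alerts']} alerts, up to {info['max_restores']} "
              f".LDRestore components, verdicts {sorted(info['verdicts'])}")
```

Grouping this way keeps the alert count per real file visible and shows whether the restore count is still climbing on a machine, without trusting the whole `C:\Windows\SysWOW64` folder.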

