Running Landesk 9.0 SP3 with LD AV. I set up basic alerting for when users get viruses, etc., and we're getting alert storms from what appears to be a single file that keeps getting restored over and over again. I'm working with Landesk/Kaspersky to get this particular file whitelisted, and in the meantime I've put it in as a trusted item, but since it keeps getting restored and the filename is changing, we keep getting alerts on the file.
Example is below:
Suspicious item C:\Windows\SysWOW64\mxcrsc32.LDRestore.LDRestore.LDRestore.LDRestore.LDRestore.LDRestore.LDRestore.LDRestore.exe was successfully quarantined. Possible infection: HEUR:Trojan.Win32.Generic
As you can see, the original file name is mxcrsc32.exe, which is not a trojan, and it's been restored at least 8 times by something, causing the alert storm (5 or more viruses caught on a PC in a short period of time).
I'd like to know what is causing the file to be "restored" or otherwise show up with the filename.LDRestore and how I can address that. Since it's dynamic in nature (keeps adding more .LDRestore to the end of the file name each time it restores it), I can't actually add the file as a trusted item. I don't want to whitelist the whole C:\Windows\SysWOW64 folder either. I tried whitelisting (add to trusted items) C:\Windows\SysWOW64\mxcrsc32.LDRestore.exe and that didn't help.
Thanks
Peter
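
Added example, not part of the original post and not LANDesk or Kaspersky code: a triage helper that collapses the growing ".LDRestore" chain in alert text so a storm can be counted per original file. The alert wording is assumed from the single sample above, the function names are hypothetical, and all sample lines except the first are constructed.

```python
import re
from collections import defaultdict

# Alert shape assumed from the one sample in the post; other variants are not covered.
ALERT_RE = re.compile(
    r"Suspicious item (?P<path>.+?) was successfully quarantined\. "
    r"Possible infection: (?P<verdict>\S+)"
)
# One or more ".LDRestore" segments sitting directly before the final extension.
CHAIN_RE = re.compile(r"((?:\.LDRestore)+)(\.[^.\\]+)$", re.IGNORECASE)
BASE = r"C:\Windows\SysWOW64\mxcrsc32"
TEMPLATE = "Suspicious item {} was successfully quarantined. Possible infection: {}"

SAMPLE_ALERTS = [
    # First entry mirrors the alert quoted in the post; the rest are constructed.
    TEMPLATE.format(BASE + ".LDRestore" * 8 + ".exe", "HEUR:Trojan.Win32.Generic"),
    TEMPLATE.format(BASE + ".LDRestore" * 7 + ".exe", "HEUR:Trojan.Win32.Generic"),
    TEMPLATE.format(BASE + ".LDRestore.exe", "HEUR:Trojan.Win32.Generic"),
    TEMPLATE.format(r"C:\Users\Public\sample.exe", "HEUR:Trojan.Win32.Generic"),
    "Definition update completed.",  # unrelated line, must be skipped
]


def normalize(path):
    """Return (original_path, restore_depth) for a quarantined path."""
    m = CHAIN_RE.search(path)
    if not m:
        return path, 0
    depth = len(m.group(1)) // len(".LDRestore")
    return path[:m.start()] + m.group(2), depth


def summarize(alert_lines):
    """Group alerts by normalized path (case-insensitive, as on Windows)."""
    groups = defaultdict(lambda: {"count": 0, "max_depth": 0, "verdicts": set()})
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m:
            continue
        original, depth = normalize(m.group("path"))
        g = groups[original.lower()]
        g["count"] += 1
        g["max_depth"] = max(g["max_depth"], depth)
        g["verdicts"].add(m.group("verdict"))
    return dict(groups)


if __name__ == "__main__":
    for path, info in summarize(SAMPLE_ALERTS).items():
        print(path, info["count"], "alerts, max restore depth", info["max_depth"])
```

This only groups alerts for reporting; it does not identify what performs the restore or change what the scanner flags.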