Lumension AntiVirus Technical Notification (AV Definition v7.1.1368158442)

Version 2

    Details

    Lumension Endpoint Management and Security Suite (LEMSS) with the AntiVirus module actively deployed

    HEATsoftware has determined that the antivirus (AV) definition file released at approximately 3:22am EST/8:22am GMT on Friday, May 10th 2013 (AV Definition v7.1.1368158442, created on 10 May 2013 05:00:42) included a signature that produces a false positive detection. Windows XP x86 systems that have applied the MS13-036 patch are affected. This issue only affects XP x86; it does not affect XP x64 or Windows Server 2003.

    IMPORTANT: Do not shut down or restart any Windows XP x86 systems which may be affected.

    Please check your AntiVirus Alert logs for the virus winpe/Tedroo.Z with the infected file listed as win32k.sys; this is the false positive detection.

    HEATsoftware released an updated definition file (v7.1.1368173351, created on 10 May 2013 09:09:11) at 6:24am EST/11:24am GMT on Friday, May 10th. Check that the AV definition file on your L.E.M.S.S. server is v7.1.1368173351 or higher. If it is not, follow the steps under RECOMMENDATION below to obtain the latest definition file before running any scans.

    IMPACT

    Endpoints that received the problem AV definition (v7.1.1368158442) and have run Real Time Monitoring and/or Recurring Scans with that definition file may show a virus entry for winpe/Tedroo.Z in their Virus Alerts. If that entry is present and the infected file is listed as win32k.sys, the configured detection action has been applied to win32k.sys, a critical system file that Windows XP needs in order to boot.

    If the “When a virus is detected” setting in your Real Time Monitoring or Recurring AV Scan policy is configured to “Attempt to clean, then quarantine, then delete,” win32k.sys may be sitting in the endpoint quarantine as a result of the false positive. You MUST restore it from quarantine before the system is rebooted; an XP system without win32k.sys will not start. If the system has already been rebooted, follow the recovery instructions under MITIGATION below.

    If the setting is configured to “Attempt to clean, then delete,” win32k.sys may have been deleted from the system as a result of the false positive. There is then no quarantined copy to restore, and you must follow the recovery instructions under MITIGATION below.

    CURRENT STATUS

    An updated AV definition file was released at approximately 6:24am EST/11:24am GMT on Friday, May 10th (v7.1.1368173351, created on 10 May 2013 09:09:11) that eliminates this false positive detection. Endpoints that receive this AV definition file, or a newer version, before being affected will not experience the false positive. Endpoints that scanned with the problem definition in the interim may already be affected, so check your Virus Alerts to confirm that no mitigation is required.

    RECOMMENDATION

    Please check the AV definition file on your L.E.M.S.S. Server by selecting ‘Tools’ > ‘Subscription Updates’ > ‘Configure’ button > ‘AntiVirus’ tab. Validate that the AV definition file is v7.1.1368173351 or higher. If it is not, click on the ‘Update Definitions’ button to receive the latest version.

    To check the AV definition file version on your endpoints, go to ‘Manage’ > ‘Endpoints’ and select the ‘AntiVirus’ tab, then sort by the ‘AV Definition Version’ column. We recommend that you disable ‘Scheduled Scan’ until every endpoint reports v7.1.1368173351 or higher.

    Please review the “When a virus is detected” setting in your Real Time Monitoring and Recurring Scan policies. HEATsoftware highly recommends the default setting of “Attempt to clean, then quarantine”: a quarantined file can be restored, whereas a deleted one cannot.

    To identify the endpoints that require mitigation, please check the virus alerts by navigating to ‘Review’ > ‘Virus and Malware Event Alerts’. You can filter this view by entering winpe/Tedroo.Z in the ‘Virus or malware name’ filter and clicking on the ‘Update View’ button.
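    The console filter above lists the affected alerts, but it does not say which recovery procedure each endpoint needs. The following script is an added example (not HEATsoftware/Lumension code) that classifies an exported alert list into the cases this notification distinguishes: false positive quarantined, false positive deleted, or no alert yet but still on a definition older than the fix. The export column names, the action labels and the sample rows are constructed assumptions; adapt them to your own export. Note that the definition version must be compared numerically, field by field: the third field is a ten-digit build number, and a plain string comparison would rank v7.1.999 above v7.1.1368173351.

```python
"""Triage an exported LEMSS 'Virus and Malware Event Alerts' list for the
winpe/Tedroo.Z false positive on win32k.sys.

Added example; column names and action labels below are ASSUMED."""
import csv
import io
import ntpath  # Windows path handling even when this runs on a Linux admin box

BAD_DEFINITION = "7.1.1368158442"    # definition with the false positive
FIXED_DEFINITION = "7.1.1368173351"  # first definition without it
FALSE_POSITIVE_NAME = "winpe/tedroo.z"
AFFECTED_BASENAME = "win32k.sys"

# Constructed sample export (assumed columns). Both win32k.sys copies are
# reported for XP-FIN-01; XP-HR-07 had a 'delete' policy; XP-LAB-03 has no
# alert yet but still runs the bad definition; the last two need nothing.
SAMPLE_ALERT_EXPORT = r"""endpoint,av_definition_version,virus_name,file_path,action
XP-FIN-01,7.1.1368158442,winpe/Tedroo.Z,C:\Windows\system32\win32k.sys,Quarantined
XP-FIN-01,7.1.1368158442,winpe/Tedroo.Z,C:\Windows\system32\dllcache\win32k.sys,Quarantined
XP-HR-07,7.1.1368158442,winpe/Tedroo.Z,C:\Windows\system32\win32k.sys,Deleted
XP-LAB-03,7.1.1368158442,,,
SRV-2003-02,7.1.1368173351,,,
XP-DEV-09,7.1.1368190000,EICAR-Test-File,C:\Temp\eicar.com,Quarantined
"""


def parse_version(text):
    """'v7.1.1368173351' -> (7, 1, 1368173351).

    Integer tuples compare correctly; strings do not ('7.1.999' sorts
    after '7.1.1368173351' as text but is an older build)."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def has_fixed_definition(version_text):
    """True if a server or endpoint reports v7.1.1368173351 or higher."""
    return parse_version(version_text) >= parse_version(FIXED_DEFINITION)


def is_false_positive(virus_name, file_path):
    """The false positive is winpe/Tedroo.Z reported on win32k.sys, either
    the live copy in System32 or the dllcache copy; other detections of the
    same name on other files are not covered by this notification."""
    return (virus_name.strip().lower() == FALSE_POSITIVE_NAME
            and ntpath.basename(file_path.strip()).lower() == AFFECTED_BASENAME)


def triage(csv_text):
    """Return {endpoint: required action} for endpoints needing attention.

    A logged false positive outranks a mere stale definition for the same
    host, whatever order the rows arrive in."""
    needed = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["endpoint"].strip()
        if is_false_positive(row["virus_name"], row["file_path"]):
            action = row["action"].strip().lower()
            if action == "quarantined":
                needed[host] = ("restore both win32k.sys copies from quarantine "
                                "before reboot (offline repair if already rebooted)")
            elif action == "deleted":
                needed[host] = ("win32k.sys deleted: offline repair with a copy "
                                "from the XP installation CD")
            else:
                needed[host] = "false positive logged with action %r: inspect manually" % action
        elif not has_fixed_definition(row["av_definition_version"]):
            needed.setdefault(host, ("definition below %s: update definitions and keep "
                                     "scheduled scans disabled until it reports the fix"
                                     % FIXED_DEFINITION))
    return needed


if __name__ == "__main__":
    for host, action in sorted(triage(SAMPLE_ALERT_EXPORT).items()):
        print("%-12s %s" % (host, action))
```

    Run it against a CSV export instead of the embedded sample by reading the file into `triage()`; endpoints that do not appear in its output either already report the fixed definition or logged nothing that this notification covers.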

    MITIGATION

    Customers whose detection action is set to quarantine and who have not yet rebooted the affected endpoint can restore the files from quarantine and avoid further impact.

    Mitigation for systems that have not been shut down or restarted:

    1. Validate that your AV definitions are at 7.1.1368173351 or higher, so that the restored file is not detected again.
    2. Review the quarantined files, looking for two (2) files:
       • C:\Windows\system32\win32k.sys
       • C:\Windows\system32\dllcache\win32k.sys
    3. Restore both win32k.sys files from quarantine.

    Customers whose detection action is set to quarantine but who have already shut down or restarted the endpoint will find that it no longer boots, and the operating system must be repaired offline.

    Mitigation if win32k.sys is in quarantine and the system has been shut down or restarted:

    1. Update the L.E.M.S.S. server’s definitions to 7.1.1368173351 or higher.
    2. Boot the endpoint from a Windows Vista or later installation CD.
    3. Click on the ‘Repair your computer’ option > Next > Open Command Prompt.
    4. Copy win32k.sys from quarantine (e.g., C:\Documents and Settings\All Users\Application Data\HEATsoftware\LMAgent\Data\persist\AV\quarantine\win32k.sys) to C:\Windows\System32\ and C:\Windows\System32\dllcache\.
    5. Delete the engine and definitions from the endpoint (e.g., C:\Documents and Settings\All Users\Application Data\HEATsoftware\LMAgent\Data\persist\AV\ScanEngine).
    6. Reboot.

    Customers whose detection action is set to delete have no quarantined copy to restore; the endpoint will not boot, and the operating system must be repaired offline with a replacement win32k.sys.

    If win32k.sys is deleted:

    1. Update the L.E.M.S.S. server’s definitions to 7.1.1368173351 or higher.
    2. Prepare a win32k.sys. This file can be extracted from an XP OS CD, where it is stored compressed as i386\WIN32K.SY_ and must be expanded with the expand utility. Note that the copy on the CD predates the MS13-036 patch, so reapply current updates once the system boots.
    3. Boot the endpoint from a Windows Vista or later installation CD.
    4. Click on the ‘Repair your computer’ option > Next > Open Command Prompt.
    5. Copy the prepared win32k.sys to C:\Windows\System32\ and C:\Windows\System32\dllcache\.
    6. Delete the engine and definitions from the endpoint (e.g., C:\Documents and Settings\All Users\Application Data\HEATsoftware\LMAgent\Data\persist\AV\ScanEngine).
    7. Reboot.

    If you have experienced this issue, or find the virus detected, please contact HEATsoftware Support using the Customer Portal, or by sending an email to support@HEATsoftware.com.