6 Replies Latest reply on Aug 16, 2011 10:54 AM by rictersmith

    Spyware Scanning regardless of Autofix ON???

    rictersmith Specialist

      We are investigating a number of devices with severe slowness. We have LD9 SP2 with the latest patches.

       

      It seems like softmon is bogging things down. From the logs we see the following:

       

      Mon, 15 Aug 2011 16:44:29   2812 Find and remove spyware with process id - 3572, path - C:\WINDOWS\system32\wbem\wmiprvse.exe...
      Mon, 15 Aug 2011 16:44:29   2812 ScanProcess process id: 3572, path: C:\WINDOWS\system32\wbem\wmiprvse.exe
      Mon, 15 Aug 2011 16:44:29   2812 Scan process: 3572...
      Mon, 15 Aug 2011 16:44:32   2812 No spyware found.
      Mon, 15 Aug 2011 16:44:32   2812 Ceapi scanning process...Done.
      Mon, 15 Aug 2011 16:44:32   2812
      Mon, 15 Aug 2011 16:44:32   2812 Find and remove spyware with process id - 3640, path - C:\WINDOWS\system32\mqsvc.exe...
      Mon, 15 Aug 2011 16:44:32   2812 ScanProcess process id: 3640, path: C:\WINDOWS\system32\mqsvc.exe
      Mon, 15 Aug 2011 16:44:32   2812 Scan process: 3640...
      Mon, 15 Aug 2011 16:44:35   2812 No spyware found.
      Mon, 15 Aug 2011 16:44:35   2812 Ceapi scanning process...Done.
      Mon, 15 Aug 2011 16:44:35   2812
      Mon, 15 Aug 2011 16:44:38   2812
      Mon, 15 Aug 2011 16:44:38   2812 Find and remove spyware with process id - 3920, path - C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe...
      Mon, 15 Aug 2011 16:44:38   2812 ScanProcess process id: 3920, path: C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
      Mon, 15 Aug 2011 16:44:38   2812 Scan process: 3920...
      Mon, 15 Aug 2011 16:44:41   2812 No spyware found.
      Mon, 15 Aug 2011 16:44:41   2812 Ceapi scanning process...Done.
      Mon, 15 Aug 2011 16:44:41   2812
      Mon, 15 Aug 2011 16:44:41   2812 Find and remove spyware with process id - 2612, path - C:\WINDOWS\system32\mqtgsvc.exe...
      Mon, 15 Aug 2011 16:44:41   2812 ScanProcess process id: 2612, path: C:\WINDOWS\system32\mqtgsvc.exe
      Mon, 15 Aug 2011 16:44:41   2812 Scan process: 2612...
      Mon, 15 Aug 2011 16:44:43   2812 No spyware found.
      Mon, 15 Aug 2011 16:44:43   2812 Ceapi scanning process...Done.
      Mon, 15 Aug 2011 16:44:43   2812
      Mon, 15 Aug 2011 16:44:43   2812 Find and remove spyware with process id - 3244, path - C:\WINDOWS\system32\svchost.exe...
      Mon, 15 Aug 2011 16:44:43   2812 ScanProcess process id: 3244, path: C:\WINDOWS\system32\svchost.exe
      Mon, 15 Aug 2011 16:44:43   2812 Scan process: 3244...
      Mon, 15 Aug 2011 16:44:44   2812 No spyware found.
      Mon, 15 Aug 2011 16:44:44   2812 Ceapi scanning process...Done.
      Mon, 15 Aug 2011 16:44:44   2812
      Mon, 15 Aug 2011 16:44:44   2812 Find and remove spyware with process id - 3780, path - C:\WINDOWS\system32\ati2evxx.exe...
      Mon, 15 Aug 2011 16:44:44   2812 ScanProcess process id: 3780, path: C:\WINDOWS\system32\ati2evxx.exe
      Mon, 15 Aug 2011 16:44:44   2812 Scan process: 3780...
      Mon, 15 Aug 2011 16:44:45   2812 No spyware found.
      Mon, 15 Aug 2011 16:44:45   2812 Ceapi scanning process...Done.
      Mon, 15 Aug 2011 16:44:45   2812
      Mon, 15 Aug 2011 16:44:45   2812 Find and remove spyware with process id - 1372, path - C:\WINDOWS\system32\alg.exe...
      Mon, 15 Aug 2011 16:44:45   2812 ScanProcess process id: 1372, path: C:\WINDOWS\system32\alg.exe
      Mon, 15 Aug 2011 16:44:45   2812 Scan process: 1372...
      Mon, 15 Aug 2011 16:44:47   2812 No spyware found.
      Mon, 15 Aug 2011 16:44:47   2812 Ceapi scanning process...Done.
      Mon, 15 Aug 2011 16:44:47   2812
      Mon, 15 Aug 2011 16:44:47   2812 Find and remove spyware with process id - 2744, path - C:\Program Files\LANDesk\LDClient\rcgui.exe...
      Mon, 15 Aug 2011 16:44:47   2812 ScanProcess process id: 2744, path: C:\Program Files\LANDesk\LDClient\rcgui.exe
      Mon, 15 Aug 2011 16:44:47   2812 Scan process: 2744...
      Mon, 15 Aug 2011 16:44:48   2812 No spyware found.
      Mon, 15 Aug 2011 16:44:48   2812 Ceapi scanning process...Done.
      Mon, 15 Aug 2011 16:44:48   2812
      Mon, 15 Aug 2011 16:44:48   2812 Find and remove spyware with process id - 3004, path - C:\Program Files\Citrix\ICA Client\ssonsvr.exe...
      Mon, 15 Aug 2011 16:44:48   2812 ScanProcess process id: 3004, path: C:\Program Files\Citrix\ICA Client\ssonsvr.exe
      Mon, 15 Aug 2011 16:44:48   2812 Scan process: 3004...
      Mon, 15 Aug 2011 16:44:50   2812 No spyware found.
      Mon, 15 Aug 2011 16:44:50   2812 Ceapi scanning process...Done.
      Mon, 15 Aug 2011 16:44:50   2812
      Mon, 15 Aug 2011 16:44:50   2812 Find and remove spyware with process id - 2824, path - C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe...
      Mon, 15 Aug 2011 16:44:50   2812 ScanProcess process id: 2824, path: C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
      Mon, 15 Aug 2011 16:44:50   2812 Scan process: 2824...
      Mon, 15 Aug 2011 16:44:51   2812 No spyware found.
      Mon, 15 Aug 2011 16:44:51   2812 Ceapi scanning process...Done.
      Mon, 15 Aug 2011 16:44:51   2812
      Mon, 15 Aug 2011 16:44:51   2812 Find and remove spyware with process id - 4064, path - C:\Program Files\Trend Micro\BM\TMBMSRV.exe...
      Mon, 15 Aug 2011 16:44:51   2812 ScanProcess process id: 4064, path: C:\Program Files\Trend Micro\BM\TMBMSRV.exe
      Mon, 15 Aug 2011 16:44:51   2812 Scan process: 4064...
      Mon, 15 Aug 2011 16:44:53   2812 No spyware found.

       

      Our agent is configured to enable realtime spyware scanning, however we do not have a single definition with autofix on at the moment. Our understanding is realtime scanning relies on autofix ON per definition.

      Are we reading the log files wrong, or is spyware scanning occurring regardless of the definitions not having been turned on yet?
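Added example, not part of the original post and not LANDesk's own tooling: a small Python parser for the log format shown above that measures how long each per-process scan took, so the scanning overhead can be quantified across a full log. It assumes a scan ends at the `No spyware found.` line (the only verdict the excerpt shows); the sample lines are copied from that excerpt.

```python
import re
from datetime import datetime

# Sample lines copied from the log excerpt in the post above.
SAMPLE_LOG = r"""
Mon, 15 Aug 2011 16:44:29   2812 Find and remove spyware with process id - 3572, path - C:\WINDOWS\system32\wbem\wmiprvse.exe...
Mon, 15 Aug 2011 16:44:29   2812 ScanProcess process id: 3572, path: C:\WINDOWS\system32\wbem\wmiprvse.exe
Mon, 15 Aug 2011 16:44:29   2812 Scan process: 3572...
Mon, 15 Aug 2011 16:44:32   2812 No spyware found.
Mon, 15 Aug 2011 16:44:32   2812 Ceapi scanning process...Done.
Mon, 15 Aug 2011 16:44:32   2812
Mon, 15 Aug 2011 16:44:43   2812 Find and remove spyware with process id - 3244, path - C:\WINDOWS\system32\svchost.exe...
Mon, 15 Aug 2011 16:44:43   2812 Scan process: 3244...
Mon, 15 Aug 2011 16:44:44   2812 No spyware found.
Mon, 15 Aug 2011 16:44:51   2812 Find and remove spyware with process id - 4064, path - C:\Program Files\Trend Micro\BM\TMBMSRV.exe...
Mon, 15 Aug 2011 16:44:53   2812 No spyware found.
"""

# Timestamp, a numeric column, then an optional message (some lines have none).
LINE_RE = re.compile(r"^(\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2})\s+\d+\s*(.*)$")
START_RE = re.compile(r"Find and remove spyware with process id - (\d+), path - (.+?)\.\.\.$")

def scan_durations(text):
    """Return (pid, path, seconds) for every scan that logged a verdict."""
    scans, open_scan = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a log line in this format
        ts = datetime.strptime(m.group(1), "%a, %d %b %Y %H:%M:%S")
        msg = m.group(2).strip()
        start = START_RE.match(msg)
        if start:
            open_scan = (int(start.group(1)), start.group(2), ts)
        elif msg.startswith("No spyware found") and open_scan:
            # Assumption: this line closes the scan opened by the last start line.
            pid, path, began = open_scan
            scans.append((pid, path, (ts - began).total_seconds()))
            open_scan = None
    return scans

def total_scan_seconds(text):
    """Sum of all completed scan durations (log resolution is one second)."""
    return sum(seconds for _, _, seconds in scan_durations(text))

if __name__ == "__main__":
    for pid, path, seconds in sorted(scan_durations(SAMPLE_LOG), key=lambda s: -s[2]):
        print(f"{seconds:4.0f}s  pid {pid:<5} {path}")
    print(f"total: {total_scan_seconds(SAMPLE_LOG):.0f}s")
```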