There is an SSFLWBOX.SCR file in the LDLOGON directory on the Core (just checked my 9.6 SP2 one) if you're after it.
It's not mentioned in the agent-config .INI file, so I'm not 100% sure how it ends up going down on the client ...
my problem is why is a Windows 95 era screen saver suddenly appearing on random computers and a few servers? landesk can detect whether or not you have a screensaver password. this feature was about cause LDMS to be the culprit but i just felt like that was not the answer.
this appearance kind of coincides with some IE script errors that my colleagues are having. this follows some windows update that apparently happened a few weeks back. i only just now realized what people were talking about when they said they got a screensaver when they did not initially set up one. i have been instructing my technicians to delete the screensaver and change screen saver settings. if anyone knows anything, i am all ears.
I would be worried about a virus infection. This file should not show up on the core or on clients.
Please upload the .SCR file to http://www.virustotal.com to be examined.
I have the latest definitions downloaded and I do not have this .SCR file on my core server in any directory.
What version is your Core and has it been upgraded at all? Also check your agent settings section and go to Custom variable override settings and Show only definitions of Type: Security Threats (all items) and see if you have any check boxes set to Override and what they are set to. Just to verify this is not setting anything it shouldn't.
I've seen that SCR file in both v2016 and 9.6 ... I'll try to hunt down which update(s) it comes from ... it'll give a better venue to try & track down who "owns" that file / how it got there. It is surprising in its presence, I'll admit.
Will try to crack open a bunch of things when I'm not on the road & have a breather (hopefully a little later this week *fingers crossed*).
Has anyone uploaded this .SCR file to http://www.virustotal.com to ensure this is safe? I still have not seen a response on this.
I have searched our entire build server here at LANDESK and have not found a single instance of this file.
In addition I have not found a single instance of this file in our patch directory that contains all of the patches for our products.
I would urge you guys to upload it to virustotal and also to do a virus scan of your systems.
- LANDesk Management Suite 9.6 SP2 and May CP's installed. SHA-256 of the patch is ==> 0d3e10a1f6ae810e847d72f85d198046509662ba386c68a551ac9ab64fe435c1
Detections: 0/53 (probably harmless). Points of peculiar note - it has a "Symantec Reputation" of Suspicious.Insight - which links to this page here (not much to get worried about):
- LANDesk Management Suite 2016 with SU 4 installed ... SHA-256 of the patch is ==> 0d3e10a1f6ae810e847d72f85d198046509662ba386c68a551ac9ab64fe435c1
... I can throw copies of both VM's up for someone to have a look at if for some weird reason none of your folks end up having that file in their LDLOGON directories Dave?
Still not had time to crack open / trawl through the various patches to see if any of them put the screensaver from 1999 down.
<Also - still no idea how on earth some file in LDLOGON that doesn't make up the agent ended up on a client ... that part is quite odd>
I searched our entire patch server for the filename and did not find it existing anywhere there.
again, this file popped up and coincides with a number of things that transpired recently. just today another colleague pointed out some "programs" in the add/remove section that were labeled CVE-2014-XXXX that were related to internet explorer zero-day vulnerabilities. it is most likely that we had been hit with something like that, and appeared on a number of computers. i think that number is <100 out of a potential 3000. i'm happy that they are not high numbers, but not happy that we got hit with something. i have my plan and am about to put it into action. thank you all.
I just ran into this on a fresh install, new customer, 2016.3 SU3 core. The only devices that this ssflwbox.scr appears on are devices that have had LDAV deployed to them via the vulscan.exe /installav methodology. Additionally these machines were not allowing users to login until the administrators added their specific GPOs to the "logon local" local policy on the devices in question, effectively locking out the users until that time.
that is a similar thing that has happened on our end. we are still using LDMS 9.6 though.
i decided to set up a scheduled task on the LDMS server to delete the ssflwbox.scr file every 4 hours and log the delete time. it continuously appears around 11pm every night. if i check the log file in the morning, it shows that it was updated/changed/edited the previous night. since creating this, i have not had as many people reporting those similar GPO issues.
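Added example, not part of any post in this thread and not LANDESK/Ivanti code: a variant of the scheduled cleanup described above that records the file's SHA-256, timestamps, owner and signature status before moving it to quarantine instead of deleting it, so the nightly reappearance can be traced to a writer and a time. The directory paths, log file and quarantine folder are placeholders; the comparison hash is the SHA-256 value posted earlier in this thread.

```powershell
# Added example: evidence-preserving cleanup for a scheduled task.
# All paths below are placeholders/assumptions; adjust to your Core server.
param(
    [string]$WatchDir      = 'C:\Path\To\ldlogon',               # placeholder for your LDLOGON directory
    [string]$FileName      = 'ssflwbox.scr',
    [string]$QuarantineDir = 'C:\Quarantine',                    # hypothetical folder
    [string]$LogFile       = 'C:\Quarantine\ssflwbox-seen.csv',  # hypothetical log file
    # SHA-256 value posted earlier in this thread
    [string]$ThreadHash    = '0d3e10a1f6ae810e847d72f85d198046509662ba386c68a551ac9ab64fe435c1'
)

$target = Join-Path -Path $WatchDir -ChildPath $FileName
if (-not (Test-Path -LiteralPath $target -PathType Leaf)) { return }  # file absent, nothing to record

New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null

# Collect metadata before touching the file: who owns it and when it was written.
$item  = Get-Item -LiteralPath $target -Force
$hash  = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash.ToLower()
$sig   = Get-AuthenticodeSignature -LiteralPath $target
$owner = (Get-Acl -LiteralPath $target).Owner

[pscustomobject]@{
    SeenAtUtc         = (Get-Date).ToUniversalTime().ToString('o')
    Path              = $item.FullName
    Length            = $item.Length
    CreationTimeUtc   = $item.CreationTimeUtc.ToString('o')
    LastWriteTimeUtc  = $item.LastWriteTimeUtc.ToString('o')
    Owner             = $owner
    SignatureStatus   = $sig.Status
    Sha256            = $hash
    MatchesThreadHash = ($hash -eq $ThreadHash)
} | Export-Csv -LiteralPath $LogFile -Append -NoTypeInformation

# Move rather than delete, and drop the .scr extension so the copy cannot be
# launched as a screen saver while it waits for analysis.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path -Path $QuarantineDir -ChildPath ("{0}.{1}.quarantined" -f $FileName, $stamp)
Move-Item -LiteralPath $target -Destination $dest
```

The creation time and owner in each CSV row can be lined up against whatever task runs on the server at that time of night.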
So the LDAV install was a red herring, it just happened to have coincided with another task that ran when vulscan was called which installed an Ivanti Content Security Threat ST000202. If you have installed ST000202 it may be the culprit. There is no uninstall logic in ST000202 so you will have to reverse engineer the install to clean it up. Once we did this we were able to resolve this situation.
i do not recall purposely installing that, so i am unsure of where to find it. can you elaborate a little more please?
In your console go to Patch and Compliance, from the dropdown in the upper left select "Security Threats" then check to see if ST000202 is set to Scan and Autofix. If it is not then your situation may vary from what we experienced.