4017 Views, 7 Replies. Latest reply: Aug 10, 2011 11:24 PM by Dave Holland

Jan 21, 2011 1:43 PM

Malware.Genotype on autofix deleted a valid program

With this definition set to autofix in LANDesk v9 SP2, it deleted a valid program, "toad.exe," on 20 computers and we had to reinstall it.

Since this issue has been reported in various forums, why doesn't LANDesk alert more of their customers to this potential issue?

  • sandman87

    Same here... Just wanted to say thanks for posting this; it confirmed my suspicions. Removed toad from several machines here too. Guess I should be more careful in setting these malware definitions to autofix, though in my opinion they should already be tested to weed out most problems.

  • aymeric

    +1

    This spyware def has deleted our toad.exe and a lot of other .dll and .ocx files on all of our computers!!!

    I removed it from the scan, but maybe too late!

  • tanner (SupportEmployee)

    For anyone experiencing problems with spyware detection, I would recommend the following:

    • Zip up the file that is having problems, either as a false positive or as not getting detected
    • Password protect the zip with the password 'infected'
    • Upload the file to ftp.landesk.com/spyware
    • Open a case with LANDesk. Let them know the name of the file and how the detection isn't working.

    From there we can work to improve the spyware detection in LANDesk.

    Take a look at Process for submitting requests for Spyware Content:

    Also, a special note for the Genotype definition:

    This is a "catch-all" sort of definition. It is intended to analyze the file, its behaviors or other characteristics to determine if it is malicious. The primary purpose is to catch spyware early that doesn't yet have a specific definition. Because of this nature, it is usually where we occasionally see "false positives" as you are describing here.

    The recommendation for this definition is to not set it to Autofix. That way it can scan and notify you of potential concerns, but not act on them. You can review the report of detected files and take (or not take) appropriate action.

  • Rookie

    Just happened to us for the 2nd time in 3 months. Since it's obviously a false positive on toad.exe that has been reported previously, why is this still an issue?

  • Dave Holland (SupportEmployee)

    The Malware.Genotype detection is rather heavy-handed and must be used with caution, as you have seen in other threads.

    Typically the vulscan.log that was populated at the time of the spyware scan will contain details about the specific files that were seen as "infected".

    A common type of file to be deleted is Internet tracking cookies.

    In this case the vulscan log will show something like this:

    Infection found of (family: Malware.Genotype) with family id 0, item id 408921. Reason - type-cookie, description-*adserv*, category-Privacy Object
    Infection found.

    A newer version of CEAPI.DLL (part of the Spyware scanning engine) is included in the April Patch Manager MCP available here:

    http://community.landesk.com/support/docs/DOC-22561

    The newer CEAPI.DLL resolves issues with the Malware.Genotype definition incorrectly detecting innocuous files as being infected.

    LANDesk Antispyware uses the Lavasoft engine.

    Here is some detailed information about the Malware.Genotype definition and how it works.

    http://www.lavasoft.com/products/ad_aware_genotype.php

    I hope this helps.
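The two support replies above make one operational point: a heuristic, catch-all definition such as Malware.Genotype should report rather than autofix, and the vulscan.log written at scan time is where the per-file evidence lives. The script below is an added example (not LANDesk code, not from any poster in this thread) that reads "Infection found" lines in the one shape quoted above, splits the "Reason" field into its key/value pairs, and separates hits from heuristic families that need a human review from hits that a specific definition produced. The regular expression is derived from that single quoted line; the sample log is constructed for the example, and the extra reason keys (a "type-file" entry with a path) and the family name Win32.Example.Constructed are assumptions, not documented LANDesk output.

```python
"""Triage 'Infection found' entries from a LANDesk vulscan.log.

Added example, not LANDesk code.  The line format comes from the single line
quoted in the thread; the sample log at the bottom is constructed, and the
'type-file' reason key and the Win32.Example.Constructed family are assumed.
"""
import re
from dataclasses import dataclass, field

# Matches the one line shape shown in the thread.  "Reason - " is followed by
# comma-separated "key-value" pairs, which parse_reason() splits apart.
INFECTION_RE = re.compile(
    r"Infection found of \(family: (?P<family>[^)]+)\) "
    r"with family id (?P<family_id>\d+), item id (?P<item_id>\d+)\. "
    r"Reason - (?P<reason>.*)$"
)

# Catch-all / heuristic families: report these for review, never autofix.
HEURISTIC_FAMILIES = {"Malware.Genotype"}


@dataclass
class Detection:
    family: str
    family_id: int
    item_id: int
    attrs: dict = field(default_factory=dict)

    @property
    def needs_review(self) -> bool:
        return self.family in HEURISTIC_FAMILIES


def parse_reason(reason: str) -> dict:
    """'type-cookie, description-*adserv*, category-Privacy Object' ->
    {'type': 'cookie', 'description': '*adserv*', 'category': 'Privacy Object'}.
    Only the first '-' separates key from value, so hyphens inside a path
    or description are preserved."""
    attrs = {}
    for part in reason.split(", "):
        key, sep, value = part.partition("-")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def parse_vulscan(text: str) -> list:
    """Return one Detection per detailed 'Infection found of ...' line.
    The bare 'Infection found.' summary lines carry no data and are skipped."""
    detections = []
    for line in text.splitlines():
        m = INFECTION_RE.search(line)
        if not m:
            continue
        detections.append(Detection(
            family=m["family"],
            family_id=int(m["family_id"]),
            item_id=int(m["item_id"]),
            attrs=parse_reason(m["reason"]),
        ))
    return detections


def triage(detections) -> dict:
    """Split hits into those a human must look at (heuristic families) and
    those backed by a specific definition that an operator may act on."""
    report = {"review": [], "act": []}
    for d in detections:
        report["review" if d.needs_review else "act"].append(d)
    return report


# Constructed sample log.  The first entry is the line quoted in the thread;
# the other two are made up to show a file hit and a non-heuristic family.
SAMPLE_LOG = """\
Infection found of (family: Malware.Genotype) with family id 0, item id 408921. Reason - type-cookie, description-*adserv*, category-Privacy Object
Infection found.
Infection found of (family: Malware.Genotype) with family id 0, item id 408921. Reason - type-file, description-C:\\Program Files\\Quest Software\\Toad for Oracle\\toad.exe, category-Malware
Infection found.
Infection found of (family: Win32.Example.Constructed) with family id 12, item id 77. Reason - type-file, description-C:\\Temp\\dropper.exe, category-Trojan
Infection found.
"""

if __name__ == "__main__":
    report = triage(parse_vulscan(SAMPLE_LOG))
    for d in report["review"]:
        print("REVIEW", d.family, d.attrs.get("type"), d.attrs.get("description"))
    for d in report["act"]:
        print("ACT   ", d.family, d.attrs.get("type"), d.attrs.get("description"))
```

Run against a real vulscan.log, this gives the reviewer the list tanner's post asks for (which files a Genotype hit touched) before anything is deleted; the same "description" values are the files to zip with the password 'infected' and submit if they turn out to be false positives. Treat the reason-key parsing as best effort: only the cookie form is confirmed by the thread, so check the parsed fields against the raw line the first time you use it on a new engine or CEAPI.DLL version.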

LANDESK Community powered by Jive SBS 4.5.7.1 | © 2007 LANDESK Software