15516 Views 17 Replies Latest reply: Sep 25, 2008 11:27 AM by Dave Holland
Lionel Apprentice 162 posts since
Dec 15, 2007


Sep 24, 2008 8:36 AM

LDAV softmon.exe = Virus

Hi,

 

I just received on all of my clients, just after the distribution of the 88 SP2 agent, that "softmon.exe" is considered as a virus by LANDesk antivirus. (BackDoor.Win32.IRCBoot.gen)

Now all softmon.exe on my clients have been put in the quarantine folder or deleted....

 

Any comment?

 

Lionel

  • Expert 148 posts since
    Nov 27, 2007

    1. Sep 24, 2008 8:44 AM (in response to Lionel)
    Re: LDAV softmon.exe = Virus

    This is a false positive and is being worked on to be resolved.  This is just on the latest definition files.  If the option to back up definition files has been selected you can revert back one set of def files until it is resolved.

  • Maddawg SupportEmployee 11 posts since
    Dec 13, 2007

    2. Sep 24, 2008 8:45 AM (in response to Lionel)
    Re: LDAV softmon.exe = Virus

    This is currently being addressed.  Kaspersky should have this false detection resolved in the next hour or so.  You can roll the definitions back to the latest backup to resolve this issue until the definitions are fixed.  This is only affecting the 8.80.2.8 version of Softmon.exe, which is the SP2 version.

    Chuck

  • GaryJohnson Apprentice 68 posts since
    Dec 17, 2007

    4. Sep 24, 2008 9:02 AM (in response to rmoffitt)
    Re: LDAV softmon.exe = Virus

    It looks like my virus definition backups aren't current.  The option to keep backups is checked and set to keep 10 backups, but the dates of the backups are all from 3/14/2008.

    Is this something anyone has seen before, any ideas?

     

    In the meantime I guess I have to wait for the new updates so I can see if it fixes the softmon.exe problem...

  • Dave Holland SupportEmployee 802 posts since
    Jan 8, 2008

    5. Sep 24, 2008 9:04 AM (in response to GaryJohnson)
    Re: LDAV softmon.exe = Virus

    Gary,

     

    I personally haven't seen this issue regarding AV Pattern file backups.   I would recommend contacting LANDesk Support and opening a case.   We can post the results of that investigation here.

  • GaryJohnson Apprentice 68 posts since
    Dec 17, 2007

    6. Sep 24, 2008 9:16 AM (in response to Dave Holland)
    Re: LDAV softmon.exe = Virus

    I haven't really looked at that option for awhile so I didn't realize it wasn't backing them up correctly.

     

    I already opened a call on the softmon.exe problem, and found that I couldn't roll back... I will follow up on this issue once the main problem gets fixed.

  • Maddawg SupportEmployee 11 posts since
    Dec 13, 2007

    7. Sep 24, 2008 1:42 PM (in response to Lionel)
    Re: LDAV softmon.exe = Virus

    Kaspersky has been working on this issue for a while.  We have been told that the definitions to resolve this should be in the next definition release, which should happen in the next few hours.

    Chuck

  • ale.badin Apprentice 22 posts since
    Jan 18, 2008

    8. Sep 25, 2008 2:35 AM (in response to Maddawg)
    Re: LDAV softmon.exe = Virus

    Has a fixed definition been published yet?

  • phoffmann SupportEmployee 2,643 posts since
    Dec 11, 2007

    9. Sep 25, 2008 3:10 AM (in response to ale.badin)
    Re: LDAV softmon.exe = Virus

    Not according to my latest information. We were given a candidate that should've resolved it, but it turned out that it didn't, so we are continuing to work closely with Kaspersky on this.

     

    The moment we have a healthy AV-definition, we'll post information here, don't worry :).

     

    Paul Hoffmann

    LANDesk EMEA Technical Lead

  • Dave Holland SupportEmployee 802 posts since
    Jan 8, 2008

    10. Sep 25, 2008 8:23 AM (in response to Lionel)
    Re: LDAV softmon.exe = Virus

     

    My tests with the new content showed that it would detect SOFTMON.EXE as a virus (incorrectly, of course) in ram, but not when running a file scan against the file on the hard disk.

     

    My tests involved copying softmon.exe from the core server's ldlogon share to the client's local hard disk.   During the transfer LDAV would intercept the file, not allow it to be copied down, and then report "Virus Removed".

     

    Kaspersky has confirmed this behavior and are still researching this issue.    

     

    Their typical response time for a false positive is ½ hour to an hour, however they report that this is far more complicated as it seems to have affected a large number of database records and has required fixing a large number of pattern files.    Also they are researching the behavior of the false positive being detected in ram, but not during a file scan.

     

    The latest definitions as of 6:40am this morning (the time on the core server, or 3:11am on the client) seem to be resolving this issue.

  • Apprentice 153 posts since
    Dec 17, 2007

    11. Sep 25, 2008 9:08 AM (in response to Lionel)
    Re: LDAV softmon.exe = Virus

    What about an exclusion of "Softmon.exe" in the Antivirus Settings??

     

    Would that work?  How would we push that out once we change the setting??

     

    Please respond quickly, we are getting many many calls.  

     

    -B  

  • Dave Holland SupportEmployee 802 posts since
    Jan 8, 2008

    12. Sep 25, 2008 9:10 AM (in response to fribergb)
    Re: LDAV softmon.exe = Virus

    I see no reason that this wouldn't work.

     

    The latest content appears to be resolving this issue.

     

    I would download the latest content on your core server.

     

    Try the latest content on a few clients that are having the issue.

     

    If it works you can create a script to update your clients to the latest AV Content.

     

    See this document for further information:

     

    http://community.landesk.com/support/docs/DOC-3307

  • Apprentice 153 posts since
    Dec 17, 2007

    13. Sep 25, 2008 9:18 AM (in response to Dave Holland)
    Re: LDAV softmon.exe = Virus

    OK, trying now...

     

    -B

  • Apprentice 153 posts since
    Dec 17, 2007

    14. Sep 25, 2008 10:05 AM (in response to Dave Holland)
    Re: LDAV softmon.exe = Virus

    On our core server (8.8 SP2) the AV definition shows 9/25/2008 8:18am.... but after the push to the clients the client computers show:

     

    Virus Definitions: 9/25/2008 4:58am (GMT +3)

     

    What the heck?   Even allowing for the time zone foolishness, how do you get from 8:18 on the server to 4:58am on the client??   THESE HAVE TO MATCH for us to be able to determine what's been pushed!!!

     

    -B   
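
Added example, not part of the original thread and not LANDesk code: a quick check of whether the two timestamps quoted in the post above could be one instant shown in two time zones. It assumes the client value is local time at GMT +3 and that the server value is local time in an unstated zone; the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Values quoted in the post above (constructed as naive local times).
SERVER_DISPLAY = datetime(2008, 9, 25, 8, 18)   # core server, zone not stated
CLIENT_DISPLAY = datetime(2008, 9, 25, 4, 58)   # client, shown as GMT +3
CLIENT_OFFSET = timedelta(hours=3)              # assumption: client local = UTC+3


def implied_server_offset(server_local, client_local, client_offset):
    """UTC offset the server would need for both displays to be one instant."""
    instant_utc = client_local - client_offset
    return server_local - instant_utc


def is_plausible_offset(offset):
    """Civil UTC offsets lie in [-12h, +14h] and are multiples of 15 minutes."""
    minutes = offset.total_seconds() / 60
    return -12 * 60 <= minutes <= 14 * 60 and minutes % 15 == 0


def same_instant_possible(server_local, client_local, client_offset):
    """True if a real time-zone difference alone could explain the mismatch."""
    return is_plausible_offset(
        implied_server_offset(server_local, client_local, client_offset))


def format_offset(offset):
    """Render a timedelta as a UTC offset string such as UTC+05:30."""
    minutes = int(offset.total_seconds() // 60)
    sign = "-" if minutes < 0 else "+"
    return f"UTC{sign}{abs(minutes) // 60:02d}:{abs(minutes) % 60:02d}"


if __name__ == "__main__":
    off = implied_server_offset(SERVER_DISPLAY, CLIENT_DISPLAY, CLIENT_OFFSET)
    print("server would have to be at", format_offset(off))
    print("explained by time zone alone:",
          same_instant_possible(SERVER_DISPLAY, CLIENT_DISPLAY, CLIENT_OFFSET))
```

Under these assumptions the server would have to sit at UTC+06:20, which is not a civil time zone, so the two displays are different timestamps rather than one instant rendered in two zones.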
