I just receive on all of my client, just after the distribution of the 88 SP2 agent, that "softmon.exe" is considere as a virus by LANdesk antivirus. (BackDoor.Win32.IRCBoot.gen)
Now all softmon.exe on my client have been in the quarantaine folder or deleted....
This is a false positive and is being worked on to be resolved. This is just on the latest definition files. If the option to back up definition files has been selected you can revert back on set of def files until it is resolved.
This is currently being addressed. Kaspersky should have this false detection resolved in the next hour or so. You can roll the definitions back to the latest backup to resolve this issue until the definitions are fixed. This is only affecting the the 22.214.171.124 version of Softmon.exe, which is the SP2 version.
Thanks for your answer. I just read your post 5 sec after publish mine ;-))
The patern has been restored from backup and we are waiting for resolution...
Keep up to date
It looks like my virus definition backups aren't current. The option to keep backups is checked and set to keep 10 backups, but the dates of the backups are all from 3/14/2008.
Is this something anyone has seen before, any ideas?
In the meantime I guess I have to wait for the new updates so I can see if it fixes the softmon.exe problem...
I personally haven't seen this issue regarding AV Pattern file backups. I would recommend contacting LANDesk Support and opening a case. We can post the results of that investigation here.
I haven't really looked at that option for awhile so I didn't realize it wasn't backing them up correctly.
I already opened a call on the softmon.exe problem, and found that I couldn't roll back... I will follow up on this issue once the main problem gets fixed.
Kaspersky has been working on this issue for a while. We have been told that the definitions to resolve this shoud be in the next definition release, which should happen in the next few hours.
Not according to my latest information. We were given a candidate that should've resolved it, but turned out that it didn't, so we continuing to work closely with Kaskersky on this.
The moment we have a healthy AV-definition, we'll post information here, don't worry :).
LANDesk EMEA Technical Lead
My tests with the new content showed that it would detect SOFTMON.EXE as a virus (incorrectly, of course) in ram, but not when running a file scan against the file on the hard disk.
My tests involved copying softmon.exe from the core server’s ldlogon share to the clients local hard disk. During the transfer LDAV would intercept the file, not allow it to be copied down, and then report “Virus Removed”.
Kaspersky has confirmed this behavior and are still researching this issue.
Their typical response time for a false positive is ½ hour to an hour, however they report that this is far more complicated as it seems to have affected a large number of database records and has required fixing a large number of pattern files. Also they are researching the behavior of the false positive being detected in ram, but not during a file scan.
The latest definitions as of 6:40am this morning (the time on the core server, or 3:11am on the client) seems to be resolving this issue.
What about an exclusion of "Softmon.exe" in the Antivirus Settings??
Would that work? How would we push that out once we change the seting??
Please respond quickly, we are getting many many calls.
I see no reason that this wouldn't work.
The latest content appears to be resolving this issue.
I would download the latest content on your core server.
Try the latest content on a few clients that are having the issue.
If it works you can create a script to update your clients to the latest AV Content.
See this document for further information:
On our core server (8.8 SP2) the AV defenition shows 9./25/2008 8:18am.... but after the push to the clients the client computers show:
Virus Definitions: 9/25/2008 4:58am (GMT +3)
What the heck? Even allowing for the time zone foolishness, how do you get from 8:18 on the server to 4:58am on the client?? THESE HAVE TO MATCH for us to be able to determine what's been pushed!!!