17 Replies. Latest reply: Sep 25, 2008 11:27 AM by LANDave

    LDAV softmon.exe = Virus

    Lionel Apprentice

      Hi,

      I just received, on all of my clients, right after the distribution of the 8.8 SP2 agent, a report that "softmon.exe" is considered a virus by LANDesk Antivirus (BackDoor.Win32.IRCBoot.gen).

      Now all softmon.exe copies on my clients have been moved to the quarantine folder or deleted....

      Any comment?

      Lionel

        • 1. Re: LDAV softmon.exe = Virus
          Expert

          This is a false positive and is being worked on to be resolved.  This is just in the latest definition files.  If the option to back up definition files has been selected, you can revert back one set of definition files until it is resolved.

          • 2. Re: LDAV softmon.exe = Virus
            Maddawg SupportEmployee

            This is currently being addressed.  Kaspersky should have this false detection resolved in the next hour or so.  You can roll the definitions back to the latest backup to resolve this issue until the definitions are fixed.  This is only affecting the 8.80.2.8 version of Softmon.exe, which is the SP2 version.

            Chuck

            • 3. Re: LDAV softmon.exe = Virus
              Lionel Apprentice

              Hi,

              Thanks for your answer. I read your post 5 sec after publishing mine ;-))

              The pattern has been restored from backup and we are waiting for the resolution...

              Keep us up to date.

              Regards

              Lionel

              • 4. Re: LDAV softmon.exe = Virus
                Apprentice

                It looks like my virus definition backups aren't current.  The option to keep backups is checked and set to keep 10 backups, but the dates of the backups are all from 3/14/2008.

                Is this something anyone has seen before, any ideas?


                In the meantime I guess I have to wait for the new updates so I can see if it fixes the softmon.exe problem...

                • 5. Re: LDAV softmon.exe = Virus
                  LANDave SupportEmployee

                  Gary,


                  I personally haven't seen this issue regarding AV Pattern file backups.   I would recommend contacting LANDesk Support and opening a case.   We can post the results of that investigation here.

                  • 6. Re: LDAV softmon.exe = Virus
                    Apprentice

                    I haven't really looked at that option for a while, so I didn't realize it wasn't backing them up correctly.

                    I already opened a call on the softmon.exe problem and found that I couldn't roll back... I will follow up on this issue once the main problem gets fixed.

                    • 7. Re: LDAV softmon.exe = Virus
                      Maddawg SupportEmployee

                      Kaspersky has been working on this issue for a while.  We have been told that the definitions to resolve this should be in the next definition release, which should happen in the next few hours.

                      Chuck

                      • 8. Re: LDAV softmon.exe = Virus
                        ale.badin Apprentice

                        Has a fixed definition been published yet?

                        • 9. Re: LDAV softmon.exe = Virus
                          phoffmann SupportEmployee

                          Not according to my latest information. We were given a candidate that should have resolved it, but it turned out that it didn't, so we are continuing to work closely with Kaspersky on this.

                          The moment we have a healthy AV definition, we'll post the information here, don't worry :).

                          Paul Hoffmann

                          LANDesk EMEA Technical Lead

                          • 10. Re: LDAV softmon.exe = Virus
                            LANDave SupportEmployee

                            My tests with the new content showed that it would detect SOFTMON.EXE as a virus (incorrectly, of course) in RAM, but not when running a file scan against the file on the hard disk.

                            My tests involved copying softmon.exe from the core server's ldlogon share to the client's local hard disk.   During the transfer LDAV would intercept the file, not allow it to be copied down, and then report "Virus Removed".

                            Kaspersky has confirmed this behavior and is still researching this issue.

                            Their typical response time for a false positive is half an hour to an hour; however, they report that this one is far more complicated, as it seems to have affected a large number of database records and has required fixing a large number of pattern files.    They are also researching the behavior of the false positive being detected in RAM but not during a file scan.

                            The latest definitions as of 6:40am this morning (the time on the core server, or 3:11am on the client) seem to be resolving this issue.

                            • 11. Re: LDAV softmon.exe = Virus
                              Apprentice

                              What about an exclusion of "Softmon.exe" in the Antivirus Settings?

                              Would that work?  How would we push that out once we change the setting?

                              Please respond quickly, we are getting many, many calls.

                              -B

                              • 12. Re: LDAV softmon.exe = Virus
                                LANDave SupportEmployee

                                I see no reason that this wouldn't work.

                                The latest content appears to be resolving this issue.

                                I would download the latest content on your core server.

                                Try the latest content on a few clients that are having the issue.

                                If it works, you can create a script to update your clients to the latest AV content.

                                See this document for further information:

                                http://community.landesk.com/support/docs/DOC-3307
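Before pushing a filename exclusion like the one discussed in the two posts above, a practitioner would first confirm that the file LDAV is blocking on each client really is the vendor's own softmon.exe build, since an exclusion by name would also whitelist anything else that happens to be called softmon.exe. The script below is an added example, not LANDesk code and not posted by anyone in this thread. It hashes a reference copy (standing in for the copy on the core server's ldlogon share mentioned earlier) and compares it against each client-side copy, flagging mismatches and files that are missing because they were quarantined or deleted. All file paths and contents are constructed for the demo; the function and variable names are this example's own.

```python
"""Verify that a file flagged by AV matches a known-good reference copy
before excluding it by name.  Added example; paths and contents are
constructed stand-ins, not real LANDesk artifacts."""
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def classify_candidates(reference_path, candidate_paths):
    """Compare each candidate against the reference copy.

    Returns {path: "match" | "mismatch" | "missing"}.
      match    - byte-identical to the reference: safe to treat as a false positive
      mismatch - a different binary with the same name: do NOT exclude it by name
      missing  - not present (quarantined or deleted by the AV engine)
    """
    reference_hash = sha256_of(reference_path)
    verdicts = {}
    for path in candidate_paths:
        if not os.path.isfile(path):
            verdicts[path] = "missing"
        elif sha256_of(path) == reference_hash:
            verdicts[path] = "match"
        else:
            verdicts[path] = "mismatch"
    return verdicts


def demo():
    """Constructed sample: one reference copy and three client copies.

    client1 is identical, client2 has been altered, client3 was quarantined.
    """
    workdir = tempfile.mkdtemp()
    reference = os.path.join(workdir, "ldlogon_softmon.exe")   # assumed core copy
    client1 = os.path.join(workdir, "client1_softmon.exe")
    client2 = os.path.join(workdir, "client2_softmon.exe")
    client3 = os.path.join(workdir, "client3_softmon.exe")     # never written

    # A fake PE-looking payload; the real softmon.exe bytes are not on this page.
    payload = b"MZ" + b"\x00" * 64 + b"softmon 8.80.2.8 constructed sample"
    for path in (reference, client1):
        with open(path, "wb") as fh:
            fh.write(payload)
    with open(client2, "wb") as fh:
        fh.write(payload + b"\xcc")   # one trailing byte changed: not the vendor build

    return classify_candidates(reference, [client1, client2, client3])


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:9} {path}")
```

On a real deployment, point the reference at the copy on the core server's ldlogon share and the candidates at the client install directory. A hash match is the minimum check, not proof of anything beyond "this is the same bytes the core distributes"; and an exclusion added for a false positive should be removed again once a corrected definition set has been confirmed on the clients, so the file is scanned normally from then on.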

                                • 13. Re: LDAV softmon.exe = Virus
                                  Apprentice

                                  OK, trying now...


                                  -B

                                  • 14. Re: LDAV softmon.exe = Virus
                                    Apprentice

                                    On our core server (8.8 SP2) the AV definition shows 9/25/2008 8:18am.... but after the push to the clients the client computers show:

                                    Virus Definitions: 9/25/2008 4:58am (GMT +3)

                                    What the heck?   Even allowing for the time zone foolishness, how do you get from 8:18 on the server to 4:58am on the client?   THESE HAVE TO MATCH for us to be able to determine what's been pushed!!!

                                    -B
