I love incidents caused by false positives in antivirus products. Its frustrating enough that they don't detect legitimate threats, but when they delete legitimate files its just a waste of time and energy.
Today I handled an incident where 10% of an organizations machines detected ESUGRemoteSvc.exe as a Trojan..
2008-09-19 17:13:48;2008-09-19 17:23:42;Real Time Scan;LOGGER_Real_Time;1;Virus found;Trojan Horse;1;"C:/WINDOWS/system32/ESUG/ESUGRemoteSvc.exe";Quarantined;
Fire up the IRT engine. Gather samples, run it in a isolated machine to watch it behavior, submit it to virustotal.com and Normans Sandbox, pull it apart with Immunity Debugger, but the thing looks legit. No machines are scanning the network or making TCP connections to an unusual number of hosts, but it appeared to be spreading. So what is this evil program? ITS SYMANTECS OWN ADMIN TOOL!!! ESUG stands for "Enterprise Support Utilities Group"
A call to Symantec confirmed it was a false positive. Thanks for the friday afternoon excitement.
Today I handled an incident where 10% of an organizations machines detected ESUGRemoteSvc.exe as a Trojan..
2008-09-19 17:13:48;2008-09-19 17:23:42;Real Time Scan;LOGGER_Real_Time;1;Virus found;Trojan Horse;1;"C:/WINDOWS/system32/ESUG/ESUGRemoteSvc.exe";Quarantined;
Fire up the IRT engine. Gather samples, run it in a isolated machine to watch it behavior, submit it to virustotal.com and Normans Sandbox, pull it apart with Immunity Debugger, but the thing looks legit. No machines are scanning the network or making TCP connections to an unusual number of hosts, but it appeared to be spreading. So what is this evil program? ITS SYMANTECS OWN ADMIN TOOL!!! ESUG stands for "Enterprise Support Utilities Group"
A call to Symantec confirmed it was a false positive. Thanks for the friday afternoon excitement.