Full Version: Constant False Positive Notifications About Necessary Processes
Kaspersky Lab Forum > English User Forum > Protection for Small and Medium Businesses
Chris Thomas
We have been rolling out Kaspersky Workstation 6.0.4.1212 to all of our company computers to update the previously installed 6.0.3.837. We have been using the Admin Kit to push the packages to all of our remote clients. Upon rebooting each client after the install, I am receiving these alerts from each one:

Product: Kaspersky Anti-Virus 6.0 for Windows Workstations Version 6.0.4.1212 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Computer: DMYER-D510
Domain: MYDOMAIN

Notifications:

Critical: 10/28/2009 10:35:59 AM Process C:\WINDOWS\system32\winlogon.exe (PID: 928): suspicious action. Process is trying to write list of modules executed during system startup (key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}, value: RsopStatus, data: 0x004cefc8 (5042120)).

and

Product: Kaspersky Anti-Virus 6.0 for Windows Workstations Version 6.0.4.1212 Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Computer: SCOY-D620
Domain: MYDOMAIN

Notifications:

Critical: 10/28/2009 8:33:43 AM Process C:\Program Files\UPHClean\uphclean.exe (PID: 196): suspicious action. Process is trying to write list of system services (key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uphcleanhlp, value: ImagePath, data: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys).


I also received these messages when we originally pushed 6.0.3.837 but I did not worry about them at the time. It's just getting old and I was wondering if there was something I could do to prevent the events from happening.

Thanks

-Chris
qtester
QUOTE(Chris Thomas @ 28.10.2009 14:42) *

1. In the AK, add the task name macro to the email notification template.
2. These events are from the Proactive Defense\Registry Guard module.
If you have it turned on, by default it has rules to monitor: allow and report all attempts to modify important system registry keys.

So if you plan to use this component, it is better to create appropriate rules for good applications.
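
Added example (not part of the original posts and not Kaspersky code): a Python script that parses the two alert texts quoted in this thread and groups them by program and registry key, which is the inventory needed before writing per-application rules as suggested above. The `reviewed` set of already verified programs is hypothetical.

```python
import re
from collections import defaultdict

# Notification text copied from the two alerts quoted in this thread.
SAMPLE = r"""
Computer: DMYER-D510
Critical: 10/28/2009 10:35:59 AM Process C:\WINDOWS\system32\winlogon.exe (PID: 928): suspicious action. Process is trying to write list of modules executed during system startup (key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B087BE9D-ED37-454f-AF9C-04291E351182}, value: RsopStatus, data: 0x004cefc8 (5042120)).
Computer: SCOY-D620
Critical: 10/28/2009 8:33:43 AM Process C:\Program Files\UPHClean\uphclean.exe (PID: 196): suspicious action. Process is trying to write list of system services (key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\uphcleanhlp, value: ImagePath, data: \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys).
"""

ALERT_RE = re.compile(
    r"^(?P<severity>\w+): (?P<when>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) "
    r"Process (?P<image>.+?) \(PID: (?P<pid>\d+)\): suspicious action\. "
    r"Process is trying to write (?P<group>.+?) "
    r"\(key: (?P<key>.+?), value: (?P<value>.+?), data: (?P<data>.*)\)\.$"
)

def parse_alerts(text):
    """Return one dict per alert line, tagged with the preceding Computer: name."""
    computer, events = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Computer:"):
            computer = line.split(":", 1)[1].strip()
        elif (m := ALERT_RE.match(line)):
            events.append({**m.groupdict(), "computer": computer})
    return events

def rule_candidates(events, reviewed_images):
    """Split alerts into writes by already reviewed programs (candidates for an
    application-specific rule) and everything else, which still needs a look."""
    candidates, unreviewed = defaultdict(set), []
    for e in events:
        if e["image"].lower() in reviewed_images:
            candidates[(e["image"], e["group"], e["key"])].add(e["computer"])
        else:
            unreviewed.append(e)
    return dict(candidates), unreviewed

if __name__ == "__main__":
    # Hypothetical review result: only winlogon.exe has been verified so far.
    reviewed = {r"c:\windows\system32\winlogon.exe"}
    rules, todo = rule_candidates(parse_alerts(SAMPLE), reviewed)
    for (image, group, key), hosts in rules.items():
        print(f"rule candidate: {image} -> {group}\n  {key}\n  seen on {sorted(hosts)}")
    for e in todo:
        print(f"review first: {e['image']} wrote {e['value']} under {e['key']} on {e['computer']}")
```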
Chris Thomas
QUOTE(qtester @ 29.10.2009 11:35) *

I sincerely apologize but I don't really understand what you're talking about aside from your reference to Registry Guard, which I do not have enabled.

Thanks.
qtester
QUOTE(Chris Thomas @ 4.11.2009 17:56) *

The notification that you are receiving is a notification from the Proactive Defense\Registry Guard component.
Are you sure that this component is not enabled on the DMYER-D510 and SCOY-D620 computers?