Full Version: Possible virus
Kaspersky Lab Forum > English User Forum > Protection for Small and Medium Businesses
bbbsoporte
We have KAV Workstation v6.x and a Windows 2003 domain.

On a client computer (Windows XP SP2), we are suddenly getting possible virus notifications, hundreds of them.

It began with a:
Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Tue Feb 19 07:58:52 2008 Process C:\WINDOWS\System32\svchost.exe (PID: 1400): suspicious action. Attempt to create list of modules executed during system startup (key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server, value CreationTime, data 20080219125832.203000+000).

Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Tue Feb 19 07:59:03 2008 Process C:\WINDOWS\system32\winlogon.exe (PID: 956): suspicious action. Attempt to modify list of modules executed during system startup (key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}, value LastPolicyTime, data 0x00e1cd8a (14798218)).

Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Tue Feb 19 08:07:06 2008 Process C:\WINDOWS\System32\svchost.exe (PID: 1400): suspicious action. Attempt to modify list of modules executed during system startup (key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\PchSvc, value DataCollection, data 20080219080706.000000-000).

Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Tue Feb 19 15:59:45 2008 Process C:\WINDOWS\System32\svchost.exe (PID: 1404): suspicious action. Attempt to modify list of modules executed during system startup (key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center, value FirewallDisableNotify, data 0x00000001 (1)).

and the list continues...

The next day we got more, as:

Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Wed Feb 20 11:14:36 2008 Process C:\WINDOWS\system32\ie4uinit.exe (PID: 3088): suspicious action. Attempt to create Microsoft Internet Explorer settings (key HKEY_USERS\S-1-5-21-3118971187-510172217-1756445218-2659\Software\Microsoft\Internet Explorer\Main, value Local Page, data C:\WINDOWS\system32\blank.htm).

Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Wed Feb 20 11:14:42 2008 Process C:\WINDOWS\system32\regsvr32.exe (PID: 3824): suspicious action. Attempt to modify list of modules executed during system startup (key HKEY_USERS\S-1-5-21-3118971187-510172217-1756445218-2659\Control Panel\Desktop, value SCRNSAVE.EXE, data C:\WINDOWS\System32\logon.scr).

etc...

It seems to me like a real virus, but what can I do now?

tornado4
Hi Mate,
We have had this for ages and have not got around to working out what to do with the 5 million emails we get.

Looking at yours, which are similar to mine, if you're on a domain it's just AD group policy being applied at logon. After all, group policy is just registry changes.

Let me know if you find out how to allow these, as I don't fancy turning off potential virus email notifications, but on an average day we get 10,000 of these.

regards,
Torn
bbbsoporte
But I do not understand why it is suddenly happening.

We have had our domain policies for more than two years, we have not changed domain policies for months, we have had KAV Workstation installed for months, we have not changed anything, and suddenly we got these possible virus notifications. If it is normal domain policy activity, why didn't we get these notifications before?

tornado4
QUOTE(bbbsoporte @ 22.02.2008 02:37) *
But I do not understand why it is suddenly happening.

We have had our domain policies for more than two years, we have not changed domain policies for months, we have had KAV Workstation installed for months, we have not changed anything, and suddenly we got these possible virus notifications. If it is normal domain policy activity, why didn't we get these notifications before?


Sorry, I understand now. Check the KAV policy applied to this computer in Admin Kit: you will always get these emails if you have Active Directory group policy, Proactive Defense enabled (Application Activity Analyser enabled with "suspicious system activity" ticked), and in the Events tab of the policy the tick box selected to send email on detection of a possibly infected object.

Also check the pc itself and see if these are set.

We have the above configuration and get these notifications for all (80) workstations.


bbbsoporte
Thanks, tornado4.

But it is not useful to have hundreds of notifications that are normal. There are hundreds and thousands of them. Is there a way to filter these normal behaviors? It looks like this is an "all or nothing" configuration. Having them all is the same as nothing, because nobody will check that huge amount of notifications.


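One way to get out of the "all or nothing" situation without turning the notifications off: keep the emails, but post-process them. The script below is an added example, not code from the thread or from Kaspersky. It parses the notification text quoted above, suppresses registry writes that match an allowlist of (process, key prefix) pairs that Group Policy application and normal Windows housekeeping are known to produce, and leaves everything else for a human. The allowlist (built from the keys in this thread), the key normalisation, the function names (`parse_event`, `triage`, `normalise_key`) and the last sample line (a constructed event with a binary in a user's Temp directory adding a Run entry) are assumptions for illustration. Note that the Security Center write from the thread is also reported: not because it is malicious, but because nothing in the allowlist vouches for it yet, which is exactly the decision the counter of suppressed pairs is meant to help you make.

```python
"""Triage KAV "possibly infected object" notifications.

Added example, not code from the forum thread or from Kaspersky.  Parses the
notification text, suppresses writes matching an ASSUMED allowlist of
(process, key prefix) pairs produced by Group Policy, reports the rest.
"""
import re
from collections import Counter

EVENT_RE = re.compile(
    r"computer (?P<host>\S+) in the domain (?P<domain>\S+) at (?P<time>.+?) "
    r"Process (?P<proc>.+?) \(PID: (?P<pid>\d+)\): suspicious action\. "
    r"Attempt to (?P<action>.+?) \(key (?P<key>.+?), value (?P<value>.+?), "
    r"data (?P<data>.+)\)\.?$"
)

# Per-user hives carry a SID; collapse it so one rule covers every user.
SID_RE = re.compile(r"^hkey_users\\s-1-5-21-[\d-]+")

# Trusted binary (full path, lower case) -> key prefixes it is expected to
# write during policy application.  ASSUMED; tune to your own domain's GPOs.
ALLOWLIST = {
    r"c:\windows\system32\winlogon.exe": [
        r"hklm\software\microsoft\windows nt\currentversion\winlogon\gpextensions",
    ],
    r"c:\windows\system32\svchost.exe": [
        r"hklm\software\microsoft\wbem\transports\decoupled",
        r"hklm\software\microsoft\pchealth\pchsvc",
    ],
    r"c:\windows\system32\ie4uinit.exe": [
        r"hku\<sid>\software\microsoft\internet explorer",
    ],
    r"c:\windows\system32\regsvr32.exe": [
        r"hku\<sid>\control panel\desktop",
    ],
}


def normalise_key(key):
    """Lower-case the key, shorten the hive name and mask the user SID."""
    k = key.lower().replace("hkey_local_machine", "hklm", 1)
    return SID_RE.sub(r"hku\\<sid>", k)


def parse_event(line):
    """Return the fields of one notification, or None if it does not parse."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def is_expected(ev):
    """True when a trusted binary writes a key it is allowed to write."""
    prefixes = ALLOWLIST.get(ev["proc"].lower(), [])
    key = normalise_key(ev["key"])
    return any(key.startswith(p) for p in prefixes)


def triage(lines):
    """Return (events needing review, Counter of suppressed (proc, key) pairs).

    The Counter shows which pairs make up the bulk of the noise, which is the
    evidence you need before deciding whether to allowlist anything else.
    """
    review, suppressed = [], Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if is_expected(ev):
            suppressed[(ev["proc"].lower(), normalise_key(ev["key"]))] += 1
        else:
            review.append(ev)
    return review, suppressed


# Sample input: the six notifications quoted in the thread plus one
# CONSTRUCTED line (binary in a user's Temp directory adding a Run entry).
SAMPLE_EVENTS = [
    r"Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Tue Feb 19 07:58:52 2008 Process C:\WINDOWS\System32\svchost.exe (PID: 1400): suspicious action. Attempt to create list of modules executed during system startup (key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Transports\Decoupled\Server, value CreationTime, data 20080219125832.203000+000).",
    r"Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Tue Feb 19 07:59:03 2008 Process C:\WINDOWS\system32\winlogon.exe (PID: 956): suspicious action. Attempt to modify list of modules executed during system startup (key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}, value LastPolicyTime, data 0x00e1cd8a (14798218)).",
    r"Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Tue Feb 19 08:07:06 2008 Process C:\WINDOWS\System32\svchost.exe (PID: 1400): suspicious action. Attempt to modify list of modules executed during system startup (key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PCHealth\PchSvc, value DataCollection, data 20080219080706.000000-000).",
    r"Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Tue Feb 19 15:59:45 2008 Process C:\WINDOWS\System32\svchost.exe (PID: 1404): suspicious action. Attempt to modify list of modules executed during system startup (key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center, value FirewallDisableNotify, data 0x00000001 (1)).",
    r"Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Wed Feb 20 11:14:36 2008 Process C:\WINDOWS\system32\ie4uinit.exe (PID: 3088): suspicious action. Attempt to create Microsoft Internet Explorer settings (key HKEY_USERS\S-1-5-21-3118971187-510172217-1756445218-2659\Software\Microsoft\Internet Explorer\Main, value Local Page, data C:\WINDOWS\system32\blank.htm).",
    r"Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Wed Feb 20 11:14:42 2008 Process C:\WINDOWS\system32\regsvr32.exe (PID: 3824): suspicious action. Attempt to modify list of modules executed during system startup (key HKEY_USERS\S-1-5-21-3118971187-510172217-1756445218-2659\Control Panel\Desktop, value SCRNSAVE.EXE, data C:\WINDOWS\System32\logon.scr).",
    r"Event Detection of possibly infected object happened on computer COMPUTERNAME in the domain DOMAIN at Thu Feb 21 09:12:00 2008 Process C:\Documents and Settings\user\Local Settings\Temp\svchost.exe (PID: 2210): suspicious action. Attempt to modify list of modules executed during system startup (key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, value Updater, data C:\Documents and Settings\user\Local Settings\Temp\svchost.exe).",
]

if __name__ == "__main__":
    review, suppressed = triage(SAMPLE_EVENTS)
    for (proc, key), n in suppressed.most_common():
        print(f"suppressed x{n}: {proc} -> {key}")
    for ev in review:
        target = ev["key"] + "\\" + ev["value"]
        print(f"REVIEW {ev['time']} {ev['proc']} (PID {ev['pid']}): "
              f"{ev['action']} {target} = {ev['data']}")
```

The allowlist is keyed on the full path of the writing process as well as the registry key, so a binary with the same file name running from somewhere other than System32 (the constructed last sample) is never suppressed, however innocent the key it touches looks. Feed the script the bodies of the notification emails and review the suppressed counter first: a pair that appears on every workstation at logon is almost certainly policy, while a pair that shows up on one machine is the one to look at.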