tstewart777

KAV quarantined a file and broke our finance server

Our CIO was trying to run a report from our finance server (he runs it from a shortcut directly off the server). For some reason KAV on his machine didn't want to let the app run (though it normally does for him and others). So I looked in his KAV install and it had flagged the file (an EXE) as quarantined and I tried to restore it. Somehow it deleted the file. Then we found it had deleted it from its folder on the server! Instantly, no one could run a financial report. Fortunately I found an old install of the files from our system (FRX) on the finance server and the EXE file was in there, thankfully the same version as the vanished one. I copied it to the original location and saved the day. Is this normal behavior for the KAV client to nuke a file off a server that KAV is not running on? It could have been a huge problem if I didn't have a backup of that file.

Hi Tim - couple of things... if you don't add that file to exclusions/trusted processes, it will remove it again at the next scheduled virus scan on the server. Look in the admin kit, under deleted/quarantined files, and it should be there when cleaned. Add it as I stated before, and then restore it to its original location... make sure you add it to your server and workstation policies.

 

Is Kaspersky installed on the Server?

 

Are you running Terminal Services?

No, this is not normal behavior of KAV. I think this is a false positive of proactive defense caused by auto patch D.

Please try this solution.

If it does not work, then disable the proactive defense component. Also, do not forget to add it to the trusted zone as mentioned above.

"Fortunately I found an old install of the files from our system (FRX) on finance server and the EXE file was in there, thankfully same version as the vanished one. I copied it to original location and saved the day"

 

Wow... you don't have a real backup on this critical server?

 

Also you should be able to find a backup of the quarantined file in Admin Kit.

The last response was snotty. No, we don't have an image-level backup of that server, just the databases that live on it. Normally a program isn't deleting critical files off it. I was able to find the missing file from an old backup when we upgraded the server, and I'm sure there is also a copy in the quarantine folder; I will look for that today. It was just very bad timing as the finance people were running reports for an audit. I was just surprised that KAV is that aggressive. I've added an exclusion to the rules for that file. Thanks.

 
