george.h

KES 8.1.0.1042 Unprocessed Objects (again) [In progress]


Every so often this thorn keeps cropping up.

We've recently seen a number of dodgy emails come in with suspect attachments - the usual xxxx.ZIP containing what appears to be a PDF file but is actually an executable. First of all, of the three incidents so far, only the second was flagged by Kaspersky (taking your eye off the ball?). The others were contained/prevented by staff diligence. The actual threat when eventually detected (after the next 12-hourly update) was:

Event Threats have been detected happened on computer 66DLPZ1 in the domain COLOURHOLOGRAPH on 15 May 2015 6:43:33AM (GMT+00:00)

Event type: Threats have been detected

Application\Name: OUTLOOK.EXE

Application\Path: C:\Program Files (x86)\Microsoft Office\OFFICE11\

Application\Process ID: 4028

Application\Options: "C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE"

Component: Mail Anti-Virus

Result\Description: Detected

Result\Type: Trojan program

Result\Name: Trojan-Downloader.Win32.Upatre.mdp

Result\Threat: High

Result\Precision: Exactly

Object: [From:David Fuentes][subject:Document for May 5][Time:2015/05/06 08:32:39]//may.zip//jnzic.exe

Object\Type: Email attachment

Object\Path: C:\Program Files (x86)\Microsoft Office\OFFICE11\OUTLOOK.EXE

Object\Name: jnzic.exe

 

The particular event above was from the third incident when KES (8.1.0.1024) eventually flagged it the next day.

The problem is this. I now have two machines which are showing the dreaded "Unprocessed Objects". I've gone onto the workstations themselves, cleared out the unprocessed and any quarantined objects. I've ensured the emails containing the attachments have been deleted AND deleted from the Deleted Items folder. However, they are STILL (over 24 hours later) showing "unprocessed objects" in KSC (9.3.75) - Kaspersky Network Agent is also 9.3.75.

All workstations are running Windows 7 Pro 64-bit.

So HOW THE HELL do I get rid of the "unprocessed objects" warning for these machines in KSC, without having to faff around a lot? This to me has NEVER been adequately addressed by Kaspersky and would appear to be just as bad in KES 10, judging by the posts on the forum.

Are Kaspersky EVER going to fix this properly and, even better, allow it to be cleared from KSC without having to touch individual workstations?

Our licenses are coming up for renewal in August so the answer to this is going to determine if we renew (and upgrade to KES 10) or go elsewhere.

Edited by Evgeny Borshchev
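
The attachments described in the post above (a ZIP whose member looks like a document but is an executable) can be checked by content rather than by name. The following is an added example, not part of the original thread and not Kaspersky's code; the function names, extension list and sample archives are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Extensions Windows runs directly on double-click (illustrative list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".cpl"}


def find_executables_in_zip(zip_bytes):
    """Return (member name, reason) for each ZIP member that looks like a Windows executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if info.flag_bits & 0x1:
                # Password-protected member: content cannot be read, so report it.
                findings.append((name, "encrypted member, content not inspected"))
                continue
            with archive.open(info) as member:
                magic = member.read(2)  # DOS/PE executables start with "MZ"
            extension = posixpath.splitext(name)[1].lower()
            if magic == b"MZ":
                findings.append((name, "MZ header in content"))
            elif extension in EXECUTABLE_EXTENSIONS:
                findings.append((name, "executable extension " + extension))
    return findings


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only for the constructed samples."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buffer.getvalue()


# Constructed samples: harmless placeholder bytes, not real malware.
SUSPECT_ZIP = build_sample_zip({
    "document.pdf.exe": b"MZ" + b"\x00" * 62,  # double extension, MZ magic
    "report.pdf": b"MZ" + b"\x00" * 62,        # PDF name, executable content
    "notes.txt": b"plain text",
})
CLEAN_ZIP = build_sample_zip({"real.pdf": b"%PDF-1.4\n% constructed sample\n"})

if __name__ == "__main__":
    for name, reason in find_executables_in_zip(SUSPECT_ZIP):
        print(name + ": " + reason)
```
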


Hello.

Could You please specify which exact versions of the products You are using?

There are similar topics in which solutions are provided, please check them:

http://forum.kaspersky.com/index.php?showtopic=228522

http://forum.kaspersky.com/index.php?showtopic=236721

In general, similar issues were fixed in an actual version of KES 10. Do You have a possibility to install actual versions?

Thank You.


Hi,

As per my original post, KES is 8.1.0.1042 (apologies for typo in original post), KSC is 9.3.75 as is Kaspersky Network Agent. We have a major server upgrade in the pipeline so I will not be looking to upgrade to KES 10 until after that - if at all. I'll take a look at the two links and get back to you.

Regards

George

P.S. "actual versions" ???

EDIT: I've just checked out the two links you kindly posted. However all they do is confirm that this is a problem which has NEVER been fixed. There are no proper solutions in either. 8.1.0.1042 is already beyond CF2 and PF4 was installed. STILL doesn't fix it. Also I get the distinct impression that it is still an issue in KES 10.

Edited by george.h


Hello.

Actually in KES 10 this kind of issue is absent. Probably it may be a good workaround for You.

Thanks.


Hi,

I'll look into this but it would be far from an acceptable solution. Unless I have misread things I'll need to update all my client PCs to KES 10 and update my Kaspersky server to KSC 10 as well. If correct then that is hardly a "work-around". Certainly not the sort of task I'd want to do when about to start an Office 365 migration and then migrating our main servers to 2012.

Regards

George

P.S. Off-topic a bit but when creating/editing a post (IE 11) why does the text I enter not "auto-wrap"? It is rather a pain to have to scroll all the way to the end of a very long line with no horizontal scroll bar.

Edited by george.h


We will inform the specialists working with the forum about your remark.

Thank You.


Interesting development over the weekend. After over 48 hours one of the two machines has gone from showing amber and "Unprocessed Objects" in KSC to green. The other is still showing an amber warning and "There are unprocessed objects". This is particularly interesting as nothing has changed on either of the two PCs.


Hi,

Does it help to enable the "do not disconnect from administration server" option in the host's properties?

Thank You!


Thanks, I'll give that a try and see what happens. I did double check on the problem PC if there was any trace of the problem objects but no, there isn't. On the client the infected emails had been deleted (and from the deleted items folder), the event logs had been cleared and showed no indication of unprocessed objects and there was nothing showing on the client under either unprocessed or quarantined objects. I'll force a restart on the PC later this evening (when the user has gone home).


Hello.

Please inform us of the result.

Thanks.


Hi,

Leaving "do not disconnect from server" ticked for this PC in KSC had not made any difference after over 12 hours. It has now cleared and gone back to green but that was after:

1. Rebooting the client PC
2. Rebooting the admin server (a Windows 2003 server box!)
3. Waiting another 12 hours!

This is far from an acceptable behavior for this. Clearing the unprocessed objects from the client should result in it showing as cleared in KSC at the next contact with the admin server, not after over 48 hours (in the case of one of the two PCs) and over 12 hours after rebooting both the PC AND the admin server (the second PC). This is an issue which has been raised multiple times over the life of KES 8/KSC 9 and has never been either properly explained (in terms of how it has happened or even how it is meant to work) or fixed.

Luckily I only have a couple of servers and a dozen or so PCs.... God help anyone who gets this problem (as they have in the past) and has hundreds or thousands of PCs.

Edited by george.h


Hi,

Fortunately, more recent versions do not have such a problem.

So, it's a good idea to keep your antivirus up-to-date.

Thank you!
