> HEUR:Trojan.Win32.Generic [Solved]
mihailsolovey
post 25.10.2013 19:41
Post #1
Newbie, Group: Members
Hi. Today our Kaspersky detected a virus, HEUR:Trojan.Win32.Generic, in c:\Windows\System32\drivers\tcpip.sys. Kaspersky couldn't do anything with it and placed the virus in quarantine. After a reboot, the PC's network card doesn't work. Please help! The virus has already attacked a lot of computers in the network. Please HELP!!!

This post has been edited by mihailsolovey: 25.10.2013 19:54
Ivan Sazhin
post 25.10.2013 19:42
Post #2
Technical Support Engineer, Group: KL Russia, From: Moscow
Hello!
Please be informed that this is not a virus, it is a false positive.
Please DO NOT REBOOT affected machines.
We will keep you updated.
mihailsolovey
post 25.10.2013 19:52
Post #3
Newbie, Group: Members
QUOTE(Ivan Sazhin @ 25.10.2013 19:42) *
Hello!
Please be informed that this is not a virus, it is a false positive.
Please DO NOT REBOOT affected machines.
We will keep you updated.


Thank you for quick answer! I'll wait!
Ian Duncan
post 25.10.2013 19:59
Post #4
Newbie, Group: KL USA
QUOTE(mihailsolovey @ 25.10.2013 10:41) *
Hi. Today our Kaspersky detected a virus, HEUR:Trojan.Win32.Generic, in c:\Windows\System32\drivers\tcpip.sys. Kaspersky couldn't do anything with it and placed the virus in quarantine. After a reboot, the PC's network card doesn't work. Please help! The virus has already attacked a lot of computers in the network. Please HELP!!!


Hello,

I work for Kaspersky and I wanted to let you know that this is not a virus. Kaspersky has identified an issue and there is a workaround available. Also, the official fix will be released in an hour to an hour and a half.

Proposed workaround:
1) Create an exclusion for tcpip.sys for file AV
2) Disable “File antivirus”
3) Restore tcpip.sys from quarantine


If the TCPIP file was deleted, then you will need to restore the file locally after following steps 1-3 as listed above.
kfriday
post 25.10.2013 20:00
Post #5
Newbie, Group: Members
The exact same thing happened to me. I wish I had seen this forum first. I already restarted the computer. Out of 40 computers on our network, this is the only one that had this message pop up, so I figured it was legitimate.

After I saw this, I restored the file from quarantine, disabled Kaspersky and restarted the computer again. The network card is still not working. Any idea what I can do to fix this?

The workstation is a Dell OptiPlex 790 running 32bit Windows 7 Professional.

Any help would be appreciated.

Thanks!
Ivan Sazhin
post 25.10.2013 20:07
Post #6
Technical Support Engineer, Group: KL Russia, From: Moscow
PLEASE DO NOT REBOOT ANY AFFECTED COMPUTERS!

We will provide you with the new steps of the workaround/solution as soon as possible.
We are very sorry for the inconvenience.
Ian Duncan
post 25.10.2013 20:11
Post #7
Newbie, Group: KL USA
Hello,

Please be advised of the change to the steps that were posted earlier for this workaround.

Proposed workaround:
1) Create an exclusion for tcpip.sys for file AV
2) Disable “File antivirus”
3) Restore tcpip.sys from quarantine
4) Re-enable File AV, at this point all should be ok

If the TCPIP file was deleted, then you will need to restore the file locally after following steps 1-3 as listed above.

** Please only perform this on one test machine prior to performing this across the network.
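Before restoring the quarantined copy or rebooting, an administrator will want to know whether tcpip.sys is actually present and whether it matches the copy on an unaffected PC. The following PowerShell report is an added example (not from the thread or from Kaspersky): the driver path is the one named in the thread, and the reference hash parameter is an assumed input you take from a known-good machine with the same OS build and patch level.

```powershell
# Added example, not part of the original thread.
param(
    [string]$DriverPath      = "$env:SystemRoot\System32\drivers\tcpip.sys",
    [string]$ReferenceSha256 = ''   # SHA-256 of tcpip.sys from an unaffected PC (assumed input, optional)
)

function Get-DriverReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # A missing driver is the post-reboot state the thread describes: no TCP/IP stack, no network.
        return New-Object PSObject -Property @{
            Path = $Path; Present = $false; Bytes = 0; Sha256 = $null; Signature = 'Missing'
        }
    }
    # Hash via .NET so this also runs on Windows 7 hosts whose PowerShell lacks Get-FileHash.
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash($stream) }
    finally { $stream.Close() }
    $sha = -join ($hash | ForEach-Object { $_.ToString('x2') })
    # OS drivers are catalog-signed; older PowerShell reports them as NotSigned,
    # so treat Signature as advisory and rely on the hash comparison.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path      = $Path
        Present   = $true
        Bytes     = (Get-Item -LiteralPath $Path).Length
        Sha256    = $sha
        Signature = $sig.Status
    }
}

$report = Get-DriverReport -Path $DriverPath
$report | Format-List Path, Present, Bytes, Sha256, Signature

if (-not $report.Present) {
    Write-Warning 'tcpip.sys is missing: restore it from quarantine (or repair it locally) before any reboot.'
} elseif ($ReferenceSha256 -and ($report.Sha256 -ne $ReferenceSha256.ToLower())) {
    Write-Warning 'tcpip.sys differs from the reference machine: confirm both PCs have the same OS build and patch level before treating the detection as a false positive.'
} else {
    Write-Output 'tcpip.sys is present; record the hash above on an unaffected PC to use as the reference.'
}
```

Run it first on a PC that did not raise the detection to capture the reference hash, then on the affected PC; a hash match on the same build confirms the file Kaspersky flagged is the ordinary Microsoft driver.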
glabrador
post 25.10.2013 20:19
Post #8
Advanced Member V, Group: Members
What applications are affected by this? KAV6, KES8, KES10?
Ivan Sazhin
post 25.10.2013 20:22
Post #9
Technical Support Engineer, Group: KL Russia, From: Moscow
QUOTE(glabrador @ 25.10.2013 20:19) *
What applications are affected by this? KAV6, KES8, KES10?

At the moment we have information only about KAV WKS6. Should you have any additional information, please provide it to us as soon as possible.
Thank you in advance.
kfriday
post 25.10.2013 20:29
Post #10
Newbie, Group: Members
QUOTE(Ian Duncan @ 25.10.2013 11:11) *
Hello,

Please be advised of the change to the steps that were posted earlier for this workaround.

Proposed workaround:
1) Create an exclusion for tcpip.sys for file AV
2) Disable “File antivirus”
3) Restore tcpip.sys from quarantine
4) Re-enable File AV, at this point all should be ok

If the TCPIP file was deleted, then you will need to restore the file locally after following steps 1-3 as listed above.

** Please only perform this on one test machine prior to performing this across the network.


Is this only a workaround if you have not restarted your computer? I had restarted the computer before I saw this forum post. I tried this workaround and it's still not working.
Ivan Sazhin
post 25.10.2013 20:32
Post #11
Technical Support Engineer, Group: KL Russia, From: Moscow
QUOTE(kfriday @ 25.10.2013 20:29) *
Is this only a workaround if you have not restarted your computer? I had restarted the computer before I saw this forum post. I tried this workaround and it's still not working.


Hello!
We are currently working on a solution for rebooted machines.
We will keep you updated.
glabrador
post 25.10.2013 20:35
Post #12
Advanced Member V, Group: Members
QUOTE(kfriday @ 25.10.2013 11:29) *
Is this only a workaround if you have not restarted your computer? I had restarted the computer before I saw this forum post. I tried this workaround and it's still not working.

It's going to depend on the frequency of synchronizations you've set until the modified policy gets applied. The default is 15 min but you have the option to "Force synchronization".
Dellion
post 25.10.2013 20:39
Post #13
Advanced Member I, Group: Members, From: Kaspersky Lab USA
QUOTE(glabrador @ 25.10.2013 11:35) *
It's going to depend on the frequency of synchronizations you've set until the modified policy gets applied. The default is 15 min but you have the option to "Force synchronization".


This does not apply to this issue.

This issue is the tcpip.sys getting removed which disables network connection abilities.

So if they rebooted the machine there will be NO way for an updated policy to be applied before the Kaspersky fix is released.

The above-mentioned workaround currently only works if they DO NOT reboot the machines once the issue occurs.


--------------------
Thanks,

Adam B
Systems Engineer
Kaspersky Lab
glabrador
post 25.10.2013 20:46
Post #14
Advanced Member V, Group: Members
QUOTE(Dellion @ 25.10.2013 11:39) *
This does not apply to this issue.

This issue is the tcpip.sys getting removed which disables network connection abilities.

So if they rebooted the machine there will be NO way for an updated policy to be applied before the Kaspersky fix is released.

The above-mentioned workaround currently only works if they DO NOT reboot the machines once the issue occurs.

What I'm saying is that if you create an exclusion for tcpip.sys in your policy, it may take a while for the policy to get distributed. So, if a client has not received the new policy, it will still detect tcpip.sys as a threat.
Nikolay Arinchev
post 25.10.2013 20:47
Post #15
Technical Support Specialist, Group: KL Russia
Hi,

QUOTE
if you create an exclusion for tcpip.sys in your policy it may take a while for the policy to get distributed

Actually, this is not correct. Policy applies immediately.


--------------------
In English: GSI report | AVZ report | KSC10 Traces | KES10 Traces | KSC9 Traces | KES8 Traces (RUS) | klnagchk log (RUS)

In Russian: GSI report | AVZ log | KSC10 traces | KES10 traces | KSC9 traces | KES8 traces | klnagchk utility report

Subscribe to news about corporate products

Please evaluate support help by using the "Rating" option!
Please rate the help provided by using the "Rating" option in the topic title!
Dellion
post 25.10.2013 20:49
Post #16
Advanced Member I, Group: Members, From: Kaspersky Lab USA
QUOTE(glabrador @ 25.10.2013 11:46) *
What I'm saying is that if you create an exclusion for tcpip.sys in your policy, it may take a while for the policy to get distributed. So, if a client has not received the new policy, it will still detect tcpip.sys as a threat.


Ah. My apologies. Your statement is correct.

I feel, however, that he was stating that the workaround in general didn't work... not just the policy enforcement. But I could be wrong (it has happened before).
glabrador
post 25.10.2013 20:58
Post #17
Advanced Member V, Group: Members
QUOTE(Nikolay Arinchev @ 25.10.2013 11:47) *
Hi,
Actually, this is not correct. Policy applies immediately.

I stand corrected. Policy enforcement went pretty quickly, but I don't know about immediately.
Nikolay Arinchev
post 25.10.2013 21:03
Post #18
Technical Support Specialist, Group: KL Russia
Well, it is supposed to be instant, but it depends on the number of PCs, network configuration, etc.
To be honest, there is a possibility that the policy will be applied during synchronization - it can happen when UDP 1500 is closed.
So please be aware of that fact.
Kris10
post 25.10.2013 21:18
Post #19
Newbie, Group: Members
I'm struggling with this too.
A few PCs that have been rebooted.
Exclusion has now been added. Networking is still not working.
Kris10
post 25.10.2013 21:23
Post #20
Newbie, Group: Members
KAV support just suggested I try a system restore. I'll come back and let you know if it worked.


QUOTE(Kris10 @ 25.10.2013 12:18) *
I'm struggling with this too.
A few PCs that have been rebooted.
Exclusion has now been added. Networking is still not working.
