Post #1, 25.10.2013 19:41
Newbie (Group: Members, Posts: 2, Joined: 25.10.2013)

Hi. Today our Kaspersky detected a virus, HEUR:Trojan.Win32.Generic, in c:\Windows\System32\drivers\tcpip.sys. Kaspersky couldn't do anything with it and placed the virus in quarantine. After a reboot, the PC's network card doesn't work. Please help! The virus has already attacked a lot of computers in the network. Please HELP!!!

This post has been edited by mihailsolovey: 25.10.2013 19:54
Post #2, 25.10.2013 19:42
Technical Support Engineer (Group: KL Russia, Posts: 5169, Joined: 10.09.2013, From: Moscow)

Hello!

Please be informed that this is not a virus, it is a false positive. Please DO NOT REBOOT affected machines. We will keep you updated.

--------------------
In English: GSI report | AVZ report | KSC10 Traces | KES10 Traces | KSC9 Traces | KES8 Traces (RUS) | klnagchk log (RUS)
In Russian: GSI report | AVZ log | KSC10 traces | KES10 traces | KSC9 traces | KES8 traces | klnagchk utility report
Post #3, 25.10.2013 19:52
Newbie (Group: Members, Posts: 2, Joined: 25.10.2013)
Post #4, 25.10.2013 19:59
Newbie (Group: KL USA, Posts: 3, Joined: 13.02.2013)

QUOTE: Hi. Today our Kaspersky detected a virus, HEUR:Trojan.Win32.Generic, in c:\Windows\System32\drivers\tcpip.sys. Kaspersky couldn't do anything with it and placed the virus in quarantine. After a reboot, the PC's network card doesn't work. Please help! The virus has already attacked a lot of computers in the network. Please HELP!!!

Hello, I work for Kaspersky and I wanted to let you know that this is not a virus. Kaspersky has identified an issue and there is a workaround available. Also, the official fix will be released in an hour to an hour and a half.

Proposed workaround:
1) Create an exclusion for tcpip.sys for File AV
2) Disable "File antivirus"
3) Restore tcpip.sys from quarantine

If the TCPIP file was deleted, then you will need to restore the file locally after following steps 1-3 as listed above.
Post #5, 25.10.2013 20:00
Newbie (Group: Members, Posts: 2, Joined: 14.05.2013)

The exact same thing happened to me. I wish I had seen this forum first. I already restarted the computer. Out of 40 computers on our network, this is the only one that had this message pop up, so I figured it was legitimate.

After I saw this, I restored the file from quarantine, disabled Kaspersky and restarted the computer again. The network card is still not working. Any idea what I can do to fix this? The workstation is a Dell OptiPlex 790 running 32-bit Windows 7 Professional. Any help would be appreciated. Thanks!
Post #6, 25.10.2013 20:07
Technical Support Engineer (Group: KL Russia, Posts: 5169, Joined: 10.09.2013, From: Moscow)

PLEASE DO NOT REBOOT ANY AFFECTED COMPUTERS!

We will provide you with the new steps of the workaround/solution as soon as possible. We are very sorry for the inconvenience.
Post #7, 25.10.2013 20:11
Newbie (Group: KL USA, Posts: 3, Joined: 13.02.2013)

Hello,

Please be advised of the change to the steps that were posted earlier for this workaround.

Proposed workaround:
1) Create an exclusion for tcpip.sys for File AV
2) Disable "File antivirus"
3) Restore tcpip.sys from quarantine
4) Re-enable File AV; at this point all should be OK

If the TCPIP file was deleted, then you will need to restore the file locally after following steps 1-3 as listed above.

** Please only perform this on one test machine prior to performing this across the network.
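A check worth running on the one test machine before and after the restore, given as an added example (this is not code from the thread, from Kaspersky Lab or from any poster above): it verifies that tcpip.sys carries a valid Microsoft Authenticode signature, which is the practical way to confirm that the quarantined or restored copy is the genuine driver rather than a tampered one, and it covers the case post #7 leaves to the administrator, a tcpip.sys that was deleted rather than quarantined, by looking for a Microsoft-signed copy in the WinSxS component store and copying it back. It assumes an elevated PowerShell session on the affected Windows 7 machine, the default Windows paths, and that the component-store folders holding this driver have names containing "microsoft-windows-tcpip-binaries"; those paths, that folder-name pattern and the function names are assumptions of this example, not details from the page.

```powershell
# Added example, not code from the thread or from Kaspersky Lab.
# Assumptions (not stated on the page): elevated PowerShell on the affected Windows 7
# machine; the paths below and the WinSxS folder-name pattern are assumed, not verified here.
$DriverPath = 'C:\Windows\System32\drivers\tcpip.sys'
$WinSxS     = 'C:\Windows\WinSxS'

# tcpip.sys is a Microsoft-signed kernel driver. A valid Authenticode signature from a
# Microsoft signer is the practical test that a copy is genuine, whether it is the file on
# disk, a copy taken out of quarantine, or a copy found in the component store.
function Test-MicrosoftSigned {
    param([Parameter(Mandatory = $true)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate -ne $null -and
            $sig.SignerCertificate.Subject -like '*Microsoft*')
}

# Microsoft-signed copies of tcpip.sys in the component store, newest file version first.
# The folder-name filter is an assumption about how WinSxS names this component.
function Find-ComponentStoreCopies {
    Get-ChildItem -Path $WinSxS -Recurse -Filter 'tcpip.sys' -ErrorAction SilentlyContinue |
        Where-Object { $_.Directory.Name -like '*microsoft-windows-tcpip-binaries*' } |
        Where-Object { Test-MicrosoftSigned $_.FullName } |
        Sort-Object { [version](($_.VersionInfo.FileVersion -split ' ')[0]) } -Descending
}

if (Test-Path $DriverPath) {
    if (Test-MicrosoftSigned $DriverPath) {
        Write-Output 'tcpip.sys is present and carries a valid Microsoft signature; nothing to restore.'
    } else {
        # Present but not verifiably Microsoft's: do not trust it. An existing file under
        # TrustedInstaller ownership cannot simply be overwritten by Administrators, so the
        # supported route is 'sfc /scannow' rather than Copy-Item.
        Write-Output 'tcpip.sys is present but its signature did not verify. Run sfc /scannow or restore a known-good copy.'
    }
} else {
    $copies = @(Find-ComponentStoreCopies)
    if ($copies.Count -eq 0) {
        Write-Output 'No signed tcpip.sys found in WinSxS; restore it from quarantine, from a machine with the same build, or via sfc /scannow.'
    } else {
        $src = $copies[0]
        Write-Output ('Restoring {0} (file version {1})' -f $src.FullName, $src.VersionInfo.FileVersion)
        # Administrators can create a new file in System32\drivers, so this works only
        # because the original was deleted; see the comment above for the overwrite case.
        Copy-Item -Path $src.FullName -Destination $DriverPath
        # Verify the copy in place. tcpip.sys is loaded at boot, so a reboot is still needed
        # before the network adapter works again; do not reboot on a copy that fails here.
        if (Test-MicrosoftSigned $DriverPath) {
            Write-Output 'Restored copy verified. Reboot to load the driver.'
        } else {
            Write-Output 'Restored copy failed signature verification; do not reboot on it.'
        }
    }
}
```

The signature check is the part to keep even if the restore path is never needed: run it on the file Kaspersky flagged, or on the copy taken back out of quarantine, and a valid Microsoft signature is strong evidence the detection was a false positive, while a missing or invalid signature means the machine deserves a real investigation before the file is excluded from scanning. Picking the highest file version in WinSxS is a heuristic for "the copy the installed updates left in use"; on a machine with network access, `sfc /scannow` is the supported way to repair a protected system file.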
Post #8, 25.10.2013 20:19
Advanced Member V (Group: Members, Posts: 1144, Joined: 21.07.2008)

What applications are affected by this? KAV6, KES8, KES10?
Post #9, 25.10.2013 20:22
Technical Support Engineer (Group: KL Russia, Posts: 5169, Joined: 10.09.2013, From: Moscow)

QUOTE: What applications are affected by this? KAV6, KES8, KES10?

At the moment we have information only about KAV WKS6. Should you have any additional information, please provide it to us as soon as possible. Thank you in advance.
Post #10, 25.10.2013 20:29
Newbie (Group: Members, Posts: 2, Joined: 14.05.2013)

QUOTE: Hello, Please be advised of the change to the steps that were posted earlier for this workaround. Proposed workaround: 1) Create an exclusion for tcpip.sys for File AV 2) Disable "File antivirus" 3) Restore tcpip.sys from quarantine 4) Re-enable File AV; at this point all should be OK. If the TCPIP file was deleted, then you will need to restore the file locally after following steps 1-3 as listed above. ** Please only perform this on one test machine prior to performing this across the network.

Is this only a workaround if you have not restarted your computer? I had restarted the computer before I saw this forum post. I tried this workaround and it's still not working.
Post #11, 25.10.2013 20:32
Technical Support Engineer (Group: KL Russia, Posts: 5169, Joined: 10.09.2013, From: Moscow)

QUOTE: Is this only a workaround if you have not restarted your computer? I had restarted the computer before I saw this forum post. I tried this workaround and it's still not working.

Hello! We are currently working on a solution for rebooted machines. We will keep you updated.
Post #12, 25.10.2013 20:35
Advanced Member V (Group: Members, Posts: 1144, Joined: 21.07.2008)

QUOTE: Is this only a workaround if you have not restarted your computer? I had restarted the computer before I saw this forum post. I tried this workaround and it's still not working.

It's going to depend on the frequency of synchronizations you've set until the modified policy gets applied. The default is 15 min, but you have the option to "Force synchronization".
Post #13, 25.10.2013 20:39
Advanced Member I (Group: Members, Posts: 184, Joined: 25.06.2012, From: Kaspersky Lab USA)

QUOTE: It's going to depend on the frequency of synchronizations you've set until the modified policy gets applied. The default is 15 min, but you have the option to "Force synchronization".

This does not apply to this issue. This issue is the tcpip.sys getting removed, which disables network connection abilities. So if they rebooted the machine there will be NO way for an updated policy to be applied before the Kaspersky fix is released. The above-mentioned workaround currently only works if they DO NOT reboot the machines once the issue occurs.

--------------------
Thanks,
Adam B
Systems Engineer
Kaspersky Lab
Post #14, 25.10.2013 20:46
Advanced Member V (Group: Members, Posts: 1144, Joined: 21.07.2008)

QUOTE: This does not apply to this issue. This issue is the tcpip.sys getting removed, which disables network connection abilities. So if they rebooted the machine there will be NO way for an updated policy to be applied before the Kaspersky fix is released. The above-mentioned workaround currently only works if they DO NOT reboot the machines once the issue occurs.

What I'm saying is, if you create an exclusion for tcpip.sys in your policy it may take a while for the policy to get distributed. So, if a client has not received the new policy, it will still detect tcpip.sys as a threat.
Post #15, 25.10.2013 20:47
Technical Support Specialist (Group: KL Russia, Posts: 11983, Joined: 5.10.2009)

Hi,

QUOTE: if you create an exclusion for tcpip.sys in your policy it may take a while for the policy to get distributed

Actually, this is not correct. Policy applies immediately.

--------------------
In English: GSI report | AVZ report | KSC10 Traces | KES10 Traces | KSC9 Traces | KES8 Traces (RUS) | klnagchk log (RUS)
In Russian: GSI report | AVZ log | KSC10 traces | KES10 traces | KSC9 traces | KES8 traces | klnagchk utility report
Subscribe to news about corporate products
Please evaluate support help by using the "Rating" option!
(In Russian: Please rate the help provided using the "Rating" option in the topic title!)
Post #16, 25.10.2013 20:49
Advanced Member I (Group: Members, Posts: 184, Joined: 25.06.2012, From: Kaspersky Lab USA)

QUOTE: What I'm saying is, if you create an exclusion for tcpip.sys in your policy it may take a while for the policy to get distributed. So, if a client has not received the new policy, it will still detect tcpip.sys as a threat.

Ah. My apologies. Your statement is correct. I feel, however, that he was stating that the workaround in general didn't work, not just the policy enforcement. But I could be wrong (it has happened before).
Post #17, 25.10.2013 20:58
Advanced Member V (Group: Members, Posts: 1144, Joined: 21.07.2008)
Post #18, 25.10.2013 21:03
Technical Support Specialist (Group: KL Russia, Posts: 11983, Joined: 5.10.2009)

Well, it is supposed to be instant, but it depends on the number of PCs, network configuration, etc.

To be honest, there is a possibility that the policy will only be applied during synchronization; this can happen when UDP 1500 is closed. So please be aware of that fact.
Post #19, 25.10.2013 21:18
Newbie (Group: Members, Posts: 5, Joined: 7.01.2012)

I'm struggling with this too.

A few PCs have been rebooted. The exclusion has now been added. Networking is still not working.
Post #20, 25.10.2013 21:23
Newbie (Group: Members, Posts: 5, Joined: 7.01.2012)