cancel
Showing results for 
Search instead for 
Did you mean: 

Exploit-ObscuredHtml False Alarm

Hello,

I am using Microsoft SQL Server 2005. From within the Management Studio, when I execute SQL code whose output has HTML tags in it, I receive the following virus notification from McAfee AntiVirus Enterprise 8.5.0i:

Message = All hands on deck!!! VirusScan Alert!!!!
Date and Time = 2008-01-03 14:01:15
Name = C:\Documents and Settings\Administrator\Local Settings\Temp\tmp4B5.tmp
Detected As = Exploit-ObscuredHtml
State = Deleted

And I get the following error in the Management Studio:
An error occurred while executing batch. Error message is: Invalid calling sequence: file stream must be initialized first.

I believe this to be a false alarm because I can faithfully reproduce it and by changing the output of the SQL statement that I am executing to not put out HTML tags, I can prevent this trojan virus error from occurring. However, I need my SQL code to output HTML, so it is not an option to strip the HTML tags from the output.

I am running with the latest patches and updates.

Regards,

Mike
5 Replies
Jubo
Level 9
Report Inappropriate Content
Message 2 of 6

RE: Exploit-ObscuredHtml False Alarm

And this happens with which DAT file? Right click red/blue VShield in systray and "About VirusScan..."

There was an issue with DAT file 5197, as described here: http://community.mcafee.com/showthread.php?t=217668, but you still have it?

RE: Exploit-ObscuredHtml False Alarm

Thanks for replying. I am running DAT version 5199.0000 dated January 3, 2008. The scan engine version is 5200.2160.
D-Fens
Level 7
Report Inappropriate Content
Message 4 of 6

RE: Exploit-ObscuredHtml False Alarm

with the news DATs the false-positive should be corrected.
if not, submit a sample to https://www.webimmune.net/default.asp

RE: Exploit-ObscuredHtml False Alarm

Thanks, D-Fens. I will submit some information as soon as I get a chance.

Exploit-ObscuredHtml False Alarm

We have also received this error, using 8.5i and DAT 5229. We have been able to duplicate the error many times.

Originally, this was detected with 8.0, scan engine 5200 DAT 5228.