Showing results for 
Search instead for 
Did you mean: 

Virus with no Action

I have in "Threat Event Log Details":

Threat Target File Path:C:\Program Files\Quest Software\Toad for Oracle\toad.exe
Event Category:Malware
Event ID:1059
Threat Severity:Alert
Threat Name:_
Threat Type:Virus
Action Taken:None

If VSE detect file as Virus,  why  "action taken" is none?

If this file is not virus, why it alert?

on 12/30/10 4:45:06 AM CST
3 Replies
Level 15
Report Inappropriate Content
Message 2 of 4

Re: Virus with no Action

Isn't Event ID 1059 a scan timed out event?

From EPO (4.0) event Filtering screen:-

1057: Unable to move infected file to quarantine. (High)
1059: Scan Timed Out (Medium)
1060: Boot sector virus was cleaned (Medium)
1061: Error while cleaning boot sector virus (High)

Re: Virus with no Action


But, if it is only "timed out", why it is called "Virus"?

Level 15
Report Inappropriate Content
Message 4 of 4

Re: Virus with no Action

But, if it is only "timed out", why it is called "Virus"?

That has been a long standing nuisance behavior in the product. I think we have it taken care of in VSE 8.8, though I'm yet to see how they are being labeled.

The original school of thought was, "This is a file we could not scan within the specified time. We do not know if it's clean or infected, therefore we'll categorize it as virus to fail on the side of caution, and allow the user access to the file". At which point, it was up to the administrator to inspect the files (in response to the alerts) and perhaps invoke On-Demand scans on them if warranted, or, as I find most people do... ignore them .

Realistically, I would not be concerned with timeouts either - unless, they are occurring frequently, then they need to be understood - and the scanner configuration revised.

Indeed, taking advantage of a scanner's "timeout" threshold is something malware writers could exploit to make bad things happen. Just be mindful that On-Demand scans have no timeout threshold, so this is the recommended way to ensure everything gets scanned in your environment.

I can foresee a product enhancement request saying to provide a feature that denies access to files when a timeout occurs... in the interest of security, I like that idea, but it will be troublesome for You, the customer, to then figure out how to handle those files.

I can also foresee a product enhancement request that says, "When a timeout occurs, automatically initiate an ODS against that file _before_ allow user access to it". I like this one too.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee