3 Replies Latest reply on Dec 31, 2010 9:23 AM by wwarren

    Virus with no Action

      I have in "Threat Event Log Details":


      Threat Target File Path:C:\Program Files\Quest Software\Toad for Oracle\toad.exe
      Event Category:Malware
      Event ID:1059
      Threat Severity:Alert
      Threat Name:_
      Threat Type:Virus
      Action Taken:None


      If VSE detects the file as a Virus, why is "Action Taken" none?

      If this file is not a virus, why does it alert?


      on 12/30/10 4:45:06 AM CST
        • 1. Re: Virus with no Action
          Tristan

          Isn't Event ID 1059 a scan timed out event?


          From EPO (4.0) event Filtering screen:-


          1057: Unable to move infected file to quarantine. (High)
          1059: Scan Timed Out (Medium)
          1060: Boot sector virus was cleaned (Medium)
          1061: Error while cleaning boot sector virus (High)

          • 2. Re: Virus with no Action

            Thanks.

            But if it is only "timed out", why is it called "Virus"?

            • 3. Re: Virus with no Action
              wwarren


              But if it is only "timed out", why is it called "Virus"?


              That has been a long-standing nuisance behavior in the product. I think we have it taken care of in VSE 8.8, though I'm yet to see how they are being labeled.

              The original school of thought was, "This is a file we could not scan within the specified time. We do not know if it's clean or infected, therefore we'll categorize it as virus to fail on the side of caution, and allow the user access to the file". At which point, it was up to the administrator to inspect the files (in response to the alerts) and perhaps invoke On-Demand scans on them if warranted, or, as I find most people do... ignore them.


              Realistically, I would not be concerned with timeouts either, unless they are occurring frequently; then they need to be understood and the scanner configuration revised.

              Indeed, taking advantage of a scanner's "timeout" threshold is something malware writers could exploit to make bad things happen. Just be mindful that On-Demand scans have no timeout threshold, so this is the recommended way to ensure everything gets scanned in your environment.


              I can foresee a product enhancement request saying to provide a feature that denies access to files when a timeout occurs... in the interest of security, I like that idea, but it will be troublesome for you, the customer, to then figure out how to handle those files.

              I can also foresee a product enhancement request that says, "When a timeout occurs, automatically initiate an ODS against that file _before_ allowing user access to it". I like this one too.
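As an added example (not code from this thread or from McAfee), the following script applies the triage wwarren describes: it parses "Threat Event Log Details" records in the key:value layout shown in the question, separates Event ID 1059 scan timeouts from real detections using the ePO 4.0 event-ID list Tristan quoted, and lists paths that time out repeatedly as candidates for an On-Demand scan. The log records are constructed sample data; the threshold of two timeouts per path is an assumption.

```python
import re
from collections import Counter

# Event IDs as listed in the ePO 4.0 event-filtering screen quoted in this thread.
EVENT_IDS = {
    1057: "Unable to move infected file to quarantine",
    1059: "Scan Timed Out",
    1060: "Boot sector virus was cleaned",
    1061: "Error while cleaning boot sector virus",
}
SCAN_TIMEOUT = 1059

# Constructed sample: three records in the key:value layout from the question,
# separated by blank lines. Only the fields needed for triage are included.
SAMPLE_LOG = """\
Threat Target File Path:C:\\Program Files\\Quest Software\\Toad for Oracle\\toad.exe
Event ID:1059
Threat Type:Virus
Action Taken:None

Threat Target File Path:C:\\Program Files\\Quest Software\\Toad for Oracle\\toad.exe
Event ID:1059
Threat Type:Virus
Action Taken:None

Threat Target File Path:C:\\Data\\archive.zip
Event ID:1057
Threat Type:Virus
Action Taken:None
"""

def parse_events(text):
    """Split the log into blank-line-separated records; return one dict per record."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # Split each line on the first ':' only, so drive letters in paths survive.
        fields = dict(line.split(":", 1) for line in block.splitlines() if ":" in line)
        fields["Event ID"] = int(fields["Event ID"])
        events.append(fields)
    return events

def triage(events, threshold=2):
    """Return (timeouts per path, non-timeout detections, paths needing an ODS).
    A path is an On-Demand Scan candidate once it has timed out `threshold` times,
    since an ODS has no timeout threshold and will scan the file completely."""
    timeouts = Counter(e["Threat Target File Path"] for e in events if e["Event ID"] == SCAN_TIMEOUT)
    detections = [e for e in events if e["Event ID"] != SCAN_TIMEOUT]
    ods_candidates = sorted(p for p, n in timeouts.items() if n >= threshold)
    return timeouts, detections, ods_candidates
```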