Since it's only in the "temp" folder and temp file(s), what happens when you empty the temp folder?
I would imagine, without a file, no detection would take place. It is detecting and removing (deleting) them without any other detections. We currently have many systems detecting the same "type" of file in the same Windows\temp folder. These systems are also located in multiple geographic locations; not the same network... It is always a 3 or 4 character named file with only letters or numbers and tmp as the extension. I'm wondering if it is a possible bad DAT update.... This just started yesterday evening.
If it was a bad DAT update we would hear it from more people. But so far... Do you happen to know which application these temp files are coming from?
By the way... since you're corporate... support for corporate products can be found here: CORPORATE PROTECTION IN BUSINESS ENVIRONMENT
I will get them to update to see if there is an improvement.
That may have resolved the Generic.dx!byi. However, we are getting Generic.dx!cqw:
(Which I just refreshed and noticed the new updated DAT version: 5706)
I updated to the latest 5706 DAT and selected the "check for false positive" and it came back saying it scanned it and it was NOT a false positive. Still doesn't rule out a possible bad DAT/upgrade, I imagine.
File has already been analysed:
First received: 2008.02.04 13:59:13 UTC
Date: 2009.08.06 10:18:01 UTC [>5D]
My thoughts are that AV is detecting the update files placed in the TEMP folder during the DAT update process and that these files (which contain the signature data because they are, or are part of, the signature files) are not successfully removed after the update process like they should be, causing any scan or OAS to trigger a detection. If this is the case, then the files are not an actual Trojan, but just files possibly containing the same code. Thoughts?
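A quick way to test the two competing explanations in this thread (the "same type of file in Windows\temp on many unrelated systems" observation and the "leftover DAT update residue" hypothesis above) is to inventory the matching files on a few affected hosts, hash them, and see whether the contents are identical everywhere. The script below is an added triage example written for this thread; it is not code from any of the posters or from the vendor. It assumes the default Windows temp path (%SystemRoot%\Temp), the file-name pattern exactly as described (3 or 4 letters or digits plus a .tmp extension), and PowerShell 4.0 or later for Get-FileHash; the output file name and the Get-FileMagic helper are my own choices.

```powershell
# Added triage example (not from the original thread).
# Lists files in the temp folder whose names match the pattern reported above,
# records size, SHA-256 and the first bytes of each, and summarises by hash.
param(
    [string]$Path    = (Join-Path $env:SystemRoot 'Temp'),          # assumption: default temp folder
    [string]$OutFile = ".\tmp-triage-$($env:COMPUTERNAME).csv"      # assumption: per-host CSV name
)

# 3 or 4 alphanumeric characters, .tmp extension, as described in the thread
$pattern = '^[A-Za-z0-9]{3,4}\.tmp$'

function Get-FileMagic {
    # Hypothetical helper: returns the first (up to) 4 bytes as hex so we can tell
    # a Windows executable ("MZ" = 4D5A) apart from plain signature/archive data.
    param([string]$FullName)
    $buf = New-Object byte[] 4
    # FileShare ReadWrite so a scanner holding the file open does not block us
    $fs = [System.IO.File]::Open($FullName,
            [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read,
            [System.IO.FileShare]::ReadWrite)
    try { $n = $fs.Read($buf, 0, 4) } finally { $fs.Dispose() }
    if ($n -le 0) { return '' }
    return (($buf[0..($n - 1)] | ForEach-Object { $_.ToString('X2') }) -join '')
}

$rows = foreach ($f in Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue) {
    if ($f.Name -notmatch $pattern) { continue }
    try {
        $magic = Get-FileMagic -FullName $f.FullName
        $hash  = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    } catch {
        # On-access scanning may delete the file between listing and reading;
        # record that instead of aborting the whole inventory.
        $magic = 'UNREADABLE'
        $hash  = 'UNREADABLE'
    }
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Name         = $f.Name
        SizeBytes    = $f.Length
        LastWriteUtc = $f.LastWriteTimeUtc.ToString('o')
        Sha256       = $hash
        Magic        = $magic
        IsPE         = ($magic -like '4D5A*')   # "MZ" header = Windows executable
    }
}

# Per-host detail for merging across sites
$rows | Export-Csv -NoTypeInformation -Path $OutFile

# Summary: one line per distinct content hash, most common first
$rows | Group-Object Sha256 | Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Sha256'; e = { $_.Name } },
                  @{ n = 'IsPE';   e = { $_.Group[0].IsPE } },
                  @{ n = 'Names';  e = { ($_.Group.Name | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

Run it on a handful of detecting hosts from different locations and merge the CSVs. If every host shows the same one or two SHA-256 values and no MZ header, the contents are a shared artifact (consistent with update residue) and those hashes are what to submit with the false-positive request, rather than a file name that changes on every host. If the hashes differ from host to host and IsPE is true, treat it as a real incident regardless of what the "check for false positive" button says.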
We are up to a few thousand systems detecting this now over many locations.
Have asked if a tech or someone from Avert labs can have a look at this thread. Hopefully will hear something soon...
Can you contact the Enterprise support through their Support Portal?