" />

Tech Geek and More

Technology Explained for All


Alert: CA Anti-Virus does it again! Releases an update that starts treating system files like viruses

For the second time in ONE MONTH, CA has released an update that incorrectly treats legitimate files as virus-infected. The “false positive” this time reports that Windows and various program files are infected with the StdWin32 virus. The issue occurred Thursday 8/13, but I am still getting reports today from some clients of machines that are basically broken by this update. The problem this time affects those using the CA Threat Manager version of the software (see http://www.ca.com/us/products/product.aspx?ID=5926 if you would like to know what’s different in Threat Manager).

The problem release quarantined (and renamed to .AVB) various binary files, breaking programs like MS Visual Studio, Exchange and Arcserve. It seems that eventually it even started to detect some of CA Anti-Virus’s own files as infected and moved those into quarantine as well. The net result of all of this was a really messed-up system.

CA released the following statement:

“Last night, CA released a new updated antimalware engine. This new release has resulted in false positive detections of a number of files. CA Threat Manager customers are the only customers being affected by this issue. This is not a result of signature updates and does not impact CA consumer Internet security products.
To resolve the issue, CA has rolled back the new engine and re-released its previous antimalware engine. CA customer support representatives are on call to answer customer questions and to provide remediation support. A remediation tool to rename the quarantined files is now available through CA support and will soon be accessible online.
CA is aggressively working to resolve the issue, assist any customers who have been affected, as well as identify the root cause of the incident. We apologize for this inconvenience and look forward to the roll out of our new antimalware engine, which will ultimately offer our customers many benefits including enhanced malware protection and improved performance.”

Additionally, from CA Tech Support:

For the files which are already renamed or quarantined, we have uploaded the rename and un-quarantine tool to the link mentioned below.
ftp://ftp.ca.com/outgoing/8888888/17943192-01
File name: Renameavb2exe_with_date.rar
File Name: CA_Unquarantine.rar
File Name: Password.txt

Please download and run the rename tool or un-quarantine tool first to restore the files and then update the machines to version 34.0.0.6674.

Thanks
Tech Support

(SOAPBOX)

With all the increased malware and virus threats out there, I understand why there is a need to update signature files on any Anti-Virus program every few hours. However, considering how much more of our lives are now dependent on online activity, AV companies can NOT get careless with things like this update. For CA this is the 2nd time in a month, and I’m sure this has got to cost them customers. I have recommended CA to my clients for a few years now, as McAfee and Symantec have been bloatware in the past, but it is really hard to continue supporting a product that makes the same mistake twice in such a short time frame.

Tech: CA Anti-Virus software fails during update

One of the issues I have faced this week with a client is that they have CA A/V installed, and on all 9 of their PCs it would fail on update. You would get a message that says “Package failed to install”, then it would automatically try to download the update and try again. It seems that this can be a known CA issue (even though the CA solution did not work for me). Here is the solution from the CA support site:

Problem Resolution

1. If updates have never happened in the past on this PC, then do check if your system requirements meet minimum requirements (http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=3157) for CA Anti-Virus (depending on your subscription).

2. Disable your firewall (http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=2636) to check if this is causing a problem.

CA Personal Firewall will not block your CA updates.

However, if you are not using CA Personal Firewall, and if updates are working with your firewall disabled, then add the following websites to the exception list of your firewall (your firewall vendor or firewall help manuals will help you with this step):
http://consumerdownloads.ca.com/
http://etrustdownloads.ca.com/

3. If your computer is behind a proxy, then configure CA Anti-Virus with proxy settings (http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=1888).

4. Force Update the CA Anti-Virus using our hot fix (https://remoteassist.ca.com/supportbridge/jsp/selfserve/processScriptRequestOwnWindow.jsp?divisionID=7&scriptID=160).

5. Replace signature files manually:
a)  Delete or rename the following signature files (found in the location where you installed CA Anti-Virus):
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\vet.dat
C:\Program Files\ca\CA Internet Security Suite\CA Anti-Virus\vete.dll
C:\Program Files\ca\CA Internet Security Suite\CA Anti-Virus\isafeEngine.dll
C:\Program Files\ca\CA Internet Security Suite\CA Anti-Virus\caavresource.dll
C:\Program Files\ca\CA Internet Security Suite\CA Anti-Virus\caavproduct.dll
C:\Program Files\ca\CA Internet Security Suite\CA Anti-Virus\modules.txt

b)  Empty your recycle bin

c)  Right click on the CA Shield icon on the bottom right, and choose Update Product.


6. At this point, if the update fails, then please contact Technical Support through the additional support options below.
7. To fix this issue without contacting Technical Support, please follow these guidelines:
a)  Go to Start > Control Panel > Add/Remove Programs list and uninstall CA Anti-Virus alone from here.
b) Go through the on-screen instructions to uninstall and restart the PC.
c) Download a fresh copy (http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=3111) of your product from your online CA account.
d) Run the downloaded setup and follow on-screen instructions to install.
e) Once the installation is complete, restart your PC and your CA Anti-Virus will be up to date.

I did everything CA said step by step, and even after the reinstall CA would not update. I even tried on 2 of the PCs before contacting CA support, with no luck. Once I spoke to CA support, I had about the same amount of luck, as all they could say was that because CA was “broken” when Conficker (yep, the same one) infected the PCs on this network, the only way to get CA to work again was to reinstall Windows. (Yes, like I want to have to reinstall 8 different PCs and then reload software, including some custom applications that are from a different vendor and that I had no clue about.)

So I got an “old school” idea: use the CA files already loaded and working fine on another PC. I went back in and uninstalled CA on one of the PCs, then rebooted to clear the last of the files. Then I went through the following steps:

1. On restart, reinstalled a fresh copy of CA and rebooted again for good measure.

2. On this restart, I went into Task Manager. To start Task Manager, take any of the following actions:
   a. Press CTRL+ALT+DELETE, and then click Task Manager.
   b. Press CTRL+SHIFT+ESC.
   c. Right-click an empty area of the taskbar, and then click Task Manager.

3. In Task Manager, highlight each of the following processes and select End Process on each one:

    • CAVRID.exe
    • CCprovsp.exe
    • CCTray.exe
    • ISafe.exe
    • vetMsg.exe

4. Now go to c:\program files\CA\CA Internet Security Suite on the PC with a working copy of CA and copy all the files in the CA Internet Security Suite folder (note I said copy, not cut) onto a USB flash drive or other storage area (if you know how to transfer via the network, you can do that too). Once you have the files, go to the PC with the bad CA and paste all the files to the same c:\program files\CA\CA Internet Security Suite location on the broken PC. You will be prompted to replace files; say yes to all.

5. Now go to Start > Programs > CA > CA Internet Security > Update Product and then select the Update button. CA will now update and prompt you that your software is up to date.

6. Lastly, reboot one more time and you now have a fully recovered and working copy of CA.
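Copying a whole program folder from one PC to another over a USB drive (step 4 above) is only as good as the copy itself: a file dropped in transfer or an older signature file left behind would show up as the same “update failed” symptom again. The script below is an added example written for this page, not part of the original post and not a CA tool; it compares the known-good folder with the pasted copy by SHA-256 digest and reports anything missing, extra or changed. It assumes both folders are reachable as local paths (the USB drive and the C:\Program Files\CA\CA Internet Security Suite location) and, like the procedure itself, that both machines run the same product version. The file names in the constructed sample are the ones listed on this page; their contents are made up.

```python
"""Verify that a program folder copied from a known-good PC arrived intact
on the broken PC by comparing SHA-256 digests of both directory trees.

Added example for this page (not the post author's procedure nor a CA tool).
Assumption: both trees are local paths and the two installs are the same
product version, so a faithful copy means identical file contents.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_digests(root: Path) -> Dict[str, str]:
    """Map each file's path relative to root (forward slashes) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_trees(good: Path, copied: Path) -> Dict[str, List[str]]:
    """Report files missing from the copy, unexpected extras, and content
    mismatches.  Empty lists in every category mean the copy is faithful."""
    g, c = tree_digests(good), tree_digests(copied)
    return {
        "missing": sorted(set(g) - set(c)),
        "extra": sorted(set(c) - set(g)),
        "mismatch": sorted(k for k in g.keys() & c.keys() if g[k] != c[k]),
    }


def copy_is_faithful(report: Dict[str, List[str]]) -> bool:
    """True only when nothing is missing, extra or different."""
    return not any(report.values())


def demo() -> Dict[str, List[str]]:
    """Constructed sample: a 'good' tree and a 'copied' tree that lost one file
    in transfer and kept an older signature file.  File names come from the
    page; contents are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        copied = Path(tmp) / "copied"
        files = {
            "CA Anti-Virus/vet.dat": b"signature data (constructed)",
            "CA Anti-Virus/isafeEngine.dll": b"engine bytes (constructed)",
            "CA Anti-Virus/modules.txt": b"module list (constructed)",
        }
        for rel, data in files.items():
            for base in (good, copied):
                p = base / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        (copied / "CA Anti-Virus/modules.txt").unlink()           # lost in transfer
        (copied / "CA Anti-Virus/vet.dat").write_bytes(b"stale")  # older file left behind
        return compare_trees(good, copied)


if __name__ == "__main__":
    # Usage: python verify_copy.py <good_folder> <copied_folder>
    import sys
    if len(sys.argv) == 3:
        result = compare_trees(Path(sys.argv[1]), Path(sys.argv[2]))
    else:
        result = demo()
    for category, names in result.items():
        for name in names:
            print(f"{category}: {name}")
    print("copy is faithful" if copy_is_faithful(result) else "copy differs from source")
```

Run it against the USB drive folder and the pasted destination before step 5; an empty report is the signal that the update attempt is now being made against a complete, known-good set of files rather than a partial one.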

Software: (UPDATE) CA Apologizes for A/V Issue

The following post (apology) comes directly from CA ( http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=212102 ) concerning the Anti-Virus issues that started last week (http://techgeekandmore.wordpress.com/2009/07/09/alert-ca-anti-virus-update-for-79-causing-problems/).


Security Advisor News

False positive detection of Win32/Amalum

Published: 9 Jul 2009

“We apologize to our Internet security customers for the recent false positive detection of Win32/Amalum. We detected the errant file quickly and worked to resolve the issue as fast as possible to minimize its effect to our customers.

Historically, CA has a very low rate of false positive detections. We have stringent processes in place to make sure we are delivering the most comprehensive detection of malware. When we inspect a program for malware, our practice is to take all necessary steps to protect the customer rather than risk subjecting their systems and infrastructure to a security breach. Unfortunately, as malware has increased exponentially this has brought with it the increased possibility for false positives from all vendors.

We take this incident seriously and will learn from it to further improve our processes to prevent this from happening in the future. We will also continue to improve our detections and protect our customers while continuing to maintain the best quality possible.”

False Positive Alert

Issue: A recent CA DAT file release contained improperly formed malware detections that errantly detected clean files from Microsoft Windows Service Pack 3 and from the commercial Cygwin application. Affected files will be detected as “Win32\Amalum” variants with extensions such as ZZNRA, ZZOFK, ZZNPB, and ZZNRA.

Problem DAT: 6604 released July 8, 2009 at 11:00am EST

Impact: All files falsely detected as malware by these errant signatures will be quarantined and renamed with the following text appended to the file name “*.AVB”. This will prevent the affected files from running as the “.exe” file extension was changed. Please note the affected files remain intact as only the file extensions were modified.

Corrected DAT: 6606 released July 9, 2009 at 3:30am EST

Resolution: Update DAT files to DAT version listed above or later. ISS users should restore affected files from quarantine using the GUI. ITM customers should search local hard drives for files with the extension .AVB and manually rename to their original file extension by removing the appended text on the original file name. Please contact CA Support if further assistance is required. A tool to search a machine for files with .*.AVB extension and restore them to their original extension is available on request from support.
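The impact and resolution notes above describe a simple rename scheme: each falsely detected file keeps its contents and only gets “.AVB” appended to its name, so recovery means stripping that suffix again. The following is an added example written for this page; it is not CA’s rename tool (the one offered by support earlier on this page) and not the post author’s code. It assumes exactly the scheme the advisory states (“foo.exe” became “foo.exe.AVB”, contents untouched), walks a directory tree, and renames matches back, refusing to overwrite anything that already exists at the original name. It runs as a dry run unless told otherwise, which is the order a practitioner would want: see the list first, then apply.

```python
"""Restore files that a faulty antivirus signature quarantined by appending
".AVB" to their names (e.g. "calc.exe" -> "calc.exe.AVB").

Added example for this page, not CA's remediation tool.  Assumption: the only
change made to an affected file was the appended ".AVB" suffix, as the
advisory states; file contents are untouched.
"""
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

QUARANTINE_SUFFIX = ".AVB"


def is_quarantined_name(name: str) -> bool:
    """True when a file name carries the appended suffix.  Matched
    case-insensitively, since NTFS is."""
    return (name.lower().endswith(QUARANTINE_SUFFIX.lower())
            and len(name) > len(QUARANTINE_SUFFIX))


def original_name(quarantined: Path) -> Optional[Path]:
    """Return the pre-quarantine path for a "*.AVB" file, or None otherwise."""
    if is_quarantined_name(quarantined.name):
        return quarantined.with_name(quarantined.name[: -len(QUARANTINE_SUFFIX)])
    return None


def find_quarantined(root: Path) -> List[Path]:
    """Every regular file below root whose name ends in the quarantine suffix."""
    return sorted(p for p in root.rglob("*") if p.is_file() and original_name(p) is not None)


def restore_tree(root: Path, dry_run: bool = True) -> Dict[str, List[str]]:
    """Rename each quarantined file back to its original name.

    A file is skipped (reported under "collision") when something already
    exists at the original name, so a reinstalled or hand-restored copy is
    never overwritten.  With dry_run=True nothing is renamed; the report shows
    what would happen.
    """
    report: Dict[str, List[str]] = {"restored": [], "collision": []}
    for quarantined in find_quarantined(root):
        target = original_name(quarantined)
        if target.exists():
            report["collision"].append(str(quarantined))
            continue
        if not dry_run:
            quarantined.rename(target)
        report["restored"].append(str(target))
    return report


def demo() -> Dict[str, object]:
    """Build a constructed sample tree in a temporary directory, run a real
    (non-dry-run) restore, and return the outcome for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sample = [
            "system32/calc.exe.AVB",    # constructed: quarantined system file
            "system32/msvcrt.dll.AVB",  # constructed: quarantined library
            "app/readme.txt",           # untouched file, must be ignored
            "app/notepad.exe",          # already restored by hand ...
            "app/notepad.exe.AVB",      # ... so this copy must not clobber it
        ]
        for rel in sample:
            path = root / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample content")
        report = restore_tree(root, dry_run=False)
        return {
            "restored": sorted(Path(p).name for p in report["restored"]),
            "collision": sorted(Path(p).name for p in report["collision"]),
            "avb_left": len(find_quarantined(root)),
            "calc_exists": (root / "system32" / "calc.exe").is_file(),
        }


if __name__ == "__main__":
    # Usage: python restore_avb.py <root> [--apply]   (dry run unless --apply)
    if len(sys.argv) < 2:
        print(demo())
    else:
        result = restore_tree(Path(sys.argv[1]), dry_run="--apply" not in sys.argv[2:])
        for category, items in result.items():
            for item in items:
                print(f"{category}: {item}")
```

Run it once without --apply to review the list, then with --apply. Anything reported as a collision deserves a look by hand: it means a file with the original name already exists (a reinstalled copy, or one restored through the GUI), and the script deliberately leaves both in place rather than guess which is current.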

Alert: CA Anti-Virus update for 7/9 causing problems (UPDATED 6pm EST US)

UPDATE: 6PM (EST US). CA has released a new update file for CA Anti-Virus that corrects the issues that occurred with the false positives. To update your system, just right-click on the shield icon in the systray (the icon next to the clock), and then left-click on Update Product. This will get you the updated files.

It is also recommended that you still verify that no files listed with the W32/Amalum infection are in quarantine. For a how-to, just follow the 7 steps below from the original post.

*********************************************

On Saturday 7/4, reports started that McAfee Anti-Virus was breaking PCs because of an Anti-Virus update that was quarantining Windows system files as viruses ( http://techgeekandmore.wordpress.com/2009/07/04/alert-if-your-a-mcafee-anti-virus-user-do-not-update-your-av-until-you-see-this/ ).

Well, it seems that someone else wasn’t paying attention. As of this morning I have received numerous reports from clients that their CA Anti-Virus is showing virus alerts for the W32/Amalum virus, and the files being reported appeared to be Windows system files. CA was quarantining those files as well. When this first started I assumed it was an isolated issue, but with client messages about this coming in more and more this morning, it definitely seems to be a widespread issue.


The issue appears to have been caused by an update that was released within the past 12 hours, as CA Anti-Virus is set up to check for updates every few hours if you have the auto-update feature turned on.

The biggest concern is that when these files are quarantined, if you reboot, there is a good chance that your machine will not restart. I have had 2 clients so far “brick” their PCs because of the restart. This point is made very clear when WFP (Windows File Protection) comes up saying that “Files that are required to run Windows properly have been replaced”. So far all reports (at least from the clients I deal with) show that CA Anti-Virus 2007 – 2009 are affected.

From the CA Forums ( http://homeofficeforum.ca.com/homeofficeforum/forumdisplay.php?f=12 and http://homeofficeforum.ca.com/homeofficeforum/showthread.php?t=4837 ) you will see many others also reporting the same issue.

Here are the instructions that I am passing on to my clients at this time.

1) Open CA Anti-Virus by double-clicking the shield-looking icon in the systray (in the lower right corner by the clock).

2) The Security Overview window will open. Under CA Anti-Virus you will see “Open advanced settings”. Click that link.

3) Once you are there you will see the main overview window. From here click on the left side where it says Quarantine.


4) You will then see the list of files that are quarantined. Look for any file marked infected with W32/Amalum (there is an additional part to the name after Amalum, but it will be different on most PCs). Highlight all items showing infected with Amalum and then click on Restore. NOTE: if you have another file in quarantine that shows something other than Amalum as the infection, then that is probably an actual virus infection (I will post info in a little while on clearing actual viruses). Once the files are restored you can close the CA window.

4A) You will be prompted to confirm that you want to restore. Click OK for each message.


5) At this point, with no files in quarantine, you should be able to hit Cancel on the WFP prompt.

6) You will be prompted about keeping changed files; click Yes to this message.

7) At this point restart PC.

CA appears to have acknowledged the issue and is supposed to be releasing updated definition files shortly. I will update again once I find out more.
