Aborted CA security update creates lots of confusion
August 19, 2009
A security update for the CA (Computer Associates) anti-virus software ran wild and created a huge amount of confusion early this morning. Known as the 33.3.7051 update, it labeled a large number of binaries (most of them .dll and .exe files, including some components of eTrust itself) as infected with something called Std.Win32.
The flagged files were sent off to the quarantine folder, resulting in many disabled computer systems that may be far from easy to recover.
CA immediately issued a statement saying that computer users are strongly advised to block the security update. Temporarily disabling on-access scanning, normally a bad idea, might also be worth considering.
"CA have got it so wrong with this update that the Anti-Virus is even renaming core elements of its own program directory. E-Trust could even be deemed a virus in itself," one security analyst notes.
"I had an interesting morning cleaning up after a signature update caused CA's eTrust ITM to detect components of MS Visual Studio and Incredibuild as being infected with the new virus. This seems a bit beyond the usual false positives AV firms sometimes throw out. So far I've had 962 detections and 18 of 'StdWin32'."
CA later issued a statement explaining that the false detections were due to an engine overhaul that had obviously gone wrong. Meanwhile, it said that it has developed a remediation tool.
CA then released a new updated anti-malware engine. This new release has resulted in false positive detections of a number of files. CA Threat Manager customers are the only customers being affected by this issue.
This is not a result of signature updates and does not impact CA consumer Internet security products, the company said...
Some observers reported that an updated definition called 34.0.6674 fixes the problem, but this remained unconfirmed at the time of writing, so computer users are urged to be vigilant.
To resolve the issue, CA has rolled back the new engine and re-released its previous antimalware engine. CA customer support representatives are on call to answer customer questions and to provide remediation support. A remediation tool to rename the quarantined files is now available through CA support and will soon be accessible online.
Understandably, CA is working fast to resolve this issue, and to assist any customers who have been affected, as well as to identify the root cause of the incident. "We apologize for this inconvenience and look forward to the roll out of our new antimalware engine, which will ultimately offer our customers many benefits including enhanced malware protection and improved performance," said a posting on the CA website.
The computer software company had similar problems with another eTrust update in July. That update falsely tagged important Windows system files as potentially malign before dispatching them into quarantine, rendering those systems useless or extremely slow at best.