F-Prot

Brian J Goggin · External Since: Oct 10, 2005 Posts: 9

I installed a new set of virus signature files for F-Prot at about
1.00am BST on 10 October 2005. My scheduled scan at 5.00am then
reported that it found thirteen files infected with "W32/Antinny.Q
(exact)". Foolishly, I had set it to delete infected files, so it has
(inter alia) deleted

C:\Program Files\Common Files\ACD Systems\PlugIns2\RealOptimizer.dat
C:\Program Files\Common Files\ACD Systems\PlugIns2\VBexplorer.ocx
C:\Program Files\Microsoft Office\Excel\OFFICE11\MSOWCW.DLL
C:\Program Files\Microsoft Office\Office10\WEBPAGE.DLL Infection:
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE Infection:
C:\Program Files\Thumbs6\Thumbs.sef Infection: W32/Antinny.Q (exact)
C:\WINDOWS\system32\comct332.ocx Infection: W32/Antinny.Q (exact)

I have reported this to F-Prot and am about to try to undo the damage.
It seems that an even newer version of the signature files is now
available.

bjg

Brian J Goggin · External Since: Oct 10, 2005 Posts: 9

On Mon, 10 Oct 2005 09:51:58 +0100, Brian J Goggin
<myinitialsATmyorganization.ie> wrote:

>I installed a new set of virus signature files for F-Prot at about
>1.00am BST on 10 October 2005. My scheduled scan at 5.00am then
>reported that it found thirteen files infected with "W32/Antinny.Q
>(exact)". Foolishly, I had set it to delete infected files, so it has
>(inter alia) deleted

[...]

I downloaded even newer definitions at about 10.00am BST and scanned a
folder from which F-Prot had been unable to delete "infected" files.
According to the latest definitions, those files are not "infected".

Memo to self: do not set F-Prot to delete files it can't disinfect.

Memo to chap who asked about the usefulness of quarantines: that's
why.

bjg

James Egan · External Since: Jan 19, 2006 Posts: 228

On Mon, 10 Oct 2005 10:25:36 +0100, Brian J Goggin
<myinitialsATmyorganization.ie> wrote:

>Memo to self: do not set F-Prot to delete files it can't disinfect.

It's a mistake you only make once. Actually, if it turns out to be a
real infection, it is better to restore from a backup (if available)
rather than disinfecting since the disinfection isn't always 100% back
to the original. Report only is the way to go. That's all av's not
just f-prot.

Jim.

Brian J Goggin · External Since: Oct 10, 2005 Posts: 9

On Mon, 10 Oct 2005 10:45:55 +0100, James Egan <jegan.TakeThisOut@jegan.com>
wrote:

>It's a mistake you only make once. Actually, if it turns out to be a
>real infection, it is better to restore from a backup (if available)
>rather than disinfecting since the disinfection isn't always 100% back
>to the original. Report only is the way to go. That's all av's not
>just f-prot.

Thankfully, I have backups, and original software. I've never had to
use them before!

bjg

Brian J Goggin · External Since: Oct 10, 2005 Posts: 9

On Mon, 10 Oct 2005 10:25:36 +0100, Brian J Goggin
<myinitialsATmyorganization.ie> wrote:

>I downloaded even newer definitions at about 10.00am BST and scanned a
>folder from which F-Prot had been unable to delete "infected" files.
>According to the latest definitions, those files are not "infected".

F-Prot has now confirmed that the earlier set of virus signature files
("released at 22:58 on 9 Oct 2005") caused problems by detecting false
positives, and that the later set ("released at 00:32 on 10 Oct 2005")
fixed the problem. They apologised for the inconvenience.

For anyone who lost MS Office files, they recomend running the
installation CD.

Happily, my backups worked: the feeling of smug virtue that overcame
me was wondrous to behold.

bjg

Virus Guy · External Since: Aug 05, 2005 Posts: 407

Brian J Goggin wrote:
> Thumbs.sef Infection: W32/Antinny.Q (exact)
> comct332.ocx Infection: W32/Antinny.Q (exact)

Infected with Anthony Quinn ?