
Immunet unable to quarantine locked files


This article contains some basic information on why Immunet Protect may fail to quarantine a file, and provides a couple of manual solutions.
Occasionally Immunet Protect may detect a malicious file but fail to quarantine it, as shown here:



In some instances Immunet will report the file as being successfully quarantined but won't actually remove the file from its original location. This same behavior has also been reported as Immunet detecting the same malicious file every time it's scanned. This usually occurs if the computer was already infected with a virus before Immunet was installed.

First, a little background on why this might be happening. When Windows runs a program, the file that contains that program, and any other files in use by that program, become "locked." This locking prevents the user and any other programs from moving or deleting the files while they're still in use. This typically occurs with DLL files but can occur with other file types too.

Immunet Protect handles this scenario by first scanning all the programs running in memory and stopping any known malicious ones. Once stopped, they can be quarantined.

The problem occurs when a non-malicious program is tricked into locking a malicious file. For example, consider the case where a user accidentally installs an Internet Explorer toolbar that contains a virus. In this case we have two files: the safe IE.exe file that runs Internet Explorer, and a vir_toolbar.dll file responsible for displaying the malicious toolbar inside of IE. If we run a scan in this scenario, vir_toolbar.dll will be detected as malicious; however, because IE.exe is running, is non-malicious, and is currently using (i.e. locking) vir_toolbar.dll, it can't be successfully quarantined.

While Immunet Protect will stop some non-malicious programs in order to unlock and quarantine viral files when possible, it is important to note that not all non-malicious programs can be stopped safely. For instance, consider the case where you're running a non-malicious copy of Microsoft Word that locks a malicious DLL file. In this case, stopping Word to clean the DLL might cause the user to lose any unsaved work.

Solution 1

The fastest and easiest way to get a virus removed is to call a professional! Virus removal can be tricky business and often the difference between a successful fix and having to do a full system format/restore/reinstall comes down to having someone with professional experience on your side.


Solution 2

If you are determined to skip professional help and want to try and remove the virus yourself, here is the general workflow: you need to figure out which program(s) are locking the file, stop them, and then re-scan.

1) Close all the running programs and tray icons you can.

2) Start Immunet Protect and run a full system scan. Once it completes, check the "quarantine" history:



and note the full paths to any files that failed to quarantine:



3) Download a copy of Process Explorer from http://download.sysinternals.com/files/ProcessExplorer.zip and extract it.

4) Start Process Explorer by running procexp.exe, then select Find -> File handle or DLL. Enter the file name of one of the files that failed to quarantine in step 2 and click Search:



The search window will take a few seconds and then display a list of all the processes using the file. If Process Explorer doesn't find anything, please see the caveat below*.

5) Now click on any of the results in the Process Explorer Search Window:



This will highlight the process in the main Process Explorer Window:



6) Note the process name, then click Process -> Kill Process Tree (or "Kill Process" if "Kill Process Tree" is unavailable). Don't kill "procexp.exe" as this will stop Process Explorer, or "iptray.exe" as this will stop Immunet Protect.

Beware: killing some processes may crash Windows. If this happens, restart from step 4, and don't kill that same process this time around*.



7) Repeat steps 5 and 6 until you have killed all the processes possible without killing procexp.exe, iptray.exe, or any processes that caused Windows crashes.

8) Now wait for a minute and watch for any of the malicious processes getting automatically restarted (i.e. repeat the search from step 4). If you find that a process has been restarted, continue with the next step anyway*.

9) At this point we have hopefully done enough to unlock the malicious file. Run a full system scan with Immunet and this time the malicious file should be successfully quarantined. Reboot.
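The same steps 4 through 8 can be scripted for the common case the article describes, a malicious DLL loaded into an otherwise harmless process. The PowerShell script below is an added example, not code from Immunet or Sysinternals. It assumes it is run from an elevated (Administrator) PowerShell on Windows and that you pass it the full path copied from Immunet's quarantine history; the file name in the usage line is a made-up placeholder. It lists every process that has the flagged file loaded as a module, refuses to touch procexp.exe, iptray.exe and core Windows processes, and only stops anything when you add -Kill.

```powershell
# Added example (not Immunet's or Sysinternals' code): find the processes that
# have a flagged file loaded, optionally stop them, then watch for respawns so
# a full Immunet rescan can quarantine the file. Run from an elevated PowerShell.
param(
    [Parameter(Mandatory = $true)][string]$FlaggedFile,   # full path from the quarantine history
    [switch]$Kill                                          # without -Kill the script only reports
)

# Never stop these: the article's two exclusions plus processes Windows cannot
# run without. Add your own (e.g. WINWORD) to avoid losing unsaved work.
$Protected = @('procexp', 'iptray', 'System', 'Idle', 'smss', 'csrss',
               'wininit', 'winlogon', 'services', 'lsass')

$target = [System.IO.Path]::GetFullPath($FlaggedFile)
$hits = @()

foreach ($p in Get-Process) {
    # Module lists of protected or 64-bit processes may be unreadable; skip them
    # quietly instead of aborting (Process Explorer greys these out too).
    $mods = Get-Process -Id $p.Id -Module -ErrorAction SilentlyContinue
    if ($null -eq $mods) { continue }
    # -eq on strings is case-insensitive in PowerShell, which matches NTFS paths.
    if (($mods | Where-Object { $_.FileName -eq $target }).Count -gt 0) {
        $hits += $p
    }
}

if ($hits.Count -eq 0) {
    # A plain open handle (a locked data file rather than a loaded DLL) does not
    # show up as a module; use Process Explorer's Find -> File handle or DLL for that.
    Write-Host "No running process has $target loaded as a module."
    return
}

Write-Host "Processes holding $target :"
$hits | Select-Object Id, ProcessName, Path | Format-Table -AutoSize

foreach ($p in $hits) {
    if ($Protected -contains $p.ProcessName) {
        Write-Warning "Skipping protected process $($p.ProcessName) (PID $($p.Id))"
        continue
    }
    if ($Kill) {
        # taskkill /T ends the whole tree, like Process Explorer's "Kill Process
        # Tree"; /F forces termination of processes that ignore a normal close.
        Write-Host "Killing process tree of $($p.ProcessName) (PID $($p.Id))"
        & taskkill.exe /PID $p.Id /T /F | Out-Null
    }
}

if ($Kill) {
    # Step 8 of the article: wait a minute, then see whether anything restarted
    # the killed processes. A respawn points at a watchdog the caveat describes.
    Start-Sleep -Seconds 60
    $names = @($hits | ForEach-Object { $_.ProcessName })
    $respawned = Get-Process | Where-Object { $names -contains $_.ProcessName }
    if ($respawned) {
        Write-Warning ("Restarted after kill: " + (($respawned | ForEach-Object { $_.ProcessName }) -join ', '))
    } else {
        Write-Host "Nothing respawned. Run a full Immunet scan now, then reboot."
    }
}
```

Save it as, for example, Find-LockingProcess.ps1 and first run `.\Find-LockingProcess.ps1 -FlaggedFile 'C:\Program Files\Example\vir_toolbar.dll'` to see the report; add `-Kill` only once you have checked the list against the article's warning about processes that may crash Windows. The module check covers the DLL-in-a-good-process scenario from the background section; for a file that is merely held open rather than loaded, fall back to the Process Explorer search in step 4.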


Caveat*

Unfortunately there are viruses clever enough that Process Explorer's search can't find them, can't kill them, or can't kill them without crashing Windows. These are particularly nasty viruses and fixing them is beyond the scope of this document. The best we can do is offer you some general tips on where to go from here:
- Try the general malware removal instructions found here
- Refer back to Solution 1.



