Threat detected, quarantined failed


docboy

Just saw a few of these messages pop up this morning on the server: "Threat detected, quarantined failed."  All "threat files" are *.tmp files and are located in the Windows\Temp folder.

Some files are quarantined and then I deleted them within Immunet.

Some files were not able to be quarantined, and I was not able to delete them within Immunet. I tried to physically search for the suspicious files on the server, but could not find them.  Any suggestions on what is causing these suspicious tmp files to pop up?

FWIW, the latest Windows update to Server 2012 R2 was installed recently. Not sure if this update is of any relevance.


Hi docboy,

Almost always, when Immunet fails to successfully quarantine a file it is because it is a 'temp file' that no longer exists. It has been deleted either by the program that created it when it closed or by Windows itself if it was using that .tmp file directory.

I doubt that this issue has anything to do with the recent Windows update you received unless it was (Heaven forbid!) the update files being quarantined. Yikes!!

The files that got quarantined, what is the detection name and what program was responsible for the quarantine responses?  

Regards, Ritchie...


Hi Ritchie,

I'm not sure what program was responsible.  I would post a pic, but the image size is too big. The message says:

Event Type: Quarantine Failed

Detection Name: Clam.Win.Malware.Generic-9886394-0

File Path: C:\Windows\Temp\WA******.tmp

Odd that some "affected" *.tmp files I can delete and some *.tmp I cannot.  Any ideas where these files are coming from and are they legitimate threats?

Thanks,

Docboy


Mmm. 

Yes, I agree it is strange that some .tmp files got quarantined and some not! That is unusual behavior for Immunet.

Since this is a ClamAV detection I would suggest that you contact the devs at ClamAV regarding this issue.

Here's a URL link that will take you to their malicious/suspicious file reporting segment of their site. https://www.clamav.net/reports/malware


Thanks. I submitted a report.  I didn't have a malware file to upload, so I just uploaded an image of the "threat" message.

Link to comment
Share on other sites

Great!

Since whatever program is instigating this is just using the Windows .tmp file directory, that is cause for concern if you can't see the file path to the actual program. It could be encrypted, which most malware is these days.

Have you checked Task Manager to see if you have any suspicious/unknown services running?


I am not at the office now, but will check Task Manager tomorrow morning when I go in.

Another user posted this some time ago:

Not sure if the above user had solved his/her issue.

How do I check to see what program the wa*.tmp files that I'm getting are associated with?  Not sure where else to click on the file history.  Any chance these files can be false positives?

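One way to answer the question above about which program is producing the WA*.tmp files (an added example, not code from this thread, from Immunet or from ClamAV): a PowerShell watcher that logs every WA*.tmp creation and deletion in C:\Windows\Temp together with the file owner and the processes that started shortly before. The log path and the 60-second window are assumed values.

```powershell
# Added example (not from this thread): watch C:\Windows\Temp for WA*.tmp
# files and record, for each one, when it appeared, who owns it, and which
# processes started shortly before. Assumes Windows PowerShell 4+ on
# Server 2012 R2 run as Administrator; the log path is an assumed value.
$TempDir = 'C:\Windows\Temp'
$LogFile = 'C:\ProgramData\wa-tmp-watch.log'   # assumed; change as needed

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $TempDir
$watcher.Filter                = 'WA*.tmp'
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents   = $true

$onCreated = {
    $path = $Event.SourceEventArgs.FullPath
    $when = Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff'
    # Temp files like these are often deleted within seconds, so read the
    # owner immediately; a failure means the file was already gone.
    try   { $owner = (Get-Acl -LiteralPath $path -ErrorAction Stop).Owner }
    catch { $owner = '(already deleted)' }
    # Heuristic only: processes started in the last 60 s are candidates for
    # the creator. StartTime is unreadable for some system processes, hence
    # the try/catch inside the filter.
    $cutoff = (Get-Date).AddSeconds(-60)
    $recent = Get-Process | Where-Object {
        try { $_.StartTime -gt $cutoff } catch { $false }
    } | ForEach-Object { "$($_.Id):$($_.ProcessName)" }
    "$when CREATED $path owner=$owner recentProcs=[$($recent -join ',')]" |
        Out-File -FilePath $Event.MessageData -Append -Encoding utf8
}

$onDeleted = {
    $when = Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff'
    "$when DELETED $($Event.SourceEventArgs.FullPath)" |
        Out-File -FilePath $Event.MessageData -Append -Encoding utf8
}

Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier 'WaTmpCreated' -Action $onCreated -MessageData $LogFile
Register-ObjectEvent -InputObject $watcher -EventName Deleted `
    -SourceIdentifier 'WaTmpDeleted' -Action $onDeleted -MessageData $LogFile

# Leave the session open (the handlers run in the background); review with:
#   Get-Content $LogFile -Tail 20
# and stop the watcher with:
#   Unregister-Event -SourceIdentifier WaTmpCreated, WaTmpDeleted
```

The timestamps in the log can be matched against Task Scheduler history for the 3:30am window mentioned later in the thread. For definitive attribution of the creating process, enable object-access auditing on the folder (Security event ID 4663) or Sysmon FileCreate events (event ID 11), both of which record the process image name.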

Unfortunately I'm not an expert with Windows Server 2012 but I still would check Task Manager just to weigh on the side of caution.

You are possibly right there though, this could be just a FP.  Hopefully the crew at ClamAV will get back to you in a timely manner with an explanation. 


Will do. I'll check tomorrow and see what's in Task Manager, and report back. I'll try and post a pic if possible.

I don't recall downloading any applications on the server recently, and the server is not used to check emails, so hoping it's a false positive.


2 minutes ago, ritchie58 said:

Cool, you got an image uploaded!

Ok, WAX files are most commonly used by Windows Media Player & a few other media players. https://file.org/extension/wax

Any reason you can think of that some of these files are being seen as possibly malicious?


I honestly don't know why these files popped up.  Error messages showed up suddenly this morning on the server around 3:30am per Immunet.  I checked the Windows\Temp folder and could not find any files starting with WA*.tmp.  Weird.

I haven't used the Media Player on the server before.  Perhaps I should locate Media Player on the server and delete it?


7 minutes ago, ritchie58 said:

Wow! This is increasingly becoming more strange!

As someone who is into cyber security, do you allow Administrator access to anyone else, either remotely or in person, on this platform?

No one else has remote access to the server, except the workstations at the office that communicate with the server by accessing 3 major programs installed on the server, that's it.  Only I have direct access to the server.

2 weeks ago an IT tech logged into the server with my permission via a remote program I downloaded. Can't remember the exact name.  You think this program is involved?  Other than this program that allowed remote access for a 1-hour session, which the tech has of course logged out from 2 weeks ago, I haven't installed any other program.  I did update Firefox on the server recently fwiw.
