docboy Posted August 16, 2021 (edited)

Just saw a few of these messages pop up this morning on the server: "Threat detected, quarantine failed." All "threat files" are *.tmp files and are located in the Windows\Temp folder. Some files were quarantined and then I deleted them within Immunet. Some files were not able to be quarantined, and I was not able to delete them within Immunet. I tried to physically search for the suspicious files on the server, but could not find them. Any suggestions on what is causing these suspicious tmp files to pop up? FWIW, the latest Windows update to Server 2012 R2 was installed recently. Not sure if this update is of any relevance.

Edited August 16, 2021 by docboy
ritchie58 Posted August 17, 2021

Hi docboy, almost always when Immunet fails to successfully quarantine a file, it is because it is a 'temp file' that no longer exists. It has been deleted either by the program that created it when it closed or by Windows itself if it was using that .tmp file directory. I doubt that this issue has anything to do with the recent Windows update you received unless it was (Heaven forbid!) the update files being quarantined. Yikes!! The files that got quarantined, what is the detection name and what program was responsible for the quarantine responses?

Regards, Ritchie...
docboy Posted August 17, 2021 (edited)

32 minutes ago, ritchie58 said: Hi docboy, almost always when Immunet fails to successfully quarantine a file, it is because it is a 'temp file' that no longer exists. It has been deleted either by the program that created it or by Windows itself if it was using that .tmp file directory. I doubt that this issue has anything to do with the recent Windows update you received unless it was (Heaven forbid!) the update files being quarantined. The files that got quarantined, what is the detection name and what program was responsible for the quarantine responses? Regards, Ritchie...

Hi Ritchie, I'm not sure what program was responsible. I would post a pic, but the image size is too big. The message says:

Event Type: Quarantine Failed
Detection Name: Clam.Win.Malware.Generic-9886394-0
File Path: C:\Windows\Temp\WA******.tmp

Odd that some "affected" *.tmp files I can delete and some *.tmp I cannot. Any ideas where these files are coming from and whether they are legitimate threats?

Thanks, Docboy

Edited August 17, 2021 by docboy
ritchie58 Posted August 17, 2021

Mmm. Yes, I agree it is strange that some .tmp files got quarantined and some not! That is unusual behavior for Immunet. Since this is a ClamAV detection I would suggest that you contact the devs at ClamAV regarding this issue. Here's a URL link that will take you to their malicious/suspicious file reporting segment of their site. https://www.clamav.net/reports/malware
docboy Posted August 17, 2021

7 minutes ago, ritchie58 said: Mmm. Yes, I agree it is strange that some .tmp files got quarantined and some not! Since this is a ClamAV detection I would suggest that you contact the devs at ClamAV regarding this issue. Here's a URL link that will take you to their malicious/suspicious file reporting segment of their site. https://www.clamav.net/reports/malware

Thanks. I submitted a report. I didn't have a malware file to upload, so I just uploaded an image of the "threat" message.
ritchie58 Posted August 17, 2021

Great! Since whatever program is instigating this is just using the Windows .tmp file directory, that is cause for concern if you can't see the file path to the actual program. It could be encrypted, which most malware uses these days. Have you checked Task Manager to see if you have any suspicious/unknown services running?
docboy Posted August 17, 2021

5 minutes ago, ritchie58 said: Great! Since whatever program is instigating this is just using the Windows .tmp file directory, that is cause for concern if you can't see the file path to the actual program. It could be encrypted, which most malware uses these days. Have you checked Task Manager to see if you have any suspicious/unknown services running?

I am not at the office now, but will check Task Manager tomorrow morning when I go in. Another user posted this some time ago:

Not sure if the above user had solved his/her issue. How do I check to see what program the wa*.tmp files that I'm getting are associated with? Not sure where else to click on the file history. Any chance these files can be false positives?
ritchie58 Posted August 17, 2021

Unfortunately I'm not an expert with Windows Server 2012, but I still would check Task Manager just to weigh on the side of caution. You are possibly right there though, this could be just a FP. Hopefully the crew at ClamAV will get back to you in a timely manner with an explanation.
docboy Posted August 17, 2021

3 minutes ago, ritchie58 said: Unfortunately I'm not an expert with Windows Server 2012, but I still would check Task Manager just to weigh on the side of caution. You are possibly right there though, this could be just a FP. Hopefully the crew at ClamAV will get back to you in a timely manner with an explanation.

Will do. I'll check tomorrow and see what's in Task Manager, and report back. I'll try and post a pic if possible. I don't recall downloading any applications on the server recently, and the server is not used to check emails, so hoping it's a false positive.
docboy Posted August 17, 2021 (edited)

Finally able to post a pic of the event messages: @ritchie58

Edited August 17, 2021 by docboy
ritchie58 Posted August 17, 2021

Cool, you got an image uploaded! Ok, WAX files are most commonly used by Windows Media Player & a few other media players. https://file.org/extension/wax Any reason you can think of that some of these files are being seen as possibly malicious?
docboy Posted August 17, 2021

2 minutes ago, ritchie58 said: Cool, you got an image uploaded! Ok, WAX files are most commonly used by Windows Media Player & a few other media players. https://file.org/extension/wax Any reason you can think of that some of these files are being seen as possibly malicious?

I honestly don't know why these files popped up. Error messages showed up suddenly this morning on the server around 3:30am per Immunet. I checked the Windows\Temp folder and could not find any files starting with WA*.tmp. Weird. I haven't used the Media Player on the server before. Perhaps I should locate Media Player on the server and delete it?
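Two questions in the thread so far are really the same triage problem: which program is writing the WA*.tmp files (the Task Manager suggestion above), and why the files cannot be found afterwards. The script below is an added example for this thread; it is not from Immunet, ClamAV or either poster. It assumes Windows PowerShell 4 or later on Server 2012 R2 and an elevated prompt. Only the C:\Windows\Temp folder and the WA*.tmp pattern come from the posts; the function name, the log file location and the 15-second correlation window are the example's own choices.

```powershell
# Added triage helper for the WA*.tmp quarantine failures discussed in this thread.
# Assumptions: Windows PowerShell 4+ (Server 2012 R2), run from an elevated prompt.
$tempDir = Join-Path $env:SystemRoot 'Temp'   # folder named in the thread
$pattern = 'WA*.tmp'                           # file pattern named in the thread

# --- 1. Are the flagged files still there? --------------------------------------
# -Force includes hidden and system files that Explorer hides by default. Temp files are
# often deleted by their creator within seconds, which is why a quarantine can fail on a
# file that no longer exists and why a later manual search finds nothing.
Write-Host "== Current $pattern files in $tempDir =="
Get-ChildItem -Path $tempDir -Filter $pattern -Force -ErrorAction SilentlyContinue |
    Select-Object Name, Length, CreationTime, LastWriteTime, Attributes |
    Format-Table -AutoSize

# --- 2. Which services run a binary that is not Microsoft-signed? ---------------
# A more objective pass than eyeballing Task Manager. A non-Microsoft signer is not
# automatically bad (a remote-support tool would show up here too), but this is the
# short list worth verifying one by one.
function Get-NonMicrosoftService {
    Get-CimInstance Win32_Service | ForEach-Object {
        # PathName may be quoted and may carry arguments; keep only the .exe path.
        $m = [regex]::Match($_.PathName, '^"?(.+?\.exe)', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe = $m.Groups[1].Value
        if (-not (Test-Path $exe)) { return }
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($sig.Status -ne 'Valid' -or $signer -notmatch 'O=Microsoft Corporation') {
            [pscustomobject]@{
                Service   = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                Path      = $exe
                SigStatus = $sig.Status
                Signer    = $signer
            }
        }
    }
}
Write-Host "== Services whose binary is not validly Microsoft-signed =="
Get-NonMicrosoftService | Sort-Object State | Format-Table -AutoSize

# --- 3. Catch the next WA*.tmp the moment it is created ---------------------------
# The detections were reported around 03:30, so leave this running across that window.
# Each creation is logged together with the processes that started in the preceding
# 15 seconds. That correlation is a heuristic (assumption: the creator is a recently
# started process), not proof, but it usually narrows the search to a few candidates.
$log = Join-Path $env:USERPROFILE 'wa-tmp-watch.log'   # example's own log location
$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $tempDir, $pattern
$watcher.IncludeSubdirectories = $false
$watcher.EnableRaisingEvents   = $true
$null = Register-ObjectEvent -InputObject $watcher -EventName Created `
    -SourceIdentifier WaTmpCreated -MessageData $log -Action {
    $since  = (Get-Date).AddSeconds(-15)
    $recent = foreach ($p in Get-Process) {
        # StartTime/Path throw for protected processes; skip those rather than abort.
        try { if ($p.StartTime -gt $since) { "$($p.Id):$($p.ProcessName):$($p.Path)" } } catch { }
    }
    $line = "{0:s}  created {1}  recent-procs=[{2}]" -f (Get-Date),
            $Event.SourceEventArgs.FullPath, ($recent -join '; ')
    Add-Content -Path $Event.MessageData -Value $line
}
Write-Host "Watching $tempDir for $pattern; events are appended to $log"
Write-Host "Stop with: Unregister-Event -SourceIdentifier WaTmpCreated"
```

Step 1 answers the "could not find them" question (a temp file that its creator already removed simply is not there to quarantine); step 2 replaces a visual Task Manager scan with a signed-binary check; step 3 is the part to leave running overnight so that the next detection comes with a candidate process next to it. The watcher session must stay open for the event subscription to keep firing.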
ritchie58 Posted August 17, 2021

Wow! This is increasingly becoming more strange! Do you allow Administrator access to anyone else, either remotely or in person, to this platform?
docboy Posted August 17, 2021 (edited)

7 minutes ago, ritchie58 said: Wow! This is increasingly becoming more strange! As someone who is into cyber security, do you allow Administrator access to anyone else, either remotely or in person, to this platform?

No one else has remote access to the server, except the workstations at the office that communicate with the server by accessing 3 major programs installed on the server, that's it. Only I have direct access to the server. 2 weeks ago an IT tech logged into the server with my permission via a remote program I downloaded. Can't remember the exact name. You think this program is involved? Other than this program that allowed remote access for a 1-hour session, which the tech has of course logged out from 2 weeks ago, I haven't installed any other program. I did update Firefox on the server recently fwiw.

Edited August 17, 2021 by docboy
ritchie58 Posted August 17, 2021

Not a bad idea to change your login credentials, dude!
Robert G. Posted August 17, 2021 (edited)

Actually, it's best if you change your passwords on a regular basis, "especially with the most frequently used sites", to avoid hackers accessing sensitive data if the site does get hacked.

Edited August 17, 2021 by Robert G.