grahamperrin

Gen:Trojan.Heur Maybe Quarantined During Installation Of KB915597

Running Immunet Plus 2.0.15.12 alongside (unsupported) Sophos Endpoint Security and Control 9.

 

Booting from C: with Windows XP Professional Service Pack 3.

 

(D: has outdated Windows Vista Enterprise but I rarely boot from that volume.)

 

Following boot and log on to XP, a yellow shield signified an automated Microsoft Update. The shield disappeared after maybe 9% download complete, which made me suspicious.

 

The machine seemed to be slower than usual (blue shield for Sophos didn't appear in good time, and I don't recall seeing the Immunet Protect icon in the tray) so I opted to (a) log out or (b) restart the OS (I can't remember which I did, sorry).

 

Following log on to XP, Immunet Protect alerted me to quarantine of

Gen:Trojan.Heur.wf@@YEnq1Lki

relating to a file in a subdirectory of D:

 

Looking at history in Immunet Protect, I wasn't immediately convinced so I ran Microsoft Update, found and installed a definition update for Windows Defender http://support.microsoft.com/kb/915597/en-gb (note, however, that Windows Defender is not enabled).

 

I see nearby http://forum.immunet.com/index.php?/topic/313-false-positive-updating-windows-defender/

False Positive Updating Windows Defender

 

http://www.google.co.uk/search?q=%22Gen:Trojan.Heur.wf@@YEnq1Lki%22 finds nothing but

http://www.google.co.uk/search?q=%22Gen:Trojan.Heur%22 finds topics in a BitDefender forum.

 

Might this be a false positive involving TETRA?

 

Screen shots attached.

 

Whether the quarantined file, which has a .temp suffix to its name, is still on disk, I don't know …


 

Directory

D:\02e0b937bd0f64969d1a0c

no longer exists, sorry … but configuration on this machine is currently to send files to the cloud, so maybe you have it there already.


 

 

It was a detect in the Tetra engine, and a false one. It's fixed now. Thanks Graham and thanks to the other user who mailed me directly.

 

Best,

al
