
SANS ISC InfoSec Handlers Diary Blog



CA eTrust Antivirus [was] flagging lsass.e x e

Published: 2006-09-01
Last Updated: 2006-09-04 18:59:57 UTC
by Joel Esler (Version: 3)
Reader Alan writes in to tell us that apparently "an overnight signature update to the VET engine (30.3.3054) on CA eTrust Antivirus has begun to flag the LSASS.E X E service of Windows 2003 server as being infected with Win32/Lassrv.B."

"Some Win2k3 servers have been failing and unable to re-boot, since the service (exe) was removed by the virus software.

CA has released an update to VET (30.3.3056) that seems to have corrected the problem, but in some cases the damage has already been done."

It seems that CA accidentally flagged Lsass.e x e as a bad file. This is reminiscent of the McAfee .xls debacle of not too long ago.

Updates:
  • Mark Wade from CA wrote in with the link to the information CA has made public about this on their support site.
  • One of our regular readers pointed us to the TechNet blog on SBS for more recovery information.

----------------
Joel Esler
jesler{at}isc.sans.org
Keywords: ca etrust fp lsass