
CA Antivirus Deletes Windows 2003 File – Fix

Details are below, and most importantly so is the fix from CA.

==

Some Windows 2003 users have been experiencing problems with the operating system after CA antivirus software wrongly detected part of the operating system as malicious software last week.

At the heart of the problem is part of Windows’ built-in security, a file called Lsass.exe. This was wrongly detected as a virus by CA’s eTrust software and

The cause of the confusion seems to be Lsass.exe being mistaken for the Trojan Win32/Lassrv.B.

Lassrv.B was discovered in the wild on Aug. 24 and was rated as a very low threat. The problem for Windows 2003 and eTrust users occurred in a subsequent signature update from CA on Friday.

==

The Fix is Here:

Details are also below, from CA:

Document ID:

TEC405236


Technical Document

Title: Why is my server crashing after I get a detection on the Win32/Lassrv.B virus?

There are issues with a malware sample and Vet DAT signature 30.3.3054. The realtime/scheduled scan policies need to be temporarily switched to the Inoculate engine and the signatures updated on the machines. As of September 01, 2006, Vet signature 30.3.3056 will address this; please download the updates.

If the server is down and cannot boot in Safe Mode, the following may need to be done to get it back up to a working state.

  1. Perform a web search on “NTFS boot floppy” (http://www.ntfs.com/boot-disk.htm).
  2. Boot the server from the floppy disk you created in step 1.
  3. Copy a known-good lsass.exe (one matching the installed service pack level) into the system32 folder.
  4. Boot into safe mode.
  5. Start -> Run -> regedit.
     Open HKLM\Software\ComputerAssociates\CurrentVersion\InternalSettings.
     Set RPCThreadContext to 0 so the local machine’s policies can be changed.
  6. Change the realtime settings to the Inoculate engine.
  7. Boot into normal mode.
  8. If the eTrust Admin server is one of the servers affected by this, make sure to change the policies and push them to the other machines so when they are brought back up they are not forced to use Vet and the affected signature.
  9. Perform an update now on the signatures.
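The following PowerShell script is added here as an example; it is not part of CA's document or of the original post. It automates steps 3 and 5 of the procedure above when run from Safe Mode as an administrator, and makes the checks a practitioner would want: it looks for a known-good lsass.exe before copying anything, backs up the eTrust registry key before changing it, and verifies the value afterwards. It assumes PowerShell is installed on the server (PowerShell 1.0 supports Windows Server 2003), that the registry path is HKLM\Software\ComputerAssociates\CurrentVersion\InternalSettings, and that a trustworthy lsass.exe can be found in the Windows File Protection cache (system32\dllcache) or the service pack file cache (ServicePackFiles\i386); the -LsassSource parameter is hypothetical and lets you point at a copy taken from installation media or from a healthy server at the same service pack level instead. Switching the real-time scan engine to Inoculate (step 6) is still done in the eTrust console; the script does not guess at those settings.

```powershell
# Added example (not CA's or SADA's script): automates steps 3 and 5 of the
# CA procedure from Safe Mode. Run as an administrator.
# Assumptions not stated on the page: the registry path below, and the two
# candidate locations for a known-good lsass.exe (WFP cache and service pack
# cache). Any copy used must match the installed service pack level.

param(
    # Hypothetical parameter: explicit path to a known-good lsass.exe
    # (install media or a healthy server at the same service pack level).
    [string]$LsassSource = ''
)

$ErrorActionPreference = 'Stop'
$system32 = Join-Path $env:SystemRoot 'System32'
$target   = Join-Path $system32 'lsass.exe'
$regKey   = 'HKLM\Software\ComputerAssociates\CurrentVersion\InternalSettings'
$regPath  = 'HKLM:\Software\ComputerAssociates\CurrentVersion\InternalSettings'

# --- Step 3: restore lsass.exe if the scanner removed it ---------------------
if (Test-Path $target) {
    Write-Host "lsass.exe already present: $target"
} else {
    $candidates = @()
    if ($LsassSource) { $candidates += $LsassSource }
    $candidates += Join-Path $system32 'dllcache\lsass.exe'                     # WFP cache (assumed)
    $candidates += Join-Path $env:SystemRoot 'ServicePackFiles\i386\lsass.exe'  # SP cache (assumed)

    $source = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $source) {
        throw "No lsass.exe found in: $($candidates -join ', '). Supply -LsassSource."
    }
    $ver = (Get-Item $source).VersionInfo.FileVersion
    Write-Host ("Restoring lsass.exe from {0} (file version {1})" -f $source, $ver)
    Copy-Item $source $target
}

# --- Step 5: allow local policy edits (RPCThreadContext = 0) -----------------
if (-not (Test-Path $regPath)) {
    throw "eTrust key not found: $regPath (is eTrust installed on this machine?)"
}

# Export the key first so the change can be reverted with 'reg import'.
$backup = Join-Path $env:TEMP 'eTrust-InternalSettings.reg'
if (Test-Path $backup) { Remove-Item $backup }
& reg.exe export $regKey $backup
if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $regKey failed" }

$before = (Get-ItemProperty -Path $regPath).RPCThreadContext
Write-Host "RPCThreadContext before: $before"
Set-ItemProperty -Path $regPath -Name 'RPCThreadContext' -Value 0 -Type DWord

$after = (Get-ItemProperty -Path $regPath).RPCThreadContext
if ($after -ne 0) { throw "Failed to set RPCThreadContext (value is now $after)" }
Write-Host "RPCThreadContext set to 0; key backup written to $backup"
Write-Host "Next: in eTrust, switch the realtime engine to Inoculate (step 6), then reboot normally (step 7)."
```

Run it from an elevated prompt in Safe Mode, for example `.\Fix-Lsass.ps1 -LsassSource D:\i386\lsass.exe` if you are supplying the file from media; without the parameter it falls back to the two cache locations. Keep the exported .reg file until the corrected Vet signature (30.3.3056 or later) has been pulled down and the policy switched back.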