OneCare backup file causing virus alert on server

  • Question

  • After my upgrade to Windows Live OneCare 2.0, one of the 2 Vista PCs I have began failing its scheduled backup.  The backup would begin and after a while I would get a "Backup cannot continue" dialog.  I am currently backing up to a share on a W2k3 R2 server and was not having any problems prior to the upgrade.
    Checking the server logs, I found that my server virus scanning software (McAfee VirusScan Enterprise 8.0.0) is blocking some backup files with the following message:
    1/16/2008 8:11:54 PM Moved (Clean failed)  MISSDEES3\home System:Remote D:\Backup\Windows OneCare Backup\MISSDEES4\2008\Files\Part 25.ZIP\PART 25.ZIP Exploit-ByteVerify (Trojan) 192.168.0.54
    I have done a complete scan of the problem Vista system and OneCare found no viruses.  Is there something in the format of the backup files that could be causing an issue with my server VirusScan?
    Thursday, January 17, 2008 5:44 AM

Answers

  • Thanks for your help on this.  I did a full scan with Kaspersky and found no other files with problems.  I have sent the offending file off to Microsoft.  I removed the file from my system and restarted a full backup.  The backup completed successfully.
    Gene

    Thursday, January 17, 2008 7:58 PM

All replies

  • I've moved your post to the Antivirus section as it would appear that the failure is due to OneCare missing an infection or a false detection by McAfee on the destination box.

    I'd work backwards and see if you can recover the quarantined zip file from the server and verify the infection with McAfee support and also through the Antimalware reporting path - http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=662566&SiteID=2

    You may also want to consider scanning your PC where OneCare resides with one of the free online scanners and if anything is found, contact OneCare support.

    If you are able to recover the Part25.zip file, you should be able to open it to view the source files to see what files from your local PC should be looked at closely, too.

    -steve
    Thursday, January 17, 2008 1:43 PM
    Moderator
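    The moderator's suggestion above is to inspect the recovered archive without running anything inside it. The following Python script is an added illustration of that workflow and is not part of the original thread, nor code from OneCare, McAfee or Kaspersky. It builds a small constructed stand-in for the quarantined "Part 25.ZIP" in memory (the member names are made up, modelled on the Java deployment-cache path reported later in the thread), lists every member with its size and CRC without extracting it, flags members whose extension suggests executable content, and computes the SHA-256 of the whole archive so the file can be referenced unambiguously when submitting it to a vendor.

```python
import hashlib
import io
import zipfile

# Constructed sample archive standing in for the quarantined backup part.
# Member names and contents are invented for illustration only.
def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Users/home/Documents/notes.txt", "plain text, nothing odd\n")
        # A Java class file starts with the magic bytes CA FE BA BE; the rest is filler.
        zf.writestr(
            "Users/home/AppData/LocalLow/Sun/Java/Deployment/cache/6.0/27/BaaaaBaa.class",
            b"\xca\xfe\xba\xbe" + b"\x00" * 16,
        )
    return buf.getvalue()

# Extensions that warrant a closer look when found inside a backup archive.
SUSPECT_SUFFIXES = (".class", ".jar", ".exe", ".dll", ".scr")

def inventory(archive_bytes: bytes) -> list:
    """Return one record per member, read from the central directory only.

    Nothing is extracted to disk and no member content is executed, so the
    archive can be examined safely on the analysis machine.
    """
    entries = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            entries.append({
                "name": info.filename,
                "size": info.file_size,
                "compressed": info.compress_size,
                "crc32": f"{info.CRC:08x}",
                "suspect": info.filename.lower().endswith(SUSPECT_SUFFIXES),
            })
    return entries

def suspect_members(archive_bytes: bytes) -> list:
    """Names of members whose extension is on the watch list."""
    return [e["name"] for e in inventory(archive_bytes) if e["suspect"]]

def sha256_hex(data: bytes) -> str:
    """Hash of the whole archive, for the vendor-submission record."""
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    archive = build_sample_archive()
    print("SHA-256:", sha256_hex(archive))
    for e in inventory(archive):
        flag = "  <-- review" if e["suspect"] else ""
        print(f"{e['size']:>8} {e['crc32']} {e['name']}{flag}")
```

    The point of reading only the central directory is that it tells you which source files on the PC fed the flagged archive part, which is exactly what the moderator wants to know, while keeping the content inert. On a real quarantined file, run the script against the archive bytes read from disk instead of the constructed sample.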
  • On your advice I did the following to try and isolate the problem:
    1.  I was able to find the Part25.zip file on the server which McAfee had quarantined.  I was not able to open it since McAfee OnDemand scan repeatedly tagged it as infected.  I am reluctant to turn off the scanner.
    2.  I was able to open Part24.zip and saw what the last clean files were before the failure so I could focus my attention.
    3.  I downloaded and installed a trial of Kaspersky Anti-Virus.  A scan on the focused area detected the following problems:
    detected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\home\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\63f76a5b-635943c7/BaaaaBaa.class

    detected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\home\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\63f76a5b-635943c7/VaaaaaaaBaa.class

    detected: Trojan program Trojan.Java.ClassLoader.ao File: C:\Users\home\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\27\63f76a5b-635943c7/Baaaaa.class

    I will go ahead and do a complete system scan with Kaspersky to see if any other problems are detected.  OneCare may be missing something since both Kaspersky and McAfee have detected viruses.
    Thursday, January 17, 2008 3:19 PM
  • I would not turn off the scanner on the server, but can you release the zip file from quarantine and copy it back to the PC that we suspect is infected? The infection is contained in the zip file, so it is harmless. Once it is off the server, you can open, but not execute anything found within it, and you can submit the file to Microsoft.

    It does appear that there's something in your Java cache that is suspect, based on the Kaspersky scan. I'm sorry that the infected files were apparently missed by OneCare, but submitting the zip will be helpful in getting the signatures updated.
    -steve

    Thursday, January 17, 2008 6:17 PM
    Moderator
  • Excellent. Thanks very much for your work on this and for submitting the files.

    -steve
    Friday, January 18, 2008 1:59 AM
    Moderator