Pablo Espinosa

Trend Micro warning when VIPM checks network


Dear JKI Administrator,

For years I have not only used your VIPM, but also recommended it throughout my organization. I believe your libraries provide great support for developers, and that is precisely why I’d like to express the following concern.

As specified in this post, I have tried many things to solve a “security issue” that has blocked me (and anyone in my company, for the last few days) from accessing the JKI libraries, and apparently we have found the problem: with the aid of my IT team, we found that either the location or the libraries themselves contain a virus, and that’s why my very strict IT policy is blocking the mirrors and/or library files.

We managed to plug one of the computers using VIPM directly into the web (bypassing my company’s network), and when VIPM started downloading the libraries, the antivirus application on that PC detected the incidents depicted in the attached log file image.

In fact, these are the malicious executable files the antivirus found:

http://threatinfo.trendmicro.com/vinfo/vir...PAK_Generic.001

http://threatinfo.trendmicro.com/vinfo/vir...ORM_SLENFBOT.BR

I’m not an expert, but if these files found in the libraries are not viruses, they certainly seem like them. Is there anything that can be done to solve this?

Best regards,

(attached image: post-2836-1264264825.jpg)


Hi Pablo,

Yes, that Trend Micro report looks scary.

I'm no security expert either, but I have some possible ideas (shown below in the order that I estimate their probability):

1) Most Likely. It could be that the Trend Micro Internet security software is being over-protective and is falsely identifying something in one of the packages as a virus. I see that

2) Next Likely. There could be an infection on the computer where VIPM is installed and it only seems that VIPM is the problem.

3) Next Likely. The VIPM exe you are using is somehow infected with a virus exe stub (an alteration of its binary so that a virus runs at startup), or something like that.

4) Least Likely. The packages that you downloaded from a Source Forge mirror site using VIPM are somehow infected.

I see that you've emailed JKI customer support. I'll follow up with you by email and then post a status update here once we figure out what's going on.

Thanks,

-Jim


I also want to add that VIPM validates the MD5 checksum of every package file that is downloaded from the VI Package Network. So VIPM never installs a package if it's not the exact same package that was initially released (for example, if a file on a Source Forge mirror gets infected/corrupted/substituted).

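The checksum gate Jim describes above, as an added example that is not VIPM's or JKI's own code: a small Python verifier that streams a downloaded package through MD5, compares the result in constant time against the digest published in a release manifest, and refuses to "install" anything that does not match or is not listed. The manifest format, the package file names, the temp-directory "download" and the sample contents are all constructed for this example.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample manifest: "<md5 hex>  <package file name>", one entry per line.
# The digests are the real MD5 values of the sample contents used below
# (b"hello world" and the empty file).
MANIFEST = """\
# constructed release manifest for this example
5eb63bbbe01eeed093cb22bb8f5acdc3  example_lib-1.0.0.vip
d41d8cd98f00b204e9800998ecf8427e  empty_lib-0.0.1.vip
"""

CHUNK_SIZE = 64 * 1024


def parse_manifest(text):
    """Map package file name -> expected MD5 hex digest, ignoring comments and blank lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.strip()] = digest.lower()
    return expected


def file_digest(path, algorithm="md5"):
    """Hash a file in chunks so a large package never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, expected_md5):
    """True only if the file on disk hashes to the published MD5.

    compare_digest does not short-circuit on the first differing character;
    any mismatch (truncation, corruption, substitution on a mirror) fails closed.
    """
    return hmac.compare_digest(file_digest(path, "md5"), expected_md5.lower())


def install_if_verified(path, manifest_text=MANIFEST):
    """Decide what an installer should do with a downloaded package file."""
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return "rejected: package not in manifest"
    if not verify_package(path, expected[name]):
        return "rejected: checksum mismatch"
    return "installed"


def simulate_download(name, contents):
    """Write constructed package bytes into a fresh temp dir, standing in for a
    mirror download; returns the local path."""
    directory = tempfile.mkdtemp(prefix="package-check-example-")
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(contents)
    return path


if __name__ == "__main__":
    good = simulate_download("example_lib-1.0.0.vip", b"hello world")
    tampered = simulate_download("example_lib-1.0.0.vip", b"hello world!")
    print(install_if_verified(good))      # installed
    print(install_if_verified(tampered))  # rejected: checksum mismatch
```

The algorithm is a parameter of `file_digest` because MD5 only protects against accidental corruption or a careless substitution; a manifest that also carries SHA-256 digests, fetched over a channel the mirror cannot alter, is what makes the same gate hold against a deliberately crafted replacement.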

Thanks Jim, I'm glad you got my concern.

I believe I have to add more info, to help debug this:

1. As I said on the following post, I am able to open your webpage within my IT policies, and also to download the VIPM. The problem I get is with the update & download process of the libraries:

http://forums.jkisoft.com/index.php?showto...entry3054

2. After the VIPM setup, when I try to download the library packages, I always get a clean list, and the message "There was an error checking the network for new packages. Please check your network connection or settings and try again"

3. Though Trend Micro blocked me from getting the libraries, I also tried this from a machine running Symantec instead. Same result (blockage). I have not tried to check if Symantec, connected directly to the web (bypassing our network), identifies the files as viruses, but I believe it will (I'll try this later).

4. I think my company's firewall is most likely identifying these files as viruses... Probably all of the above are being over-protective (I've escalated this issue to our IT headquarters to check this).

5. The locations where these supposed-to-be viruses were located are the following:

C:\Documents and Settings\flex.user\Local Settings\Temporary Internet Files\Content.IE5\6RIUMLJG\2x33[1].ZIP - Trend Micro quarantined (not found now)

C:\Documents and Settings\flex.user\Local Settings\Temporary Internet Files\Content.IE5\ZRKSE9OG\2x33[1].zip - Trend Micro said "Unable to quarantine"

C:\WINDOWS\system32\drivers\vdrorjbyu.sys - Trend Micro quarantined (not found now)

I hope this really helps. Thanks again.


Is this happening only on that one machine or on others as well?

I've used Trend Micro antivirus and Symantec in the past and have never had this problem. Currently I'm using AVG anti-virus and I have no problems.

I'm wondering if those infected files have been there from before and only now you are noticing them. I don't see the link between those infected files and VIPM. The first two in fact seem to be more related to Internet Explorer web page access than anything else.

However, it is true that you must allow VIPM to access the internet. If these anti-virus programs also have a firewall then you must add exceptions for VIPM. When VIPM was first installed and run, did you get a warning that VIPM wants to access the internet? Did you add an exception? If not, then VIPM will not access the internet. I think those infected files and VIPM internet access are two separate issues that are manifesting at the same time.

I suggest you clean your computer with Trend Micro (to remove the infected files) and then add an exception for VIPM in your antivirus program's firewall. Then try again on a non-IT-blocked connection.

My suspicion is that IT is blocking VIPM from accessing the internet since it's not an authorized application, not because it's downloading viruses.

Hi Pablo,

I examined the 2x33[1].zip file you sent and it does not appear to be a valid ZIP archive. Plus, this appears to be something that was downloaded by a user in Internet Explorer 5. I don't think it has anything to do with VIPM. I think Michael is right, that this is probably a file that already existed on the computer before VIPM performed any action. VIPM does not interact with IE in any way.

Thanks,

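A reproducible form of the check in Jim's reply, as an added example that is not JKI's code: it classifies bytes that antivirus attributed to a package download by the ZIP signature at the start of the file and by Python's `zipfile` integrity test, so that "not a valid ZIP archive" becomes a concrete finding (wrong magic, no usable central directory, or a member that fails its CRC) rather than an impression. The sample archives are built in memory; their member names and contents are constructed for this example.

```python
import io
import zipfile

# Signatures a ZIP file may legitimately start with (PKWARE APPNOTE):
LOCAL_FILE_HEADER = b"PK\x03\x04"   # first member's local header
EMPTY_ARCHIVE = b"PK\x05\x06"       # end-of-central-directory record only
SPANNED_MARKER = b"PK\x07\x08"      # spanned-archive / data-descriptor marker
ZIP_MAGICS = (LOCAL_FILE_HEADER, EMPTY_ARCHIVE, SPANNED_MARKER)


def classify_zip(data):
    """Return a short verdict for bytes claimed to be a ZIP archive.

    'bad-magic'            : does not even begin like a ZIP (an HTML error page,
                             another file type cached under a .zip name, ...)
    'truncated-or-corrupt' : ZIP-like prefix but no usable central directory
    'crc-mismatch:<name>'  : structure parses, but a member's data fails its CRC-32
    'empty'                : well-formed archive with no members
    'valid'                : every member reads back with a matching CRC-32
    """
    if not data.startswith(ZIP_MAGICS):
        return "bad-magic"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad_member = zf.testzip()          # reads every member, checks CRC-32
            if bad_member is not None:
                return f"crc-mismatch:{bad_member}"
            return "valid" if zf.namelist() else "empty"
    except zipfile.BadZipFile:
        return "truncated-or-corrupt"


def classify_zip_file(path):
    """Same verdict for a file on disk (e.g. a quarantined browser-cache entry)."""
    with open(path, "rb") as f:
        return classify_zip(f.read())


def make_sample_zip(member="readme.txt", content=b"constructed payload bytes"):
    """Build a small, valid, uncompressed archive in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr(member, content)
    return buf.getvalue()


def make_empty_zip():
    """Archive with no members: just the 22-byte end-of-central-directory record."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w"):
        pass
    return buf.getvalue()


def corrupt_member_data(archive, original=b"payload", replacement=b"paylo4d"):
    """Alter bytes inside the stored member data only, leaving headers intact,
    so the structure still parses but the member's CRC-32 no longer matches."""
    assert len(original) == len(replacement)
    return archive.replace(original, replacement, 1)


if __name__ == "__main__":
    good = make_sample_zip()
    print(classify_zip(good))                                # valid
    print(classify_zip(b"<html>mirror error page</html>"))   # bad-magic
    print(classify_zip(good[:-10]))                          # truncated-or-corrupt
    print(classify_zip(corrupt_member_data(good)))           # crc-mismatch:readme.txt
    print(classify_zip(make_empty_zip()))                    # empty
```

The magic check runs first because `zipfile` searches the tail of the file for the central directory and can accept a ZIP appended to another file; a file that carries no ZIP signature at offset zero is worth reporting separately from one that is merely cut short.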