From: Anna Clark on
Specifically, what is the name of the file that Trend says contains the
trojan?

I reported an IE7 look alike as being fake and a trojan/virus laden file
months ago.

"This week we have discovered a virus lurking in a fake installation point
for IE7. User said he wanted to install IE7, googled for it, got "some
hits", downloaded and executed what he thought was IE7 setup.

The file turns out to be called IE7-Setup.exe, and our tests show it to be a
virus laden file, with, in our examples, psw.generic.qxk, psw.goldun.dz, and
psw.generic2.qus viruses as the payload. Trend says that most of the psw.X
viruses are keyloggers or password reporting Trojans."

Regards:

Anna Clark


"Frank McCallister SBS MVP" <anonymous> wrote in message
news:4B746268-702A-4A2D-9515-BFB7F22316C1(a)microsoft.com...
> Hi Gary
>
> What pattern file? Not seeing this on any of my servers. Not seeing Devcon
> issue Paul saw either.
>
> --
> Frank McCallister SBS MVP
> MCP Microsoft Small Business Specialist
> COMPUMAC
>
> "Gary Karasik" <gkarasik(a)fea.net> wrote in message
> news:u8Le9srXHHA.3984(a)TK2MSFTNGP02.phx.gbl...
> > Hi,
> >
> > As of 3:00 today, Trend CSM 3.5 is identifying the IE7 executable as a
> > trojan (Troj_gen). I ran into this while trying to do some IE6-IE7
> > updates. While "IE7 *IS* a trojan" jokes are always appropriate, it will
> > be difficult to do these upgrades until Trend fixes this.
> >
> > --
> >
> > GaryK
> >
> >
> >


From: PhilScott-SBSAdmin on
Just to let you know.... that link you have posted
(http://support.microsoft.com/kb/822158/en-us) does not say to exclude the
c:\windows\softwaredistribution\download folder which is where the file is
located on my machines that has come up as TROJ generic.

"Les Connor [SBS MVP]" wrote:

> http://support.microsoft.com/kb/822158/en-us
>
> Note the references to not scan the Windows Update or Automatic Update
> related files and stores.
>
> Not sure if that will help in your case, but I have these exclusions and
> don't see your issue.
>
> --
> Les Connor [SBS MVP]
>
>
> "Gary Karasik" <gkarasik(a)fea.net> wrote in message
> news:u8Le9srXHHA.3984(a)TK2MSFTNGP02.phx.gbl...
> > Hi,
> >
> > As of 3:00 today, Trend CSM 3.5 is identifying the IE7 executable as a
> > trojan (Troj_gen). I ran into this while trying to do some IE6-IE7
> > updates. While "IE7 *IS* a trojan" jokes are always appropriate, it will
> > be difficult to do these upgrades until Trend fixes this.
> >
> > --
> >
> > GaryK
> >
> >
> >
>
From: Gary Karasik on
4.311.50

--

GaryK


"Frank McCallister SBS MVP" <anonymous> wrote in message
news:4B746268-702A-4A2D-9515-BFB7F22316C1(a)microsoft.com...
> Hi Gary
>
> What pattern file? Not seeing this on any of my servers. Not seeing Devcon
> issue Paul saw either.
>
> --
> Frank McCallister SBS MVP
> MCP Microsoft Small Business Specialist
> COMPUMAC
>
> "Gary Karasik" <gkarasik(a)fea.net> wrote in message
> news:u8Le9srXHHA.3984(a)TK2MSFTNGP02.phx.gbl...
>> Hi,
>>
>> As of 3:00 today, Trend CSM 3.5 is identifying the IE7 executable as a
>> trojan (Troj_gen). I ran into this while trying to do some IE6-IE7
>> updates. While "IE7 *IS* a trojan" jokes are always appropriate, it will
>> be difficult to do these upgrades until Trend fixes this.
>>
>> --
>>
>> GaryK
>>
>>
>>


From: Gary Karasik on
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx is the
URL.

"IE7-WindowsXP-x86-enu.exe" is the filename.

It also deletes the file from the Microsoft Update download file
"c:\windows\softwaredistribution\download folder" when you try to update
that way.

You made me nervous, so I just tried to download the file directly from the
MS download center to my home machine, and PC-Cillin, using the same pattern
file, is refusing to accept it.

--

GaryK


"Anna Clark" <anna.clark(remove this)@verizon.net> wrote in message
news:%2301YMrsXHHA.4308(a)TK2MSFTNGP05.phx.gbl...
> Specifically, what is the name of the file that Trend says contains the
> trojan?
>
> I reported an IE7 look alike as being fake and a trojan/virus laden file
> months ago.
>
> "This week we have discovered a virus lurking in a fake installation point
> for IE7. User said he wanted to install IE7, googled for it, got "some
> hits", downloaded and executed what he thought was IE7 setup.
>
> The file turns out to be called IE7-Setup.exe, and our tests show it to be a
> virus laden file, with, in our examples, psw.generic.qxk, psw.goldun.dz, and
> psw.generic2.qus viruses as the payload. Trend says that most of the psw.X
> viruses are keyloggers or password reporting Trojans."
>
> Regards:
>
> Anna Clark
>
>
> "Frank McCallister SBS MVP" <anonymous> wrote in message
> news:4B746268-702A-4A2D-9515-BFB7F22316C1(a)microsoft.com...
>> Hi Gary
>>
>> What pattern file? Not seeing this on any of my servers. Not seeing Devcon
>> issue Paul saw either.
>>
>> --
>> Frank McCallister SBS MVP
>> MCP Microsoft Small Business Specialist
>> COMPUMAC
>>
>> "Gary Karasik" <gkarasik(a)fea.net> wrote in message
>> news:u8Le9srXHHA.3984(a)TK2MSFTNGP02.phx.gbl...
>> > Hi,
>> >
>> > As of 3:00 today, Trend CSM 3.5 is identifying the IE7 executable as a
>> > trojan (Troj_gen). I ran into this while trying to do some IE6-IE7
>> > updates. While "IE7 *IS* a trojan" jokes are always appropriate, it will
>> > be difficult to do these upgrades until Trend fixes this.
>> >
>> > --
>> >
>> > GaryK
>> >
>> >
>> >
>
>


From: Paul Shapiro on
Those folders are excluded from scanning. The deleted file was a file I had
manually downloaded from Microsoft's web site and saved in a Downloads
folder. Similar occurrence during last night's backup. This time it was a
WSUS file download, but the WSUS folder is excluded. The blocked file was in
the temporary Volume Shadow Copy that ntbackup makes when it runs:
\Device\HarddiskVolumeShadowCopy153\WSUS\WsusContent\A0\ .

Does anyone know how to exclude the temporary shadow copies from scanning?
Paul Shapiro

"Les Connor [SBS MVP]" <les.connor(a)DEL.cfive.ca> wrote in message
news:BBFC0AF9-8B34-41DF-ACB3-DB0438A70E2F(a)microsoft.com...
> http://support.microsoft.com/kb/822158/en-us
>
> Note the references to not scan the Windows Update or Automatic Update
> related files and stores.
>
> Not sure if that will help in your case, but I have these exclusions and
> don't see your issue.
>
> --
> Les Connor [SBS MVP]
>
>
> "Gary Karasik" <gkarasik(a)fea.net> wrote in message
> news:u8Le9srXHHA.3984(a)TK2MSFTNGP02.phx.gbl...
>> Hi,
>>
>> As of 3:00 today, Trend CSM 3.5 is identifying the IE7 executable as a
>> trojan (Troj_gen). I ran into this while trying to do some IE6-IE7
>> updates. While "IE7 *IS* a trojan" jokes are always appropriate, it will
>> be difficult to do these upgrades until Trend fixes this.