At the heart of the problem is part of Windows' built-in security, a file called Lsass.exe. This was wrongly detected as a virus by CA's eTrust software and was deleted, causing some servers to crash and fail to reboot.
CA, formerly known as Computer Associates, said that it quickly spotted and remedied the problem on Friday and also advised affected users to find out how to fix it.
The cause of the confusion seems to be Lsass.exe being mistaken for the Trojan Win32/Lassrv.B.
Lassrv.B was discovered in the wild on Aug. 24 and was rated as a very low threat. The problem for Windows 2003 and eTrust users occurred in a subsequent signature update from CA on Friday.
Will Sturgeon of Silicon.com reported from London.




:-)
But also note that a certain lsass.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.
And also note that one lsass.exe is also registered as a downloader. This process usually comes bundled with a virus or spyware and its main role is to do nothing other than download other viruses/spyware to your computer. This process is a security risk and should be removed from your system.
If Microsoft only allowed authenticated processes/programs to be run, we would have never had any of the past lsass.exe exploits and thus this false positive as well would never have happened.
Walt
The reason they chose to use lsass.exe for their trojans and downloaders is because it would blend in with the running processes. I don't believe this was preventable, and I'm not sure your solution is the right answer as it would only result in a re-design of the current problem.
An O/S is a living program that runs other programs, I don't foresee that changing in my lifetime. As long as someone has the ability to run architected code on any O/S, they will find a way to do so.
Nice try though bud! ;-)
~Mr. Network
Vista will really lock down on this kind of stuff in an even more extreme way than Mac OS X and yet at the end there are still prompts, and security experts complain that people will get desensitized to the prompts and approve them without thinking about it.
There's no way to truly stop a trojan given a sufficiently boneheaded user that has access to admin credentials (and most home users do). I don't see why this hasn't happened on Mac OS X yet, other than the fact that the median Mac user is much more savvy than the median PC user.
This is "a fact"??? You're an idiot.
- OOPS!
- by heystoopid September 5, 2006 8:35 PM PDT
- Oops, a big boo boo ! that one, but as a majority of the real savvy users will never make these simple mistakes and errors!
But, it is not the first and won't be the last, false positive from A-T software!
But then again, there is no such thing as a perfect Operating System either, all have both positives and negatives, and Windows Vista due to a lot of additional bloatware, will never run on the current run of the mill machines as used by the ordinary user or office worker (best is cheap crap), unless they spend up big on upgrades to next gen CPUs and motherboards etc!
Choices, as always, are the end user's prerogative!