September 5, 2006 7:21 AM PDT

CA antivirus deletes Windows 2003 file

Some Windows 2003 users have been experiencing problems with the operating system after CA antivirus software wrongly detected part of the operating system as malicious software last week.

At the heart of the problem is part of Windows' built-in security, a file called Lsass.exe. This was wrongly detected as a virus by CA's eTrust software and was deleted, causing some servers to crash and fail to reboot.

CA, formerly known as Computer Associates, said that it quickly spotted and remedied the problem on Friday and has told affected users where to find out how to fix it.

The cause of the confusion seems to be Lsass.exe being mistaken for the Trojan Win32/Lassrv.B.

Lassrv.B was discovered in the wild on Aug. 24 and was rated as a very low threat. The problem for Windows 2003 and eTrust users occurred in a subsequent signature update from CA on Friday.

Will Sturgeon of Silicon.com reported from London.

Whoops!
Guess someone screwed up, or there is an insider that doesn't like M$
Posted by Mr. Network (92 comments )
Haha
I'd guess it's the second option.

:-)
Posted by Amazingant (146 comments )
Were they really wrong? (* GRIN *)
lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. This program is important for the stable and secure running of your computer and should not be terminated.

But also note that a certain lsass.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

And also note that one lsass.exe is also registered as a downloader. This process usually comes bundled with a virus or spyware and its main role is to do nothing other than download other viruses/spyware to your computer. This process is a security risk and should be removed from your system.

If Microsoft only allowed authenticated processes/programs to be run, we would have never had any of the past lsass.exe exploits and thus this false positive as well would never have happened.

Walt
Posted by wbenton (522 comments )
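The distinction drawn above, between the genuine lsass.exe in System32 and malware that borrows the same name, is something an administrator can check directly before accepting an antivirus verdict that a core system file is hostile. The PowerShell snippet below is an added example and is not code from CNET, CA or any commenter; it assumes a Windows host with PowerShell 3 or later and an elevated session (reading the image path of a protected process requires one), and uses the Authenticode signature plus the on-disk location as the "authentication" of the process.

```powershell
# Added example: sanity-check the running lsass.exe before acting on an AV verdict.
# Assumes Windows, PowerShell 3+, and an elevated session (needed to read lsass's path).
$expectedPath = Join-Path $env:SystemRoot 'System32\lsass.exe'

# A genuine LSASS is a single process whose image lives in System32 and is signed by Microsoft.
$procs = Get-Process -Name lsass -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    $path = $p.Path        # $null when the session is not elevated
    $sig = $null
    $verdict = 'UNKNOWN: run elevated to read the image path'
    if ($path) {
        $sig = Get-AuthenticodeSignature -FilePath $path   # catalog signatures are honoured on Windows 8+
        $inSystem32 = $path -ieq $expectedPath
        $signedByMs = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')
        if ($inSystem32 -and $signedByMs) {
            $verdict = 'GENUINE: do not delete'
        } else {
            $verdict = 'SUSPICIOUS: unexpected path or signature'
        }
    }
    [pscustomobject]@{
        PID       = $p.Id
        Path      = $path
        SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
        Verdict   = $verdict
    }
}

# Also check the file on disk, which matters after a signature update has already quarantined it.
if (-not (Test-Path $expectedPath)) {
    Write-Warning "$expectedPath is missing; restore it from installation media before rebooting."
}
```

Run it from an elevated prompt; a result of GENUINE for a process the scanner has just flagged is the cue to treat the detection as a probable false positive and hold off on deletion until the vendor confirms, which is exactly the situation this article describes.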
Explain
I don't follow your solution. You say that M$ should only allow authenticated processes to run. What defines an authenticated process? How does a process become authenticated? What would stop a would-be virus-writer from re-designing this to be run as an authenticated process?

The reason they chose to use lsass.exe for their trojans and downloaders is because it would blend in with the running processes. I don't believe this was preventable, and I'm not sure your solution is the right answer as it would only result in a re-design of the current problem.

An O/S is a living program that runs other programs; I don't foresee that changing in my lifetime. As long as someone has the ability to run architected code on any O/S, they will find a way to do so.

Nice try though bud! ;-)

~Mr. Network
Posted by Mr. Network (92 comments )
Let the fun begin!
I just finished working on a computer running Windows XP Pro and CA anti-virus. It would not boot due to a problem with the lsass.exe file. Ran a repair from the Windows XP Pro CD and cured the error.
Posted by Shifty200 (1 comment )
Missing file can be replaced
Thank you to Shifty200 for how to repair your operating system. You can use the CD to boot into the recovery console, where you can unarchive the original file from the CD back to your hard drive. Although, if you have another working XP machine, I would rather take it from there as it is probably a more updated version of the file. Although not required, I am partial to installing the recovery console as a bootable option. It is a little more convenient than having to find the CD.
Posted by Seaspray0 (9714 comments )
Are authentication prompts enough?
Actually it's been a long time since Windows would let you run or install a program from the web without getting at least one prompt telling you that the operation you're about to do is potentially dangerous and could harm your computer. Many people just click Yes without looking anyway.

Vista will really lock down on this kind of stuff in an even more extreme way than Mac OS X and yet at the end there are still prompts, and security experts complain that people will get desensitized to the prompts and approve them without thinking about it.

There's no way to truly stop a trojan given a sufficiently boneheaded user that has access to admin credentials (and most home users do). I don't see why this hasn't happened on Mac OS X yet, other than the fact that the median Mac user is much more savvy than the median PC user.
Posted by starmonkey1 (5 comments )
OOPS!
Oops, a big boo-boo, that one! But the majority of the real savvy users will never make these simple mistakes and errors!

But, it is not the first and won't be the last, false positive from A-T software!

But then again, there is no such thing as a perfect Operating System either; all have both positives and negatives, and Windows Vista, due to a lot of additional bloatware, will never run on the current run-of-the-mill machines as used by the ordinary user or office worker (best is cheap crap), unless they spend up big on upgrades to next-gen CPUs and motherboards etc!

Choice, as always, is the end user's prerogative!
Posted by heystoopid (691 comments )