September 5, 2006 7:21 AM PDT

CA antivirus deletes Windows 2003 file

Some Windows 2003 users have been experiencing problems with the operating system after CA antivirus software wrongly detected part of the operating system as malicious software last week.

At the heart of the problem is part of Windows' built-in security, a file called Lsass.exe. This was wrongly detected as a virus by CA's eTrust software and was deleted, causing some servers to crash and fail to reboot.

CA, formerly known as Computer Associates, said that it quickly spotted and remedied the problem on Friday and also advised affected users to find out how to fix it.

The cause of the confusion seems to be Lsass.exe being mistaken for the Trojan Win32/Lassrv.B.

Lassrv.B was discovered in the wild on Aug. 24 and was rated as a very low threat. The problem for Windows 2003 and eTrust users occurred in a subsequent signature update from CA on Friday.

Will Sturgeon of Silicon.com reported from London.

Whoops!
by Mr. Network September 5, 2006 7:42 AM PDT
Guess someone screwed up, or there is an insider that doesn't like M$
Haha
by Amazingant September 5, 2006 7:45 AM PDT
I'd guess it's the second option.

:-)
Were they really wrong? (* GRIN *)
by wbenton September 5, 2006 8:43 AM PDT
lsass.exe is a system process of the Microsoft Windows security mechanisms. It specifically deals with local security and login policies. This program is important for the stable and secure running of your computer and should not be terminated.

But also note that a certain lsass.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

And also note that one lsass.exe is also registered as a downloader. This process usually comes bundled with a virus or spyware and its main role is to do nothing other than download other viruses/spyware to your computer. This process is a security risk and should be removed from your system.

If Microsoft only allowed authenticated processes/programs to be run, we would have never had any of the past lsass.exe exploits and thus this false positive as well would never have happened.

Walt
Explain
by Mr. Network September 5, 2006 11:15 AM PDT
I don't follow your solution. You say that M$ should only allow authenticated processes to run. What defines an authenticated process? How does a process become authenticated? What would stop a would-be virus-writer from re-designing this to be run as an authenticated process?

The reason they chose to use lsass.exe for their trojans and downloaders is because it would blend in with the running processes. I don't believe this was preventable, and I'm not sure your solution is the right answer as it would only result in a re-design of the current problem.

An O/S is a living program that runs other programs, I don't foresee that changing in my lifetime. As long as someone has the ability to run architected code on any O/S, they will find a way to do so.

Nice try though bud! ;-)

~Mr. Network
Let the fun begin!
by Shifty200 September 5, 2006 3:02 PM PDT
I just finished working on a computer running Windows XP Pro and CA anti-virus. It would not due to problem with lsass.exe file. Ran a repair from the Windows XP Pro CD and cured the error.
Missing file can be replaced
by Seaspray0 September 6, 2006 7:15 AM PDT
Thank you to Shifty200 for how to repair your operating system. You can use the CD to boot into the recovery console where you can unarchive the original file from the CD back to your hard drive. Although, if you have another working XP machine, I would rather take it from there as it is probably a more updated version of the file. Although not required, I am partial to installing the recovery console as a bootable option. It is a little more convenient than having to find the CD.
Are authentication prompts enough?
by starmonkey1 September 5, 2006 3:07 PM PDT
Actually it's been a long time since Windows would let you run or install a program from the web without getting at least one prompt telling you that the operation you're about to do is potentially dangerous and could harm your computer. Many people just click Yes without looking anyway.

Vista will really lock down on this kind of stuff in an even more extreme way than Mac OS X and yet at the end there are still prompts, and security experts complain that people will get desensitized to the prompts and approve them without thinking about it.

There's no way to truly stop a trojan given a sufficiently boneheaded user that has access to admin credentials (and most home users do). I don't see why this hasn't happened on Mac OS X yet, other than the fact that the median Mac user is much more savvy than the median PC user.
Facts
by hhs2112 September 6, 2006 2:54 PM PDT
starmonkey1 wrote "I don't see why this hasn't happened on Mac OS X yet, other than the fact that the median Mac user is much more savvy than the median PC user."

This is "a fact"??? You're an idiot.
OOPS!
by heystoopid September 5, 2006 8:35 PM PDT
Oops, a big boo boo ! that one, but as a majority of the real savvy users will never make these simple mistakes and errors!

But, it is not the first and won't be the last, false positive from A-T software!

But then again, there is no such a thing as a perfect Operating System either, all have both positives and negatives, and windows vista due to a lot of additional bloatware, will never run on the current run of the mill machines as used by the ordinary user or office worker(best is cheap crap), unless they spend up big on upgrades to next gen cpu's and motherboards etc!

Choices, as always, is the end user's prerogative!