Absolutely Shocking! Rob
Robert Rutherford QuoStar Solutions Limited T: +44 (0) 8456 440 331 F: +44 (0) 8456 440 332 M: +44 (0) 7974 249 494 E: [EMAIL PROTECTED] W: www.quostar.com -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] Sent: 01 September 2006 17:46 To: [email protected] Subject: Re: [ActiveDir] OT: Servers rebooting, etrust antivirus CA eTrust Antivirus flagging lsass.e x e http://isc.sans.org/diary.php?n&storyid=1665 Unsubscribe: http://isc.sans.org/notify.php Yup Kevin Brunson wrote: > > Anyone else out there dealing with the Computer Associates eTrust > Antivirus signature thing this morning? > > Symptoms: "The system process "C:\Windows\System32\lsass.exe" > terminated unexpectedly with status code 0. The system will now shut > down and restart." > > After the reboot, it once again gives the same message, over and over. > > Resolution: Update to the latest eTrust Antivirus signatures. The > version ending in .3056 is known stable. > > Details: Apparently the signatures are detecting lsass.exe as a virus > and trying to rename or delete it. Windows File Protection kicks in > and says no. They then argue for a bit and neither wins so the server > gives up and reboots. > > Hopefully no one else has experienced this, but if you are running ca, > this should solve your problem. Almost all of my customers are running > eTrust Antivirus, so it has been a very long morning. > > Kevin > -- Letting your vendors set your risk analysis these days? http://www.threatcode.com If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will hunt you down... http://blogs.technet.com/sbs List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
