And I guess that is what has me thrown--there ARE what appear to be ESE related 
files in the c:\windows\security folder on that server and on other WS03 
servers, but I can't imagine that MS would have left it out of their "what to 
exclude" for AV KB that they've been updating for years.



Specifically, the contents of the folder look like this, with the tmp.edb (if 
it existed) having already been removed by FEP.

[inline image: listing of the c:\windows\security folder]



I don't think it went to a quarantine location anywhere that I can recover from 
to do a submission as it was removed, but I'll look around.  If it matters, the 
item it claims to have detected was "TrojanDownloader:HTML/Renos", which 
doesn't appear to be something that downloads an executable.



Thanks,

Bonnie



-----Original Message-----
From: Michael B. Smith [mailto:[email protected]]
Sent: Wednesday, June 29, 2011 9:43 AM
To: NT System Admin Issues
Subject: RE: Is this a valid file?



Just to be a pedant: there is extensive documentation on the format of ESE 
files and their log files. Every (current) version of Windows should ship with 
esentutl.exe which allows you to analyze ESE files, log files, and the related 
checkpoint files.



Now, that being said, tmp.edb is the NORMAL name for the file that the ESE 
subsystem is writing and preparing to be the NEXT ESE log. It should be created 
in the same folder as any other *.log files for the ESE database. It may not be 
a valid ESE file because the file is created as a sparse file (which means it 
has garbage), then block-by-block is overwritten with a specific bit-pattern. 
When it is turned into the "next" ESE log file, the first thing that happens is 
a valid ESE header gets written into the first two blocks of the log.



If there are no other *.log files in a given directory - then it's a good 
likelihood that tmp.edb isn't right in that location.



Regards,



Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com





-----Original Message-----

From: Ben Scott [mailto:[email protected]]

Sent: Wednesday, June 29, 2011 12:16 PM

To: NT System Admin Issues

Subject: Re: Is this a valid file?



On Wed, Jun 29, 2011 at 11:57 AM, Miller Bonnie L.
<[email protected]> wrote:
> Trying to find out if c:\windows\security\tmp.edb

  "tmp.edb" is a standard name used by the Extensible Storage Engine
(ESE).  ESE *is* used by the security configuration template system,
and it *does* have some ESE-related files living in
"C:\windows\security\", so that's a plausible name.

  The problem is, malware writers know this too, so they often create
files with plausible or even completely legitimate names (displacing
legitimate files).  A very cursory eyeball scan of Google results does
suggest that is a possibility.

  Or it could be a false positive that randomly matched some signature.

  The only way to know for sure is to examine the file contents.  A
very quick check of TMP.EDB files on my systems doesn't seem to find
any obvious header or "magic number".  I don't think Microsoft
documents the format of this file.  However, you might look at *your*
TMP.EDB and see if it's anything obvious -- especially if it has a
Windows executable header.



-- Ben
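A triage script for a tmp.edb that is still on disk (Bonnie's copy was already removed by FEP, so this would apply to the other WS03 servers or to a future hit), added here as an example and not part of the thread. It runs the checks Michael and Ben describe in one pass: whether the file sits beside other ESE *.log files, whether it carries the sparse attribute Michael mentions, what its first bytes are (an "MZ" prefix means a PE executable, not ESE data), a SHA-256 for a vendor submission or lookup, and what esentutl.exe makes of the file when asked to dump it as a log (/ml) and as a database header (/mh). It assumes PowerShell 2.0 or later; the default path is a placeholder.

```powershell
# Added example, not code from the thread. Triage a suspect tmp.edb.
# $Path is a placeholder; point it at the file you actually want to check.
param([string]$Path = 'C:\Windows\security\tmp.edb')

$file = Get-Item -LiteralPath $Path -ErrorAction Stop
$dir  = $file.DirectoryName

# 1. Michael's check: ESE creates tmp.edb next to the database's *.log files.
#    A tmp.edb with no sibling log files is suspicious in that location.
$logs = @(Get-ChildItem -LiteralPath $dir -Filter '*.log' |
          Where-Object { -not $_.PSIsContainer })
Write-Host ("Sibling *.log files in {0}: {1}" -f $dir, $logs.Count)
if ($logs.Count -eq 0) {
    Write-Warning 'No ESE log files alongside tmp.edb; treat it as suspect.'
}

# 2. A tmp.edb that ESE is preparing is created as a sparse file.
$isSparse = ($file.Attributes -band [IO.FileAttributes]::SparseFile) -ne 0
Write-Host ("Size: {0} bytes, sparse: {1}" -f $file.Length, $isSparse)

# Open with FileShare.ReadWrite so a service that holds the file open does
# not stop us reading it. One handle serves both the header peek and the hash.
$fs = [IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
try {
    # 3. Ben's check: look at the first bytes for an executable header.
    $bytes = New-Object byte[] 16
    $read  = $fs.Read($bytes, 0, $bytes.Length)
    $hex   = ($bytes[0..($read - 1)] | ForEach-Object { $_.ToString('X2') }) -join ' '
    Write-Host "First $read bytes: $hex"
    if ($read -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
        Write-Warning 'Starts with "MZ": this is a Windows executable, not ESE data.'
    }

    # 4. Hash the whole file before anything quarantines or deletes it,
    #    so there is something to submit or look up afterwards.
    $fs.Position = 0
    $sha    = [Security.Cryptography.SHA256]::Create()
    $sha256 = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    Write-Host "SHA256: $sha256"
}
finally {
    $fs.Dispose()
}

# 5. Let ESE's own tool parse it. A genuine log or database header dumps
#    cleanly; a sparse file still being prepared, or a renamed executable,
#    fails both. esentutl.exe ships with Windows.
Write-Host '--- esentutl /ml (log file header) ---'
esentutl.exe /ml $Path
Write-Host '--- esentutl /mh (database header) ---'
esentutl.exe /mh $Path
```

Run it from an elevated prompt on a server where the file still exists, and compare the output with a known-good server in the same role: matching sizes, a sparse attribute, sibling *.log files and an esentutl dump that parses are what a real ESE temp log looks like, while an "MZ" prefix or a clean parse as nothing at all is what you would want to submit to the AV vendor rather than simply let the scanner delete.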



~ Finally, powerful endpoint security that ISN'T a resource hog! ~

~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~



---

To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/

or send an email to [email protected]

with the body: unsubscribe ntsysadmin




