We got hit with this too. We have a mix of 2.3 and 2.4 at the moment. I got notifications like these for several of my servers last night. Is anyone else having this problem?
Can anyone verify that it's a false positive?

OSSEC HIDS Notification.
2010 Jul 13 05:11:21

Received From: (Server1) x.y.x.w ->WinEvtLog
Rule: 40113 fired (level 12) -> "Multiple viruses detected - Possible outbreak."
Portion of the log(s):

WinEvtLog: Application: WARNING(258): McLogEvent: SYSTEM: NT AUTHORITY: Server1: The file c:\Program Files\ossec-agent\service-stop.exe contains Generic Downloader.x!eaf Trojan. The file was successfully deleted.
WinEvtLog: Application: WARNING(258): McLogEvent: SYSTEM: NT AUTHORITY: Server1: The file C:\PROGRAM FILES\OSSEC-AGENT\SERVICE-STOP.EXE contains Generic Downloader.x!eaf Trojan. The file was successfully deleted.
WinEvtLog: Application: WARNING(258): McLogEvent: SYSTEM: NT AUTHORITY: Server1: The file C:\PROGRAM FILES\OSSEC-AGENT\SERVICE-STOP.EXE contains Generic Downloader.x!eaf Trojan. The file was successfully deleted.
WinEvtLog: Application: WARNING(258): McLogEvent: SYSTEM: NT AUTHORITY: Server1: The file C:\PROGRAM FILES\OSSEC-AGENT\SERVICE-STOP.EXE contains Generic Downloader.x!eaf Trojan. The file was successfully deleted.
WinEvtLog: Application: WARNING(258): McLogEvent: SYSTEM: NT AUTHORITY: Server2: The file c:\Program Files\ossec-agent\service-stop.exe contains Generic Downloader.x!eaf Trojan. The file was successfully deleted.
WinEvtLog: Application: WARNING(258): McLogEvent: SYSTEM: NT AUTHORITY: Server2: The file c:\Program Files\ossec-agent\service-stop.exe contains Generic Downloader.x!eaf Trojan. The file was successfully deleted.
WinEvtLog: Application: WARNING(258): McLogEvent: SYSTEM: NT AUTHORITY: Server2: The file c:\Program Files\ossec-agent\service-stop.exe contains Generic Downloader.x!eaf Trojan. The file was successfully deleted.

On Tue, Jul 13, 2010 at 11:03 AM, Doug Burks <[email protected]> wrote:
> I've determined that the servers that experienced this were running
> OSSEC Agent version 2.3. According to VirusTotal, 6/42 AV vendors
> alert on this file:
> http://www.virustotal.com/analisis/ffd7b8326c2d57c236e4ac68e593c2b4a2246a149bf3bfec32d7e218858369d2-1279009310
>
> For comparison, here's the VirusTotal report for service-stop.exe from
> OSSEC Agent version 2.4.1 (0/42 AV vendors alert):
> http://www.virustotal.com/analisis/173034447d2ce6cba0969a82afeac24050b835879bfa0c51bb5243cc184490d2-1279019047
>
> Doug Burks
>
> On Jul 13, 10:20 am, Doug Burks <[email protected]> wrote:
>> This morning, McAfee Antivirus began deleting service-stop.exe on our
>> servers:
>>
>> The file C:\Program Files\ossec-agent\service-stop.exe contains
>> Generic Downloader.x!eaf Trojan. The file was successfully deleted.
>>
>> Is anybody else seeing this?
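A triage helper for notifications like the one quoted in this thread, added here as an example and not code from OSSEC, McAfee or anyone in the thread: it pulls the McLogEvent entries out of a rule 40113 alert body and groups the hits by file path and detection name, so it is obvious when the "outbreak" is one deployed binary tripping one signature across several hosts. The sample alert text is constructed in the shape of the thread's log lines; the regex and function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the McLogEvent lines quoted in the thread
# (real alerts put one event per line; the regex also works on run-together text).
SAMPLE_ALERT = r"""WinEvtLog: Application: WARNING(258): McLogEvent: SYSTEM: NT AUTHORITY: Server1: The file c:\Program Files\ossec-agent\service-stop.exe contains Generic Downloader.x!eaf Trojan. The file was successfully deleted.
WinEvtLog: Application: WARNING(258): McLogEvent: SYSTEM: NT AUTHORITY: Server1: The file C:\PROGRAM FILES\OSSEC-AGENT\SERVICE-STOP.EXE contains Generic Downloader.x!eaf Trojan. The file was successfully deleted.
WinEvtLog: Application: WARNING(258): McLogEvent: SYSTEM: NT AUTHORITY: Server2: The file c:\Program Files\ossec-agent\service-stop.exe contains Generic Downloader.x!eaf Trojan. The file was successfully deleted."""

# Field layout as seen in the thread: McLogEvent: <user>: <domain>: <host>: The file <path> contains <detection>. The file was <action>.
EVENT_RE = re.compile(
    r"McLogEvent: (?P<user>[^:]+): (?P<domain>[^:]+): (?P<host>[^:]+): "
    r"The file (?P<path>.+?) contains (?P<detection>.+?)\. "
    r"The file was (?P<action>[^.]+)\."
)

def parse_events(alert_text):
    """Yield one dict per McLogEvent entry found in the alert body."""
    for m in EVENT_RE.finditer(alert_text):
        yield {
            "host": m["host"],
            "path": m["path"].lower(),  # Windows paths are case-insensitive
            "detection": m["detection"],
            "action": m["action"],
        }

def summarize(alert_text):
    """Group hits by (path, detection). A single key seen on many hosts is the
    'same binary, same signature' pattern: compare that file against a clean
    install of the same agent version before treating the alert as an outbreak."""
    groups = defaultdict(lambda: {"hosts": set(), "hits": 0})
    for ev in parse_events(alert_text):
        g = groups[(ev["path"], ev["detection"])]
        g["hosts"].add(ev["host"])
        g["hits"] += 1
    return dict(groups)

def triage_lines(alert_text):
    """Human-readable summary, one line per distinct (path, detection)."""
    out = []
    for (path, det), g in sorted(summarize(alert_text).items()):
        out.append(f"{det}: {path} on {len(g['hosts'])} host(s), {g['hits']} hit(s)")
    return out

if __name__ == "__main__":
    print("\n".join(triage_lines(SAMPLE_ALERT)))
```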
