Editor's Blog and Industry Comments

When real viruses aren't enough

27 December, 2007
Kaspersky Labs recently released a virus signature which identifies Windows Explorer as a worm, with users deleting the file in a panic and some being unable to recover without the original install CDs.
Some anti-virus software retailers use Kaspersky Labs' virus engine in their products, including Check Point's ZoneAlarm, and users of these products may have seen a warning that their computers have been infected by a worm called Windows Explorer. The identity is worm.win32.Huhk.c and, according to our lab computer, ZoneAlarm fails to clean it up and displays a message giving the user options for what to do with it. The options include renaming or deleting the file. Some users are reported to have chosen the second option, leaving them without Explorer, which they only discovered on reboot. They then wasted further precious time restoring Explorer, either by rolling the operating system back or by using the restore disks.

If you click the "more info" link on the ZoneAlarm alert panel, there is no more information, just a message on the ZoneAlarm website saying there are no matching records. Even one week after the false alarm and after Kaspersky updated the signature, there are still no matching records on the ZoneAlarm site.

I tried contacting Check Point but haven't received any comment from their support people because of the holiday season. The forums have lots of queries concerning this false alarm, most of which are satisfactorily answered by enthusiastic amateurs but crucially nothing from Check Point or Kaspersky. Even on Check Point's own forum, there is no comment from their own people, just a post from someone who comes across as an expert and recommends downloading some trialware to do a clean-up.

I'm still waiting for a comment from Check Point and I'll publish it when it appears; meanwhile, the list of questions is getting longer. Who is moderating their forum, which allows posts pointing to potentially dangerous download sites? Was Kaspersky's modified signature, which corrects this false alarm, rolled out in ZoneAlarm, or will other users be asked to delete Explorer? Why is there still no information on the ZoneAlarm web site?

Computer security is a very hot topic and users worldwide have increased sensitivity to their vulnerability, so when a false alarm crops up, it can't just be written off as a glitch; it's a crisis and should be managed as such. With potentially thousands of users wasting time protecting themselves from an enemy that doesn't exist, the least that Check Point can do is provide them with information, something that is sorely lacking.