false alarm on srvany.exe

Bob V

Srvany.exe was identified as winlog trojan although it's
included in w2k resource kit. It has never been accessed
or modified.

If all Microsoft files that could be used maliciously were
removed, I suspect Windows functionality would be greatly
impaired.<g>
 
plun

(e-mail address removed) expressed precisely:
There I find this:
"If you are the vendor of a product that you believe has
been incorrectly classified..." so I suspect that isn't
the appropriate channel. The vendor, in this case, is
Microsoft.

But thank you anyhow. <g>

Well, that form is also for MS false/positives............ ;)

And vendor IS Microsoft in this case.

Or you can send a suspected spyware report (menu Tools), but
as I understand it you have checked this file and are sure
that it is an original w2k file?
 
Guest

-----Original Message-----
Or you can send a suspected spyware report (menu Tools), but
as I understand it you have checked this file and are sure
that it is an original w2k file?

It isn't a signed file, but last modified 12/21/1999 8:59
AM, which matches other files in the resource kit; size is
16k. It isn't running as a system service:
http://support.microsoft.com/kb/q137890/

I scanned it with Norton AV and it's clean, but I wouldn't
expect it to be modified by a trojan, just *used* by a
trojan.

The info from antispyware was that it is frequently used
by trojans. I have no idea why it was identified as winlog
trojan.

Bob V
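A defender-side check for the two points raised above (is srvany.exe actually wired up as a service, and does the on-disk file look like the Resource Kit copy), written for this thread as an added example and not code from any poster; it assumes PowerShell 4 or later run as an administrator and uses the file path from the scan report in this thread.

```powershell
# Added example (not from the thread): list services whose binary is srvany.exe,
# show which program each wrapper service launches (KB137890 puts it under
# <service>\Parameters\Application), then report the file's signature and hash
# so it can be compared against a known-good Resource Kit copy.
# Assumption: PowerShell 4+ (Get-FileHash) with rights to read HKLM\SYSTEM.

$services = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.ImagePath -and ($_.ImagePath -match 'srvany\.exe') }

if (-not $services) {
    Write-Output 'No service uses srvany.exe as its ImagePath.'
}

foreach ($svc in $services) {
    $name   = $svc.PSChildName
    $params = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters" -ErrorAction SilentlyContinue
    $state  = (Get-Service -Name $name -ErrorAction SilentlyContinue).Status
    [PSCustomObject]@{
        Service     = $name
        State       = $state
        ImagePath   = $svc.ImagePath
        Application = $params.Application      # the program srvany really runs
        AppParams   = $params.AppParameters
    }
}

# Inspect the binary itself; path taken from the antispyware report in this thread.
$file = 'e:\program files\resource pro kit\srvany.exe'
if (Test-Path -LiteralPath $file) {
    $item = Get-Item -LiteralPath $file
    $sig  = Get-AuthenticodeSignature -FilePath $file
    [PSCustomObject]@{
        Path          = $file
        SizeBytes     = $item.Length
        LastWriteTime = $item.LastWriteTime
        Signature     = $sig.Status            # Resource Kit builds are typically NotSigned
        SHA256        = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
    }
}
```

An unexpected Application value, or a hash that differs from a clean Resource Kit copy, is what would turn this from an FYI into something worth investigating.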
 
Guest

-----Original Message-----
Well, that form is also for MS
false/positives............ ;)
And vendor IS Microsoft in this case.

Or you can send a suspected spyware report (menu Tools), but
as I understand it you have checked this file and are sure
that it is an original w2k file?

Here is the report:

Winlog Trojan more information...
Details: SRVANY.EXE is a Windows file included in the
Windows 2003 Resource Kit. This file is also commonly used
by a number of known Trojans and could be currently used
in a malicious manner.
Status: Ignored
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.

Infected files detected
e:\program files\resource pro kit\srvany.exe


Detected Spyware Cookies
No spyware cookies were found during this scan.
 
plun

(e-mail address removed) expressed precisely:
Here is the report:

Winlog Trojan more information...
Details: SRVANY.EXE is a Windows file included in the
Windows 2003 Resource Kit. This file is also commonly used
by a number of known Trojans and could be currently used
in a malicious manner.
Status: Ignored
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.

Infected files detected
e:\program files\resource pro kit\srvany.exe


Detected Spyware Cookies
No spyware cookies were found during this scan.

Well, send a false/positive to MS about this.

Maybe "guru" Bill has something more about this?
 
Steve Dodson [MSFT]

I believe the default action is to ignore. We see srvany a lot in PSSSEC
where most home users will not be running applications as a service. If we
are set to ignore this, and only flag it as an FYI, I think we are doing the
right thing.

--
-steve

Steve Dodson [MSFT]
MCSE, CISSP
PSS Security

--

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
originated.
 
Bill Sanderson

plun said:
Maybe "guru" Bill has something more about this?

I'm going to start lowercasing my name if you're going to assign me "guru"
status.

Fortunately, by the time I got to reading this thread, Steve Dodson had
already given me the right cue, so I don't have to put my foot in my mouth.

I think perhaps the designation of "winlog trojan" is confusing, but the
rest of the description and the default action seem appropriate to me.

As I understand it, the purpose of flagging this kind of code is simply to
alert the user to the presence of the tool on their workstation--so that
they know it is there, and that there could be risk associated with it. If
they installed it 7 months ago for a short project and haven't used it
since, maybe they'll blow it away, and have done their security good deed
for the day.

I agree with Steve--looks like the right description and right action
suggested. I do find the "winlog trojan" a bit of a false note, but maybe
this can get tuned as folks complain.
 
