Re: something weird found recently--Virus?
Posted by Dennis M on September 29th, 2004


Hey everyone,

A while back I posted the message below about a weird process that kept
changing its name. No one really knew what it was, but everyone I spoke
with said it was definitely some kind of malware. So here's the outcome of
that, just in case anyone else finds the same thing on their machines. (I
know one person already did.)

The first thing I did when I found the executable was to make sure I have
the latest data file and then I ran a complete check on my machine. Scanner
came up with nothing. I ran this by our IT person and he said, "If virus
checker did not pick it up, then it can't be a virus. Go back to work" [or
something along these lines]. I swear, our IT guys remind me of the Dilbert
cartoons so much, it is not even funny. I went to my manager and he had the
same thing (different name) on his machine, so he went back to the IT people
and they opened a case with Trend Micro. We sent them the executable for
analysis and a few days later what I got back from our IT people was that the
executable is actually part of the virus checker itself. He was very vague
about details (again, Dilbert), but from what I can guess, the virus checker
does this to protect itself so that viruses can't kill it by searching
process list for a given executable name.

I didn't find anything about this behavior on OfficeScan website, but I did
verify that machines that don't have OfficeScan installed also do not have
this file running. I write software and the first thing I do when I log in
is open mail reader, Visual Studio, and task manager, so this must be some
new feature Trend Micro added this summer because otherwise I would have
noticed it before. Our machines are set up to receive auto updates of the
data files and I think of the engine itself.

It would still be nice to get an official word from Trend Micro on this with
a reasonable explanation, but for now, I guess what I've said will have to
suffice.

-- Dennis




Posted by Anthony Loh on October 4th, 2004


This random file is spawned by an OfficeScan program NTRtScan.exe.

Every time you restart the computer, a new file name will appear
in the Windows\temp directory.

To find out, you can run Process Explorer from SysInternals.
http://www.sysinternals.com/ntw2k/fr.../procexp.shtml

As to why this is so, I am still waiting for an official answer from
Trend Micro.

Anthony Loh

"Dennis M" <x@x.com> wrote in message news:<dGp6d.26250$yg.8370@twister.nyroc.rr.com>...
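
Added example, not part of the thread: a PowerShell version of the parent-process check that Process Explorer is suggested for above, listing every running process whose image sits under Windows\temp together with its parent and the Authenticode signer of the file. It assumes PowerShell 3.0 or later and an elevated prompt; the output property names are chosen here for illustration.

```powershell
# Added example: which process spawned the executables running from
# %WINDIR%\Temp, and who signed them?
$tempDir = (Join-Path $env:windir 'Temp') + '\'

# Take one snapshot so child and parent lookups are consistent.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

$procs |
    Where-Object {
        # ExecutablePath is empty for processes the caller may not query.
        $_.ExecutablePath -and
        $_.ExecutablePath.StartsWith($tempDir, [System.StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object {
        $parent = $byPid[[uint32]$_.ParentProcessId]

        # PIDs are reused: a "parent" that started after the child is an
        # unrelated process that inherited the number, so discard it.
        if ($parent -and $parent.CreationDate -gt $_.CreationDate) { $parent = $null }

        # A vendor component should carry a valid signature from that vendor.
        $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath

        [pscustomobject]@{
            Name       = $_.Name
            ProcessId  = $_.ProcessId
            Path       = $_.ExecutablePath
            ParentName = if ($parent) { $parent.Name } else { '(parent exited)' }
            ParentPath = if ($parent) { $parent.ExecutablePath } else { $null }
            SigStatus  = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    } |
    Format-List
```

A randomly named image whose parent is the antivirus service and whose signature status is `Valid` with the vendor as signer is consistent with the explanation given in the thread; an unsigned image or an unexpected parent is what warrants submitting the file for analysis.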

