
Tuesday, February 23, 2010

CA Internet Security Suite Win32/ASuspect False Positive

Win32/ASuspect is the latest message users of CA Internet Security Suite are seeing, beginning last night, February 22nd, 2010.

CA is reporting wuweb.dll as a Win32/ASuspect Trojan and automatically placing it in quarantine. This file is part of the Windows Update process, which is now failing to execute.

I support several customers using CA Internet Security Suite and all have reported seeing this error message. I've done some checking on the web and the CA Support forums have lit up like a Christmas tree. However, because I'm a cautious man, I submitted a copy of the quarantined wuweb.dll to virustotal.com and, as expected, the results came back clean.

Looks like we have another case of a CA false positive. I'm sure CA will fix this quickly by pushing out new signatures; however, what worries me is the frequency, because CA had a case of false positives last year in 2009, and secondly I'm not seeing much about this on their website. As a good corporate citizen I think CA should be informing their customers about such problems quickly. Consultants such as myself get these frantic phone calls from clients; then we spend our valuable time investigating such matters only to find it's a false positive. It would save me much headache if CA could post a message to their Forum or website.

Come on, CA, I expect better from you.

Thursday, July 9, 2009

CA Internet Security Suite 2009 Trashes Windows System Files

CA Internet Security Suite 2009 trashed Windows XP SP3 system files following a recent signature update. Signatures version 6604 seems to be falsely identifying several Windows system files and placing them in quarantine. Many home, home office and small business users have reported that the following files were affected (this list is not comprehensive; these are the most commonly reported quarantined files):

  • c:\windows\system32\net.exe
  • c:\windows\system32\netsh.exe
  • c:\windows\system32\reg.exe

Community Forums lit up like a Christmas tree; however, CA was slow to respond or acknowledge there was a false positive problem. Late Thursday afternoon a notice was posted on CA's Virus Signature Update site indicating there was a problem, urging users to follow these steps in resolving this situation.

Community Forum users stepped up to the plate, indicating this situation to be a false positive problem and suggesting short-term fixes, one of which was to disable Real Time Anti Virus Scan, which seemed to be the culprit in this fiasco. Short term or not, disabling any Anti Virus is a recipe for disaster. However, in this case, because CA was dragging its heels, this fix was the best solution at the time. CA should take a page from its user Community and step up to the plate quicker with solid answers when users ask questions. Many users were frustrated and vented their frustration and disappointment in CA's handling of this situation. Amongst the tidal wave of forum posts, users were trying all sorts of solutions, thinking this was a real virus threat. Some went to the extreme of restoring entire systems to previous image backups, only to be back in the same spot after updating to CA signature file version 6604. Others, not so quick on the trigger, took time to investigate in detail before attempting such drastic measures. But in any case, scenarios like these waste everyone's time, effort and in some cases data, as many reported blue screens or problems booting after CA Anti-Virus happily quarantined Windows system files.

Situations like this prove several things:
1. Disaster strikes when you don't have a good backup.
2. Quality Assurance cycles are way too short or nonexistent.
3. Windows users have been conditioned to eradicate anything when they see the words VIRUS and INFECTED, not giving the process much scrutiny before proceeding to restore from backup.

#1 is easy to fix... BACKUP regularly. Disk is cheap; there is no excuse.
#2 is harder for users to control, but hopefully CA has learned something from this situation. If not, someone most certainly got fired today.
#3 False positives do happen, people; they've been with us since the very first Anti-Virus snake oil salesman conned you into buying his software many years ago. Unfortunately this is today's reality in the Windows universe. However, please scrutinize and be informed before doing anything drastic.

For CA today was a BAD day; for us mortals today was just another day in the Windows-verse. Hopefully none of you have lost much data, but cheer up, tomorrow is another day.
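
One way to do the "scrutinize before doing anything drastic" step for the three files listed above, as an added example that is not part of the original post. It assumes PowerShell 5.1 or later (so catalog-signed system files are recognized and `Get-FileHash` is available); the function name `Test-SystemFileTrust` and the verdict wording are this example's own.

```powershell
# Added example: triage a suspected AV false positive on Windows system files.
# Default paths are the files named in the post; everything else is illustrative.
function Test-SystemFileTrust {
    param(
        [string[]]$Path = @(
            "$env:SystemRoot\System32\net.exe",
            "$env:SystemRoot\System32\netsh.exe",
            "$env:SystemRoot\System32\reg.exe"
        )
    )
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            # A missing system file is itself a finding: it may be sitting in quarantine.
            [pscustomobject]@{
                Path = $p; Present = $false; Status = $null; Signer = $null; SHA256 = $null
                Verdict = 'Missing: check the AV quarantine before restoring from backup'
            }
            continue
        }

        # Signature check: is this still the binary the vendor shipped?
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

        # Hash for an independent lookup (for example on a multi-engine scanning service).
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash

        $genuine = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
        $verdict = if ($genuine) {
            'Valid Microsoft signature: consistent with a false positive; confirm with a hash lookup'
        } else {
            'Signature not valid: treat the detection as real until shown otherwise'
        }

        [pscustomobject]@{
            Path = $p; Present = $true; Status = $sig.Status
            Signer = $signer; SHA256 = $hash; Verdict = $verdict
        }
    }
}

Test-SystemFileTrust | Format-List
```

A file restored from quarantine can be checked the same way by passing its location with `-Path`.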