10-27-2008 02:51 AM
My AV software (CA eTrust) recently discovered the FakeAV.LH virus in the file c:\program files\veritas\continuous protection server\services\rxmsg.dll on our CPS 10d server. I ran a scan and it was also detected in C:\Program Files\VERITAS\Continuous Protection Server\Install\data1.cab. I then inserted the original CPS 10d installation CD and discovered that the infected file rxmsg.dll was included in the original data1.cab!!
When I pushed out the CPS agent to my servers, the infected data1.cab was used, which means they are all infected too. Has anyone else detected any variants of "fakeAV" in your CPS installation (rxmsg.dll), or is this some kind of false positive?
To clean it, I stopped the CPS services and scanned/cleaned the PF\veritas folder.
Thanks for any input. Dan
10-27-2008 03:25 AM
I'm fairly sure this is a false positive because the original installation file on the CD-ROM was also detected as a virus. In any case, my AV software actually removed the rxmsg.dll file, which rendered my CPS installation unusable. I excluded the pf\veritas\cps\services folder from the real-time scan and re-extracted the rxmsg.dll back to this folder, so now it's working again.