MacLochlainns Weblog

Michael McLaughlin's Technical Blog

Zend CE has a Worm?

with 7 comments

After updating the AVGFree virus definitions, I was surprised to find that Zend CE (Community Edition) 4.0.6 had a reported worm in the JavaServer.exe file. There was greater surprise when Zend CE 5.3.9 (5.6.0-SP1) also had the same reported worm.

AVGFree displayed a message identifying the worm, and you can read about this particular worm on the McAfee site or the AVG Threat Labs site.

If you check AVGFree’s page, the actual infection isn’t a stated variant, but it appears the heuristics are a bit aggressive.

File Name: C:\Program Files (x86)\Zend\ZendServer\bin\JavaServer.exe
Infection: Win32/DH.FF860061{00000000-00080000-00000000}

Unless you have the full version of AVGFree or another security program to try and fix the file, you can only quarantine the file. Quarantine or removal disables Zend CE from working. It begs the question: “How does Zend release a core file with a worm?” or “Is AVGFree reporting a false positive?”

Update: AVGFree was providing a false positive. In addition to the checks by Zeev at Zend, I created a new test instance with Norton 360 and it likewise found no virus/worm in Zend’s JavaServer.exe file. Hopefully the post will prevent others from spending more than a Google search to sort it out.

Since I use AVGFree on all my Windows 7 VM test instances, it seemed logical to illustrate how to work around this current false positive and the annoying quarantining of the core JavaServer.exe file from the Zend Server. There are two sets of tasks: the first removes the file from quarantine, and the second prevents future scans from quarantining the file again.

Remove the file from the Virus Vault

  1. Launch AVGFree and navigate to the History menu option and choose the Virus Vault option.

  2. Click the Virus Vault option in the list of the History, which displays a new screen. On it, click the Infection row and then click the Restore button to remove the file from the virus vault.

  3. A confirmation dialog opens and you click the Yes button to proceed.

  4. The Infection row is gone when you’re returned to the History dialog. Click the Close button to complete this task.

Exclude the file from future scans

  1. Select the Tools menu option and choose the Advanced settings … option.

  2. Click the Excluded files option in the list of the History, which displays a new screen. On it, click the Add button to select the file for exclusion. Click the Apply button to effect the change and the OK button to complete the change.
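Excluding a path means AVGFree no longer inspects whatever sits at that path, so it is worth recording what the restored file was and checking later that it has not been replaced. The script below is an added example, not part of the original post; it assumes PowerShell 4.0 or later (for `Get-FileHash`), and the baseline file location is a hypothetical choice.

```powershell
# Added example: pin the hash and signature state of a file excluded from AV scans.
param(
    # Path as reported by AVGFree in this post.
    [string]$Path = 'C:\Program Files (x86)\Zend\ZendServer\bin\JavaServer.exe',
    # Hypothetical location for the recorded baseline hash.
    [string]$BaselineFile = "$env:ProgramData\av-exclusions\JavaServer.exe.sha256"
)

function Test-ExcludedFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineFile
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found (still in the Virus Vault?): $Path"
    }

    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    if (Test-Path -LiteralPath $BaselineFile) {
        # Later runs: compare against the hash recorded when the file was restored.
        $expected = (Get-Content -LiteralPath $BaselineFile -TotalCount 1).Trim()
        $result   = if ($hash -eq $expected) { 'Unchanged' } else { 'Changed' }
    } else {
        # First run: record the baseline right after restoring the file.
        New-Item -ItemType Directory -Path (Split-Path $BaselineFile) -Force | Out-Null
        Set-Content -LiteralPath $BaselineFile -Value $hash
        $result = 'BaselineRecorded'
    }

    [pscustomobject]@{
        Path            = $Path
        SHA256          = $hash
        SignatureStatus = $sig.Status.ToString()   # e.g. Valid, NotSigned, HashMismatch
        Signer          = $signer
        Result          = $result
    }
}

$report = Test-ExcludedFile -Path $Path -BaselineFile $BaselineFile
$report | Format-List
if ($report.Result -eq 'Changed' -or $report.SignatureStatus -eq 'HashMismatch') {
    Write-Warning 'Excluded file differs from its baseline or fails signature validation.'
    exit 1
}
```

Run it once after restoring the file and again after each Zend Server update or on a schedule; a legitimate update changes the hash, so re-record the baseline only after confirming the new file came from the vendor.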

All I can say is that the AVGFree false positive was annoying, and it’s dark at 3 a.m. and light the next day. ;-)

Thanks to those who knew or surmised it was AVGFree’s heuristics and took the time to add a comment.

Written by maclochlainn

April 29th, 2012 at 2:40 am

Posted in Java,PHP,WAMP,Windows7,Zend

7 Responses to 'Zend CE has a Worm?'


  1. It’s probably a false positive. Try scanning the file with other AV SW.

    Matic

    29 Apr 12 at 3:57 am

  2. It would be more probable that it’s just one of the many false-positives found these days by over-aggressive AV heuristics. Should definitely be confirmed by Zend, though.

    Bartosz Bednarowicz

    29 Apr 12 at 5:44 am

  3. Are you sure that this is not a ‘false positive’? All AV solutions have ‘false positives’ from time to time (and AVG is no exception).

    Peter Laursen

    29 Apr 12 at 8:25 am

  4. We’ve tested it with both Eset and ClamAV and they didn’t find anything. We’ll continue checking it but it does look like a false positive, as others suggested.

    Zeev

    29 Apr 12 at 12:53 pm

  5. Thanks Zeev, I’m checking with other virus software. I agree it looks like a false positive and Norton 360 agrees with that assessment.

    maclochlainn

    29 Apr 12 at 2:41 pm

  6. It’s Java. And a server. No wonder ;)

    Justin Rovang

    29 Apr 12 at 7:55 pm

  7. […] Zend CE has a Worm? […]
