CA detects itself as malware after a botched update

Aug 13, 2009 13:07 GMT  ·  By

After an engine signature update from 31.6.6672 to 33.3.7051, the CA eTrust anti-virus went completely mad and started to display numerous false positive detections, reporting files as infected with StdWin32. This was later fixed by CA with an emergency update, 34.0.6674, and written instructions on the company's customer support web page.

After the problematic engine update, the anti-virus went berserk and started to quarantine various binary files, leaving systems in complete chaos. And if this was not enough, the absurdity of the whole situation peaked when it started to detect itself as malware and send some of its own binaries into quarantine.

It was first noticed by the Dynamoo blog, and later spawned a thread on the official CA eTrust anti-virus forum on the CA website. Forum users reported numerous false positive detections from CA eTrust, which affected various applications such as MS Visual Studio, Incredibuild, AJAX Control Toolkit, some Nokia software, printer drivers and more.

It seemed that the anti-virus had an appetite for .DLL, .EXE and .AVB files, reporting hundreds of false positive StdWin32 detections on a single computer.

A prompt response was given by CA with a quick engine update, and a later re-release of its previous malware engine. Instructions on how to rename quarantined files and get them back were issued through a newsletter to all CA customers. The remediation tools and instructions can be found on CA's customer support page. According to the message sent to customers, they were urged to “download and run the rename tool or un-quarantine tool first to restore the files and then update the machines to version 34.0.0.6674.”

CA also issued this statement about the incident, “Last night, CA released a new updated AntiMalware engine. This new release has resulted in false positive detections of a number of files. CA Threat Manager customers are the only customers being affected by this issue. This is not a result of signature updates and does not impact CA consumer Internet security products. To resolve the issue, CA has rolled back the new engine and re-released its previous antimalware engine. CA customer support representatives are on call to answer customer questions and to provide remediation support. A remediation tool to rename the quarantined files is now available through CA support and will soon be accessible online. CA is aggressively working to resolve the issue, assist any customers who have been affected, as well as identify the root cause of the incident. We apologize for this inconvenience and look forward to the roll out of our new antimalware engine, which will ultimately offer our customers many benefits including enhanced malware protection and improved performance.”