Threat Level: green Handler on Duty: Russ McRee

SANS ISC: False positive on sfc.dll - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
False positive on sfc.dll
Bojan was the primary handler on this one...  We received a report that Symantec Antivirus was detecting a virus on sfc.dll, which is a component of Windows File Protection.  At first, we were a little worried that a trojan was disabling the protection features, which would be a bad thing.  However, it looks like this was a false positive and new signatures released today seems to have fixed the problem.  This was occuring on Windows 2000 SP4 machines without the Security Rollup applied.



UPDATE

Just a short update about this problem. As we already wrote, Symantec removed detection for this file from their definitions.
However, the main reason why they added this detection is pretty interesting, so we decided to write a bit more about this, as we received some useful information from Symantec?s security response team.

Basically, the sfc.dll file provides Windows 2000 and XP operating systems with a feature called System File Checker (SFC), which is part of Windows File Protection. Windows File Protection prevents programs from replacing critical Windows system files (you can find more information about WFP at http://support.microsoft.com/kb/222193).
As you can see, WFP makes it a bit more difficult for malware to replace Windows system files. The bad guys, however, found a way to circumvent SFC ? all they have to do is to ?patch? the sfc.dll file (the patch actually only modifies 2 bytes!) and add an undocumented registry key.

According to Symantec, a lot of Infostealer Trojans modify the sfc.dll file, so they added detection for it. However, it looks like there might be some other, legitimate, reasons for this, so some people might have been caught with this false positive detection (when the system actually wasn?t infected).
Symantec posted a knowledge base article about this, so if you were affected visit http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006102011570548.

Kyle

112 Posts

Sign Up for Free or Log In to start participating in the conversation!