Windows Defender notification

RobinK

I recently performed a full scan which resulted in the usual 'green tick'
status. However, I later noticed that the scan produced a separate warning in
Event Viewer saying that WD had detected the spyware Trojan:JS/Agent.FA in my
Temporary Internet Files folder. So I ran a custom scan just on that folder
and WD displayed a detection notification and asked if I wanted to remove the
infected file, which I did. I previously had faith in WD's capability but now
it raises 2 questions.

1. Why did WD's real-time protection fail to prevent the infected file being
saved to my hard drive when it was encountered on the suspect website?
2. Why didn't WD notify me that it had detected the spyware during the full
scan but then generate a warning in Event Viewer instead, which I could have easily
missed?

Many thanks,
Robin.
 
Ǝиçεl

Hello RobinK,

> 1. Why did WD's real-time protection fail to prevent the infected file being
> saved to my hard drive when it was encountered on the suspect website?
> 2. Why didn't WD notify me that it had detected the spyware during the full
> scan but then generate a warning in Event Viewer instead, which I could have easily
> missed?

1.- MSWD is generally a reactive application. It tends to deal with spyware
after it is already on your computer. If you're looking for protection before
it can download to your computer, you'd perhaps be interested in
SpywareBlaster.

<http://www.javacoolsoftware.com/spywareblaster.html>

SiteAdvisor
<http://www.siteadvisor.com/preview/>

Oh, and it sure doesn't hurt to have both of these applications for multiple
layers of protection.

If you want something proactive, add Prevx Home
<http://www.prevx.com>

YOU must have the expertise, since it is your choices and education that
dictate how secure your system is.

> 2. Why didn't WD notify me that it had detected the spyware during the full
> scan but then generate a warning in Event Viewer instead, which I could have easily
> missed?

2.- I am out of answers. Sorry I couldn't help.



Ǝиçεl
-=-
 
RobinK

Thanks for your suggestions. Before I rush off to install more security
software, I need to understand why WD failed to intercept and notify me about
this malware. If WD doesn't work properly then I will move to another
product. But at this stage, I do not know if that is the case.

Regards.
Robin.
 
Bill Sanderson

I share your mystification, I think. From your description, I take it you
are using Internet Explorer? What version?
If I were ASSuming something, it might be along the lines of the file not
being a direct threat--but the later detection and removal seems to negate
that, as does the name.

Can you copy and paste that event viewer warning to a reply here? And
perhaps also events related to the later detection and removal? Feel free
to remove anything identifying if present.

I'm not sure I will learn anything from these, but I'm curious. And
occasionally somebody more knowledgeable does look at these threads.

Thanks!

RobinK

Hi Bill,

I'm using IE6 on this PC. The full scan finished and reported nothing.
However, I have noticed that a scheduled WD Quick Scan started & finished
right in the middle of this Full Scan. I don't know if this confused the
issue. When I checked Event Viewer, the following warning was present in the
System log...

**********
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 1006
Date: 03/04/2009
Time: 00:25:24
User: N/A
Computer: -
Description:
Windows Defender scan has detected spyware or other potentially unwanted
software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:JS/Agent.FA&threatid=17855
Scan ID: {8BD58A8D-EC0F-445B-B742-C4FABECEA5F9}
Scan Type: AntiSpyware
Scan Parameters: Full Scan
User: -\-
Name: Trojan:JS/Agent.FA
ID: 17855
Severity: High
Category: Trojan
Path Found: file:C:\Documents and Settings\-\Local Settings\Temporary Internet Files\Content.IE5\YTOTM5OV\popup[1].htm
Detection Type: Concrete

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
**********

This prompted me to run a Custom Scan on the TIF folder specified. This time
I got an active response from WD, giving the option to remove the file. After
WD removed the file, the following entry appeared in Event Viewer...

**********
Event Type: Information
Event Source: WinDefend
Event Category: None
Event ID: 1007
Date: 03/04/2009
Time: 00:57:43
User: N/A
Computer: -
Description:
Windows Defender has taken action to protect this machine from spyware or
other potentially unwanted software.
For more information please see the following:
http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:JS/Agent.FA&threatid=17855
Scan ID: {E1925C9C-38DD-4E19-BEF2-F62513272F62}
Scan Type: AntiMalware
User: -\-
Name: Trojan:JS/Agent.FA
ID: 17855
Severity: High
Category: Trojan
Action: Remove

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
**********

Notice that the Scan Type has changed from AntiSpyware in detection to
AntiMalware in removal. Please let me know if you need any further info.

Thanks,
Robin.
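As an added example that is not part of the thread: a small Python script that parses WinDefend entries in the Event Viewer text layout shown above and pairs each Event ID 1006 detection with a later Event ID 1007 removal of the same threat ID, flagging detections that never got a follow-up action. The sample input is constructed from the two entries Robin posted (trimmed to the fields read here), and the script assumes dd/mm/yyyy dates and the '*****' lines as block separators.

```python
import re
from datetime import datetime
# Constructed sample input: the two WinDefend events quoted above, trimmed to the
# fields this script reads (the '*****' separators are kept as block delimiters).
SAMPLE_EVENTS = r"""
Event ID: 1006
Date: 03/04/2009
Time: 00:25:24
Name: Trojan:JS/Agent.FA
ID: 17855
Path Found: file:C:\Documents and Settings\-\Local Settings\Temporary Internet Files\Content.IE5\YTOTM5OV\popup[1].htm
**********
Event ID: 1007
Date: 03/04/2009
Time: 00:57:43
Name: Trojan:JS/Agent.FA
ID: 17855
Action: Remove
**********
"""

def parse_events(text):
    """Split an Event Viewer text export into (timestamp, event id, fields), oldest first (dd/mm/yyyy assumed)."""
    events = []
    for block in re.split(r"^\*{5,}\s*$", text, flags=re.M):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")   # first colon only: 'Name: Trojan:JS/...'
            if sep and re.fullmatch(r"[A-Za-z ]+", key.strip()):
                fields[key.strip()] = value.strip()
        if "Event ID" in fields:
            ts = datetime.strptime(fields["Date"] + " " + fields["Time"], "%d/%m/%Y %H:%M:%S")
            events.append((ts, int(fields["Event ID"]), fields))
    return sorted(events, key=lambda e: e[:2])

def unremediated_detections(events):
    """Threats with a 1006 detection but no later 1007 'Remove' for the same ID: file still on disk while the UI shows green."""
    removed = {}
    for ts, eid, f in events:
        if eid == 1007 and f.get("Action", "").lower() == "remove":
            removed.setdefault(f["ID"], []).append(ts)
    return [(f["Name"], ts) for ts, eid, f in events
            if eid == 1006 and not any(t >= ts for t in removed.get(f["ID"], []))]

def remediation_delay(events, threat_id):
    """Seconds from first 1006 detection to first 1007 removal, or None if never removed."""
    det = [ts for ts, eid, f in events if eid == 1006 and f["ID"] == threat_id]
    rem = [ts for ts, eid, f in events if eid == 1007 and f["ID"] == threat_id]
    return int((min(rem) - min(det)).total_seconds()) if det and rem else None
```

Run against a real export, the same pairing shows at a glance whether a "green tick" scan left a logged detection with no action behind it, which is the history Bill asks about in the next reply.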
 
Bill Sanderson

I don't understand it--it's clearly identified as severity:high--it seems to
me it should have offered to clean it on the first scan.

Is there an antivirus installed? I'm not certain that it would be expected
that Windows Defender would prevent the file from being saved. It should
certainly prevent the file from being executed.

The quickscan may be a clue--suppose the first scan had thrown up a warning,
and before you were able to see it, the quickscan ran, and was clean, thus
turning everything green again--not sure that's how it works, but maybe..

Does Windows Defender history show anything clearer--a record of detection
before the 00:57 scan might mean that it was in fact detected on the earlier
scan?

RobinK

Hi Bill,

Thanks for your comments. Please find my responses below...
> I don't understand it--it's clearly identified as severity:high--it seems to
> me it should have offered to clean it on the first scan.

My point exactly.

> Is there an antivirus installed? I'm not certain that it would be expected
> that Windows Defender would prevent the file from being saved. It should
> certainly prevent the file from being executed.

SAV v10 is installed. I checked Symantec's virus database and unbelievably,
this bug isn't even in their threat list. Not by that name or any of the
others suggested by the MS Malware Protection Center. Hence why SAV didn't
even show up at the party.

> The quickscan may be a clue--suppose the first scan had thrown up a warning,
> and before you were able to see it, the quickscan ran, and was clean, thus
> turning everything green again--not sure that's how it works, but maybe..

Yes, that makes sense to me.

> Does Windows Defender history show anything clearer--a record of detection
> before the 00:57 scan might mean that it was in fact detected on the earlier
> scan?

Unfortunately, the history has been cleared, presumably because the PC has
been restarted a few times since the incident. I was a bit panicked when it
happened (at around midnight) and neglected to check the history at the time.

Thanks again,
Robin.
 
Bill Sanderson

History is only supposed to be cleaned manually, I think. I'm not sure what
class of things show up there, though--this seems like something that should
have.

I understand the panic issue--this stuff always seems to happen when you are
pressed for time or sleep....

RobinK

Thanks again for your comments, Bill.