Hello,
Every time I do a thorough scan I always get a warning that the SQL Slammer virus was found in my McAfee firewall log, and I immediately delete it.
I really don’t think I have the SQL server; especially after searching for "sqlservr.exe" as instructed by Microsoft bulletin MS02061, no files were found. I’m not even sure what the heck SQL server is.
The file location is always C:\Windows\Program Files\Mcafee Firewall\Data\Log file with the current date.
Could this possibly be a false positive? If I just do a quick scan it does not show up; but if I go directly to that file and right click to scan, the warning pops up.
I have no idea why this worm is showing up in your firewall logs but then I have never used McAfee’s firewall and know nothing about it. Hopefully, someone here can help you with this.
If you are getting a virus warning that you believe is a false positive, then if you can zip and password protect (‘virus’, will do) the suspect file and send it to virus @ avast.com (no spaces), or send from the chest.
Give a brief outline of the problem (possibly a link to this thread), the fact that you believe it to be a false positive and include the password in the body of the email. Some info on the avast version and VPS number (see about avast {right click avast icon}) will also help.
If it is indeed a false positive, add it to the exclusions lists (Standard Shield, Customize, Advanced and Program Settings, Exclusions) and check scan it periodically using the ashQuick scan (right click scan), when it is no longer detected then remove it from the exclusions.
Also see (Mini Sticky) False Positives
I just sent the file to VirusTotal (multi-engine on-line virus scanner), and will be notified by email. I’m hoping it’s a false positive, since I’m really not sure how to deal with patching SQL, or if I even have it. I know I don’t use it if I do have it. I looked in my control panel to see if it’s an installed program and it does not show up.
I’ll let everyone know what the analysis states once I receive it.
Thanks for all the help!!
Hello David,
I got my results back, and great news!! Nothing was found, so I’m assuming it is a false positive.
The really weird thing is that Avast, on the report, showed nothing found. Wonder why my avast detects it as a virus. I always check for updates daily on the dats as well as the program.
AntiVir 6.34.0.24/20060412 found nothing
Avast 4.6.695.0/20060403 found nothing
AVG 386/20060412 found nothing
Avira 6.34.0.56/20060412 found nothing
BitDefender 7.2/20060412 found nothing
CAT-QuickHeal 8.00/20060412 found nothing
ClamAV devel-20060202/20060412 found nothing
DrWeb 4.33/20060412 found nothing
eTrust-InoculateIT 23.71.127/20060412 found nothing
eTrust-Vet 12.4.2161/20060412 found nothing
Ewido 3.5/20060412 found nothing
Fortinet 2.71.0.0/20060412 found nothing
F-Prot 3.16c/20060412 found nothing
Ikarus 0.2.59.0/20060412 found nothing
Kaspersky 4.0.2.24/20060412 found nothing
McAfee 4739/20060412 found nothing
NOD32v2 1.1485/20060412 found nothing
Norman 5.90.15/20060412 found nothing
Panda 9.0.0.4/20060412 found nothing
Sophos 4.04.0/20060412 found nothing
Symantec 8.0/20060412 found nothing
TheHacker 5.9.7.128/20060411 found nothing
UNA 1.83/20060412 found nothing
VBA32 3.10.5/20060412 found nothing
Signatures can at times match code that isn’t malicious, especially if it is trying to detect variants of a virus type, like SQL Slammer.
You should now take the actions I mentioned on reporting a false positive; this will help others, as the signature will be modified to cater for this FP. Also add the file to the exclusions list.
I did send a sample via email today; directly from my virus chest. Just out of curiosity I went into my McAfee firewall log folder and right-clicked and scanned with Avast and sure enough the alarm went off saying it detected a virus. I moved it into my virus chest and emailed it, as I’ve done several others. I have never gotten a response of any kind with any of the previous emails I have sent. I always include in the email, “could this be a false positive?”
I didn’t see the file so I’m judging just by the description, but I actually don’t think it’s a false alarm.
The firewall is probably logging some attack information/packets into a file - and if somebody attacked you with an “SQL Slammer” attack (which is quite likely; there is still lots of this stuff out there), it saved the infection code to the log file. Sure, it is not dangerous and cannot infect you, but it’s still there - and I think it’s correct for an antivirus to report that.
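To make the mechanism described above concrete, here is an added Python example (it is not from this thread and not from any McAfee or Avast product). It assumes a hypothetical key=value firewall log layout in which the first bytes of each blocked datagram are dumped as hex; the real McAfee log format is not shown on this page. The script flags entries that match the public SQL Slammer fingerprint (a UDP datagram to port 1434 whose payload starts with 0x04 followed by a run of 0x01 bytes), checks that those packets were inbound and blocked, and shows a redaction step that keeps the log's forensic value while removing the bytes a content signature would match, as an alternative to clearing the log or excluding it from scans.

```python
"""Added example: why an antivirus flags a firewall packet log, and how to
triage it. A firewall that records the raw bytes of a blocked datagram
writes the attacker's payload into a plain text file; a content-based
signature then matches those inert bytes even though nothing ran on the
host. Log layout below is constructed for this example (assumption), not
McAfee's real format."""
import hashlib
import re
from typing import Dict, List

# Constructed sample log (not a real capture). Addresses are documentation
# ranges; "data" is hex of the blocked datagram's first bytes.
SAMPLE_LOG = """\
2006-04-12 08:13:22 action=block proto=UDP src=203.0.113.7:1031 dst=192.0.2.5:1434 data=04010101010101010101010101010101
2006-04-12 08:13:25 action=block proto=TCP src=198.51.100.3:40012 dst=192.0.2.5:135 data=
2006-04-12 08:14:01 action=allow proto=UDP src=192.0.2.5:1434 dst=192.0.2.53:53 data=0c2a01000001000000000000
"""

# Hypothetical line shape: "<date> <time> action=.. proto=.. src=ip:port dst=ip:port data=<hex>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"data=(?P<data>\S*)$"
)

# Public SQL Slammer fingerprint (from the 2003 incident analyses and IDS
# rules): one UDP datagram to the SQL Server Resolution Service port whose
# payload begins with 0x04 and a run of 0x01 padding bytes. Only this prefix
# is needed to recognise a capture; the matcher contains nothing else.
SLAMMER_PORT = 1434
SLAMMER_PREFIX = b"\x04" + b"\x01" * 8


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse log lines; unknown shapes are skipped rather than guessed."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        d = m.groupdict()
        try:
            payload = bytes.fromhex(d["data"])
        except ValueError:
            payload = b""  # already redacted, or not a hex dump
        entries.append({
            "ts": d["ts"], "action": d["action"], "proto": d["proto"].upper(),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "payload": payload,
        })
    return entries


def is_slammer_capture(entry: Dict[str, object]) -> bool:
    """True when the logged packet carries the Slammer prefix to UDP/1434."""
    return (entry["proto"] == "UDP" and entry["dport"] == SLAMMER_PORT
            and bytes(entry["payload"]).startswith(SLAMMER_PREFIX))


def triage(text: str) -> Dict[str, object]:
    """Summarise what a scanner alert on this log actually corresponds to."""
    entries = parse_log(text)
    hits = [e for e in entries if is_slammer_capture(e)]
    return {
        "entries": len(entries),
        "slammer_captures": len(hits),
        "sources": sorted({str(e["src"]) for e in hits}),
        # All captures blocked on the way in means the host was a target,
        # not a sender, of the worm traffic.
        "inbound_blocked": all(e["action"] == "block" for e in hits),
    }


def redact_payloads(text: str) -> str:
    """Replace each dumped payload with its length and a truncated SHA-256.
    The record of the attempt survives; the signature-matching bytes do not."""
    out = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m and m.group("data"):
            payload = bytes.fromhex(m.group("data"))
            digest = hashlib.sha256(payload).hexdigest()[:16]
            raw = raw[:m.start("data")] + f"len={len(payload)},sha256={digest}"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print(redact_payloads(SAMPLE_LOG))
```

The triage output for the constructed sample reports one Slammer capture, blocked on the way in from a single source, which is exactly the situation the thread describes: an attack attempt recorded in a text file, not an infection. After `redact_payloads` the same log still parses into the same number of entries, but no entry matches the fingerprint any more, so a content signature has nothing to hit.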
That may well be the case, but how does that account for the non-detection by all the scanners, including avast?
Considering the VirusTotal site uses the Windows version of avast, the same as safe1, I can only conclude that they haven’t/didn’t have the latest avast VPS; they are also using an older version of avast (4.6.695.0/20060403 found nothing). That date doesn’t correspond to that version number; version 4.6.763 is 20060128.
I hope it isn’t an indication of the VPS date which is very old, 20060403 equates to VPS 0614-0 well out of date.
If that date relates to the VPS, then the VirusTotal site is so far out of date as to be a waste of time, and could well be very misleading and possibly harmful if one took the results as gospel. Not only that, it is possibly damaging to avast’s reputation.
Well, yesterday I thought I’d be safe and I right-clicked my firewall log file, and sure enough the warning came up. I didn’t do anything with the file so that I could send it to the on-line virus center. Well, here’s the latest results:
AntiVir 6.34.0.24/20060413 found [Worm/SQL.Slammer.dmp]
Avast 4.6.695.0/20060403 found [Win32:SQLSlammer]
AVG 386/20060413 found nothing
Avira 6.34.0.56/20060413 found [Worm/SQL.Slammer.dmp]
BitDefender 7.2/20060413 found nothing
CAT-QuickHeal 8.00/20060413 found nothing
ClamAV devel-20060202/20060413 found nothing
DrWeb 4.33/20060413 found nothing
eTrust-InoculateIT 23.71.128/20060412 found nothing
eTrust-Vet 12.4.2162/20060413 found [Win32/SQLSlammer]
Ewido 3.5/20060413 found nothing
Fortinet 2.71.0.0/20060412 found nothing
F-Prot 3.16c/20060413 found nothing
Ikarus 0.2.59.0/20060413 found nothing
Kaspersky 4.0.2.24/20060413 found nothing
McAfee 4740/20060413 found nothing
NOD32v2 1.1488/20060413 found nothing
Norman 5.90.15/20060413 found nothing
Panda 9.0.0.4/20060413 found nothing
Sophos 4.04.0/20060413 found nothing
Symantec 8.0/20060413 found nothing
TheHacker 5.9.7.129/20060413 found nothing
UNA 1.83/20060413 found nothing
VBA32 3.10.5/20060413 found nothing
VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Do not reply to this message. It has been generated by an automatic address that will not handle any reply. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
So now what do I do? How can I tell if I have the SQL program installed on my computer? It’s not in Add/Remove Programs whatsoever. I’ve never received any update notices from Microsoft about the patches either. So I’m sorta confused, to say the least.
Anyway, I’m very thankful you are all willing to help me with this problem! Any and all suggestions are welcome!!
Thank you for putting me at ease!! I have searched for that sqlservr.exe and nothing came up so I know I’m not running it!
Should I just put the firewall log on the list of exemptions when I scan from now on?
As Vlk said, you should be OK, but future access to the log will likely have the same result; you could clear the log contents.
I don’t know if your firewall has the ability to clear or delete the contents of the log (mine in Outpost Pro does, for example). You could also add your firewall .log file to the Standard Shield and Program Settings exclusions. I’m not sure whether this has a security implication, but it is probably low since this is a text file.