Archive for MAV

Quickbooks dbdata11.dll and Vipre/MAV

Friday morning (6-26-2015) I started receiving calls from several of my customers saying that they could not run Quickbooks, and that they were getting an alert that the file “dbdata11.dll” has been quarantined.


With the help of other members of The ASCII Group, we quickly determined that it was a false positive due to a bad definition file update from Vipre (or the RMM version called MAV).

Soon after, MAXFocus (previously GFI) sent out a service status alert of the issue, and that it had been resolved with definition version 41468 and above. It was recommended to add the file (dbdata11.dll) to the Vipre/MAV exception list, before updating systems with the newer definition file.

Note: make an exception only for the file, and not the folder and file, as the folder name is randomly generated by QuickBooks.

That should have been it. Right? … Wrong!

I received a call from one of my users saying that one of their systems with QuickBooks installed on it had locked up. At about the same time they reported this issue, I received an email alert from the RMM service I use saying that the C: drive of this system had dropped to below 20% free space.

Once we got the system rebooted, I logged in and discovered that there were 44,175 folders taking up nearly 62GB of disk space. These folders were located in C:\Users\QBDataServiceUser22\appdata\local\temp. Each of them contained a single file: dbdata11.dll.

It turns out that every time Vipre/MAV quarantined this file, QuickBooks created a new temp folder with the same file!

So once I had the A/V definition file updated, and we rebooted the system, I went in and safely deleted all 44,175 folders!

What a fun way to spend a Friday!

Vipre creating thousands of SBS_STDRL temp files

Over this past weekend, I started seeing a buildup of temp files in the C:\Windows\Temp directory. Temp files were named SBS_STDRL_*. My immediate and natural fear was of a virus/hack attack.

The only thing the affected systems had in common was that they were all running the MaxFocus (formerly GFI) Managed AntiVirus program (Vipre). As soon as I stopped MAV from running, the temp files stopped accumulating. Looking at the file dates, this all started on Thursday Jan-15-2015.


I contacted MaxFocus Sunday evening and submitted a support ticket. By then I had systems with as few as a hundred files, up to systems with over 100,000 temp files created. Fortunately, each of these files was only 1K in size.

For the most part, this issue did not cause a lot of problems. However, several customer servers were negatively impacted by it; those customers started calling Monday morning reporting poor performance.

On Monday Jan-19-2015 Threat Track Security (formerly Vipre) posted a notice on the temp file issue in their forum acknowledging the problem and indicating that these files could be deleted.

We are currently investigating an issue where the SBS_STDRL files in C:\Windows\Temp are not being deleted automatically. These files are generated by Active Protection and through VIPRE scans. This may cause increased scan times depending on system specifications. You can delete these files by running command prompt as admin then entering the following command: del %windir%\temp\SBS_STDRL*

Later that day they posted a follow up indicating that the issue was caused by a bad definition file, and that it had been fixed with definition version 36798.

This issue has been fixed in definition version 36798. Please make sure you have updated your definitions to the latest version to stop this issue from happening. Please note, this will not delete the SBS_STDRL files that are already created, so the instructions in the first part of this should be followed if you wish to remove these files.

By Tuesday morning, all systems were running fine. I used a built-in script of MaxFocus RMM to schedule a cleanup of system temp files, which included checking the C:\Windows\Temp folder.
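For both of the cleanups above (the 44,175 dbdata11.dll folders and the SBS_STDRL_ temp files), here is an added PowerShell script, not from the original posts or from the vendors, that first inventories what is on disk and only deletes when run with -Remove. The QuickBooks service-user temp path, the dbdata11.dll name and the SBS_STDRL_ prefix are taken from the posts; the -Remove switch and the "folder contains only the DLL" rule are my own assumptions.

```powershell
# Added example (not from the original posts): inventory the temp artefacts
# described above and remove them only when -Remove is given. Paths and names
# are assumptions taken from the posts; adjust them to the affected machine.
param([switch]$Remove)

$qbTemp  = 'C:\Users\QBDataServiceUser22\AppData\Local\Temp'   # from post 1
$stray   = 'dbdata11.dll'                                       # from post 1
$sbsGlob = Join-Path $env:windir 'Temp\SBS_STDRL_*'             # from post 2

# Post 1: folders whose *sole* content is the quarantined DLL. A folder that
# holds anything else is not a quarantine-loop artefact and is left alone.
$loopDirs = @(
    Get-ChildItem -LiteralPath $qbTemp -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $inner = @(Get-ChildItem -LiteralPath $_.FullName -Force -Recurse)
        $inner.Count -eq 1 -and $inner[0].Name -ieq $stray
    }
)
$loopBytes = [long]($loopDirs | ForEach-Object {
        (Get-ChildItem -LiteralPath $_.FullName -File -Force).Length
    } | Measure-Object -Sum).Sum

# Post 2: the 1K scanner temp files that were never cleaned up.
$sbsFiles = @(Get-ChildItem -Path $sbsGlob -File -Force -ErrorAction SilentlyContinue)
$sbsBytes = [long]($sbsFiles | Measure-Object Length -Sum).Sum

'{0,7} folders {1,9:N1} MB  {2}\<random>\{3}' -f $loopDirs.Count, ($loopBytes / 1MB), $qbTemp, $stray
'{0,7} files   {1,9:N1} MB  {2}' -f $sbsFiles.Count, ($sbsBytes / 1MB), $sbsGlob

if ($Remove) {
    # Update definitions (or stop the scanner) first, otherwise the folders
    # reappear. Delete by exact path, not by wildcard, so unrelated temp data
    # in the same directories is never touched.
    $loopDirs | ForEach-Object { Remove-Item -LiteralPath $_.FullName -Recurse -Force }
    $sbsFiles | ForEach-Object { Remove-Item -LiteralPath $_.FullName -Force }
}
```

Run it once without -Remove from an elevated prompt to confirm the counts match what the RMM disk alert suggests, then again with -Remove.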