VlP 0 Posted November 4, 2020

1 hour ago, gustlik102 said: Yes, but as far as I can see, Windows tries to restore this file from WinSxS after it is deleted from SysWOW64. When ESET tries to replace this file after the restore from the Windows repository, you get an access denied message, because TrustedInstaller is above the SYSTEM user (SYSTEM has read-only permission to this file). It is no problem when ESET didn't also clean this file in WinSxS. If ESET also cleans this file in this folder, Windows will restore an empty VBS file and ESET cannot replace it with the correct file.

When I restore items from quarantine, the restore item task has failed on every PC.

GregA 3 Posted November 4, 2020

23 minutes ago, VlP said: When I restore items from quarantine, the restore item task has failed on every PC.

Same here, luckily only about 30 computers. But the files are fairly important, as they are used to add the Windows 7 extended ESU license each year.

C:\windows\system32\slmgr.vbs
C:\windows\sysWOW64\slmgr.vbs

Task failed error: CNodcommChannel: Send request failed with 14, Command failed - Make sure that Agent runs with Administrator privileges.

rsf71 0 Posted November 4, 2020

What virus signature version was the culprit and which version fixes this issue? You made a lot of folks in a healthcare setting very upset with the Ryuk nonsense going on.

VlP 0 Posted November 4, 2020

21 minutes ago, GregA said: Same here, luckily only about 30 computers. But the files are fairly important, as they are used to add the Windows 7 extended ESU license each year. C:\windows\system32\slmgr.vbs C:\windows\sysWOW64\slmgr.vbs Task failed error: CNodcommChannel: Send request failed with 14, Command failed - Make sure that Agent runs with Administrator privileges.

Why are the files on Windows 10 machines?

bigdata 0 Posted November 4, 2020

I have the same problem with 2 detections of:

VBS / Trojan.Banload.fa

I am waiting for the update.

Administrators Marcos 5,462 Posted November 4, 2020

3 minutes ago, bigdata said: I have the same problem with 2 detections of: VBS / Trojan.Banload.fa I am waiting for the update.

An automatic module update with a fix was released 3 hours ago.

bigdata 0 Posted November 4, 2020

There is a problem: I'm on ESET Internet Security and no update is available. I just analyzed my system. I'll send you a screen in 5 minutes.

GregA 3 Posted November 4, 2020

3 minutes ago, Marcos said: An automatic module update with a fix was released 3 hours ago.

How do you define fix? People are not able to restore these from quarantine. Will the restore work after the fix rolls out?

rsf71 0 Posted November 4, 2020

8 minutes ago, VlP said: Why are the files on Windows 10 machines?

slmgr.vbs is part of the licensing subsystem for all Windows versions. If you are in a KMS environment you are pretty familiar with executing that file. I imagine MS leveraged that file for adding the license to extend your Windows 7 support.

Ravenia 0 Posted November 4, 2020

When I restored my file that was affected, it disappeared again from the folder after a while. I then managed to restore it using a restore point from Windows. It's now back in the folder and I hope this means everything is okay now.

karlisi 26 Posted November 4, 2020

42 minutes ago, GregA said: Same here, luckily only about 30 computers. But the files are fairly important, as they are used to add the Windows 7 extended ESU license each year. C:\windows\system32\slmgr.vbs C:\windows\sysWOW64\slmgr.vbs Task failed error: CNodcommChannel: Send request failed with 14, Command failed - Make sure that Agent runs with Administrator privileges.

The same here. Unable to restore.

rsf71 0 Posted November 4, 2020

1 minute ago, karlisi said: The same here. Unable to restore.

Try running the following:

C:\> sfc /scannow

This is the Windows system file checker, should identify missing files and replace them.

itman 1,806 Posted November 4, 2020

8 minutes ago, Ravenia said: I managed to then restore it using a restore point from windows. It's now back in the folder and I hope this means everything is okay now.

I also believe that running sfc /scannow from an admin command prompt window will also restore the file/s.

karlisi 26 Posted November 4, 2020

1 minute ago, rsf71 said: Try running the following: C:\> sfc /scannow This is the Windows system file checker, should identify missing files and replace them.

On 30+ computers in 20 remote locations?

rsf71 0 Posted November 4, 2020

1 minute ago, karlisi said: On 30+ computers in 20 remote locations?

There is no whining in I/T.

itman 1,806 Posted November 4, 2020 (edited)

13 minutes ago, karlisi said: On 30+ computers in 20 remote locations?

One thing I am wondering is if copying slmgr.vbs from the System32 directory to the SysWOW32 directory will fix this issue? File sizes are identical and the .vbs script is plain text.

Also, and most important, is the .vbs file missing from the SysWOW32 directory a major issue for anyone running a Win 64-bit version? I assume Win will use the .vbs script in the System32 directory for any license validations.

Edited November 4, 2020 by itman

mcnick 1 Posted November 4, 2020

SFC /SCANNOW is not replacing the files. It's unable to repair the files because they're missing, and ESET is saying a restore from quarantine is failing from my ESMC server.

bigdata 0 Posted November 4, 2020 (edited)

I no longer have detections with the scan (probably because they are in quarantine). See the screen (in French!). I can't restore these files.

Edited November 4, 2020 by bigdata

CDANS 0 Posted November 4, 2020

ESET SMC is showing 500 detections and no actions taken. Will these detections be removed automatically or do I need to clear them manually?

sneeker 0 Posted November 4, 2020

11 minutes ago, bigdata said: I no longer have detections with the scan (probably because they are in quarantine). See the screen (in French!). I can't restore these files.

First, see if the files are available in the system32 or syswow64 location. I have the same error, but the files are still there :-)

Best regards from Switzerland
David

JackM 1 Posted November 4, 2020

DISM /Online /Cleanup-Image /RestoreHealth

This is what fixed the corrupt files.

ihatemalware 0 Posted November 4, 2020

3 hours ago, Marcos said: Please collect logs with ESET Log Collector and upload the generated archive here. Basically whenever an operation is performed with files, the files are first quarantined (ie. a backup copy is created in encrypted form) and only then files are cleaned or deleted. The ESET Log Collector logs should shed more light.

Okay, I did that, and the file quar_info.txt indicates that the files are in quarantine in "C:\WINDOWS\system32\config\systemprofile\AppData\Local\ESET\ESET Security\Quarantine\". How do I get them back?

Administrators Marcos 5,462 Posted November 4, 2020

You should be able to restore the files unless they were detected in the c:\windows\winsxs folder where only TrustedInstaller has permissions to write.

GregA 3 Posted November 4, 2020

44 minutes ago, Marcos said: You should be able to restore the files unless they were detected in the c:\windows\winsxs folder where only TrustedInstaller has permissions to write.

That is not the case however. Try to restore this...

file://C:\windows\system32\slmgr.vbs

And get this....

Task failed: CNodcommChannel: Send request failed with 14, Command failed - Make sure that Agent runs with Administrator privileges.

Am I in the wrong forum? Should I be posting this in the Remote Management section instead, since it's multiple computers?

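Added example, not part of any post in this thread and not ESET's code: a PowerShell check that reports, per machine, whether the two slmgr.vbs copies discussed above are missing, empty (the WinSxS restore case described earlier) or present, plus their signature status and owner. It assumes Windows PowerShell 3.0 or later and, for remote machines, that PowerShell remoting is enabled; the computer names in the comment are placeholders.

```powershell
# Added example (not from the thread): inventory slmgr.vbs after the false-positive cleanup.
# Assumptions: Windows PowerShell 3.0+, run elevated; WinRM enabled for remote targets.
param(
    # Hypothetical names, e.g. -ComputerName 'PC-EXAMPLE-01','PC-EXAMPLE-02'
    [string[]]$ComputerName = @()
)

$check = {
    # System32 always exists; SysWOW64 only exists on 64-bit Windows.
    # (A 32-bit PowerShell host on 64-bit Windows would see System32 redirected.)
    $paths = @("$env:windir\System32\slmgr.vbs")
    if (Test-Path "$env:windir\SysWOW64") {
        $paths += "$env:windir\SysWOW64\slmgr.vbs"
    }

    foreach ($p in $paths) {
        $item = Get-Item -Path $p -ErrorAction SilentlyContinue
        if (-not $item) {
            # File was removed and neither Windows nor a quarantine restore put it back.
            [pscustomobject]@{ Computer = $env:COMPUTERNAME; Path = $p; State = 'Missing'
                               Length = $null; Signature = $null; Owner = $null }
            continue
        }

        # A zero-byte file is the "restored an empty VBS file" case from the thread.
        $state = if ($item.Length -eq 0) { 'Empty' } else { 'Present' }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Path      = $p
            State     = $state
            Length    = $item.Length
            # Signature status is reported as a hint about content integrity only.
            Signature = [string](Get-AuthenticodeSignature -FilePath $p).Status
            # Owner shows who controls the ACL, e.g. TrustedInstaller vs. SYSTEM.
            Owner     = (Get-Acl -Path $p).Owner
        }
    }
}

if ($ComputerName.Count -gt 0) {
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $check |
        Select-Object Computer, Path, State, Length, Signature, Owner
} else {
    & $check    # no names given: check the local machine only
}
```

Machines that report Missing or Empty are the ones where the repair commands posted in the thread (sfc /scannow, DISM /Online /Cleanup-Image /RestoreHealth) or a quarantine restore still need to be attempted.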