vbcrayon - Posted August 27, 2022
"A threat (MSIL / Injector.VGR) was found in a file that the SQL Server Windows NT - 64 Bit application tried to access. The file was deleted". I get this alert every time. I scanned the system but could not find any virus. What should I do?
Marcos (Administrators) - Posted August 27, 2022
Please provide logs collected with ESET Log Collector for a start.
vbcrayon (Author) - Posted August 27, 2022
1 hour ago, Marcos said:
    Please provide logs collected with ESET Log Collector for a start.
Ok. efsw_logs.zip: Snipped: URL with logs removed.
vbcrayon (Author) - Posted August 27, 2022
My problem looks a bit like this one: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/
vbcrayon (Author) - Posted August 29, 2022
I updated the SQL to version CU 17 and changed the SA password, but the warnings still persist. For the warning to appear, I just restart the service.
itman - Posted September 25, 2022 (edited September 25, 2022 by itman)
Refer to this forum thread: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/ . Looks like you have already reviewed it. As I posted there, note the following:
Quote:
    However, I would check the below locations for presence of the files listed;
    %SystemDrive% \ USERS \ xxxxx \ APPDATA \ ROAMING \ MICROSOFT \ WINDOWS \ START MENU \ PROGRAMS \ STARTUP \ MICROSOFT NET_FRAMEWORK.BAT
    %SystemDrive% \ USERS \ xxxxx \ APPDATA \ ROAMING \ MICROSOFT \ GOOGLE \ CHROMEEXTENSIONS \ ADS \ HONEYADS \ EXUPD.EXE
First, make sure that LiveGrid protection is enabled. If this is the same malware, Eset should be able to detect and remove it. It is possible this is a new variant and Eset's existing sig. is not detecting it. Also, the other instance of this was not specifically related to SQL Server Win NT.
Marcos (Administrators) - Posted September 26, 2022
Since the threat was created by sqlservr.exe, it's likely that there's a malicious procedure stored in a database. I'd recommend dumping stored procedures and checking if there is a suspicious one.
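Added example, not part of any post in this thread and not ESET's own tooling: T-SQL triage queries for the check suggested above, widened from stored procedures to startup procedures and CLR assemblies because the detection name is MSIL and the alert reappears on service restart. The keyword list in query 4 is an assumption chosen for illustration, not a signature for this detection.

```sql
-- Added example. Run query 1 and 5 once per instance; run 2-4 in master and in every user database.

-- 1. Procedures flagged to run automatically when the SQL Server service starts.
SELECT name, create_date, modify_date
FROM master.sys.procedures
WHERE is_auto_executed = 1;

-- 2. User-defined CLR assemblies (.NET/MSIL code loaded inside sqlservr.exe).
SELECT name, permission_set_desc, clr_name, create_date, modify_date
FROM sys.assemblies
WHERE is_user_defined = 1
ORDER BY modify_date DESC;

-- 3. Procedures, functions and triggers implemented by those assemblies.
SELECT OBJECT_SCHEMA_NAME(am.object_id) AS schema_name,
       OBJECT_NAME(am.object_id)        AS object_name,
       a.name                           AS assembly_name,
       am.assembly_class, am.assembly_method
FROM sys.assembly_modules AS am
JOIN sys.assemblies AS a ON a.assembly_id = am.assembly_id
WHERE a.is_user_defined = 1;

-- 4. T-SQL modules that reference features able to write or launch files,
--    plus encrypted modules (definition is NULL, so they cannot be text-searched).
SELECT OBJECT_SCHEMA_NAME(o.object_id) AS schema_name,
       o.name, o.type_desc, o.create_date, o.modify_date,
       CASE WHEN m.definition IS NULL THEN 'encrypted' ELSE 'keyword match' END AS reason
FROM sys.sql_modules AS m
JOIN sys.objects AS o ON o.object_id = m.object_id
WHERE o.is_ms_shipped = 0
  AND (m.definition IS NULL
       OR m.definition LIKE '%xp_cmdshell%'        -- assumed keyword list
       OR m.definition LIKE '%sp_OACreate%'
       OR m.definition LIKE '%sp_OAMethod%'
       OR m.definition LIKE '%CREATE ASSEMBLY%'
       OR m.definition LIKE '%OPENROWSET%')
ORDER BY o.modify_date DESC;

-- 5. Instance options that make the above usable; note any that are enabled unexpectedly.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('clr enabled', 'xp_cmdshell', 'Ole Automation Procedures',
               'scan for startup procs');
```

Rows from queries 1 to 3 with a create_date or modify_date that nobody on the team can account for are the first things to dump and review.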
vbcrayon (Author) - Posted October 10, 2022
Hi. My dump stored procedures script.txt