Posted

"A threat (MSIL / Injector.VGR) was found in a file that the SQL Server Windows NT - 64 Bit application tried to access. The file was deleted".
I get this alert every time. I scanned the system but could not find any virus. What should I do?

Posted
1 hour ago, Marcos said:

Please provide logs collected with ESET Log Collector for a start.

Ok.
efsw_logs.zip:
 

Snipped: URL with logs removed.

Posted

 


I updated the SQL to version CU 17 and changed the SA password, but the warnings still persist. For the warning to appear, I just restart the service.

  • 4 weeks later...
Posted (edited)

Refer to this forum thread: https://forum.eset.com/topic/28522-dotnet-msil-injectorvgr/ . Looks like you have already reviewed it. As I posted there, note the following:

Quote

However, I would check the below locations for presence of the files listed;

%SystemDrive%\USERS\xxxxx\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\MICROSOFT NET_FRAMEWORK.BAT
%SystemDrive%\USERS\xxxxx\APPDATA\ROAMING\MICROSOFT\GOOGLE\CHROMEEXTENSIONS\ADS\HONEYADS\EXUPD.EXE

First, make sure that LiveGrid protection is enabled. If this is the same malware, Eset should be able to detect and remove it.

It is possible this is a new variant and Eset's existing sig. is not detecting it. Also, the other instance of this was not specifically related to SQL Server Win NT.

Edited by itman
  • Administrators
Posted

Since the threat was created by sqlservr.exe, it's likely that there's a malicious procedure stored in a database. I'd recommend dumping stored procedures and checking if there is a suspicious one.
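
One way to carry out the check suggested above, as an added example that is not part of the original thread: T-SQL that lists the database-resident code sqlservr.exe could be executing (CLR assemblies, startup procedures, module definitions). The keyword patterns in the last query are heuristics chosen for this example, not ESET or Microsoft guidance.

```sql
-- Added triage example (not from the thread). Run as sysadmin in master,
-- msdb and every user database; catalog views are per-database.

-- 1. Instance features that let database code run or drop files on disk.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'clr enabled', N'xp_cmdshell', N'Ole Automation Procedures');

-- 2. User-created CLR assemblies: .NET (MSIL) code stored inside the database.
SELECT a.name, a.permission_set_desc, a.create_date, a.modify_date,
       USER_NAME(a.principal_id) AS owner_name
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1
ORDER BY a.create_date DESC;

-- 3. Procedures, functions and triggers bound to those assemblies.
SELECT SCHEMA_NAME(o.schema_id) AS schema_name, o.name AS object_name,
       o.type_desc, a.name AS assembly_name,
       am.assembly_class, am.assembly_method
FROM sys.assembly_modules AS am
JOIN sys.assemblies AS a ON a.assembly_id = am.assembly_id
JOIN sys.objects AS o ON o.object_id = am.object_id;

-- 4. Procedures flagged to run automatically at service start (master only).
SELECT name, create_date, modify_date
FROM sys.procedures
WHERE OBJECTPROPERTY(object_id, 'ExecIsStartup') = 1;

-- 5. Dump T-SQL module text, newest first. The LIKE patterns are
--    assumptions: OS/file-system features and an embedded PE header in hex.
SELECT SCHEMA_NAME(o.schema_id) AS schema_name, o.name, o.type_desc,
       o.create_date, o.modify_date,
       CASE WHEN m.definition IS NULL THEN 'encrypted: text not readable'
            WHEN m.definition LIKE N'%xp_cmdshell%'
              OR m.definition LIKE N'%sp_OACreate%'
              OR m.definition LIKE N'%OPENROWSET%'
              OR m.definition LIKE N'%0x4D5A%' THEN 'review first'
            ELSE '' END AS note,
       m.definition
FROM sys.objects AS o
JOIN sys.sql_modules AS m ON m.object_id = o.object_id
WHERE o.is_ms_shipped = 0
ORDER BY o.modify_date DESC;
```

Objects whose create or modify dates fall near the first alert, and any assembly with an UNSAFE or EXTERNAL_ACCESS permission set that the application owner cannot account for, are the ones to examine first.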

  • 2 weeks later...
This topic is now closed to further replies.