Friday, January 8, 2010

Problem with A/V Update Today

Today at around 12:30pm PST, Fortinet pushed out an A/V signature update that caused virtually every file to be identified as infected with the js/gumblar.gen virus. This was most likely a false positive in the signature file. Fortinet made a new signature update available by 4pm PST today, which resolved the issue.

** Update from Fortinet **

A false positive was discovered in our AV Database Version 11.351 on the signature JS/Gumblar.gen.
A new version of the AV Database, version 11.352, has been released to correct this issue around 4:20 PM Pacific Time today (Friday, January 8, 2010).

10 comments:

hari said...

Yes.. You are correct. We too faced the same problem, and when the A/V signature was updated from Fortinet the problem was solved.

Thank you.

Hariharan

hariharan said...

Thank you

Anonymous said...

Thank you for the information. I saw this issue yesterday, and I was scared about that. Today my servers are working well.

For Cristhian P

John said...

What a nightmare. I figured out what was going on about the same time that the update to fix it auto-updated. BTW, has Fortinet acknowledged this mistake? The update that fixed it didn't mention anything about the gumblar thing being recategorized at all. Your blog was the only place I have found mentioning it.

jonbondwolfgang said...

FYI, if you have "auto quarantine" enabled in a protection profile, expect a lot of machines and/or my entire wireless network to be blocked until it is removed from the blocked user list. ;)

BlairN said...

I too ran into this and could not find anything at the Fortinet site about this. Thanks for the info.

Anonymous said...

thx for the Info!

Anonymous said...

Ditto here... 102 deployed devices, 1,200 users, auto-quarantine turned on, poorly worded HTML pop-up message, Friday afternoon...joy joy joy!
When I called Fortinet, the first words out of their mouths were "Fortinet Support, is this call in regards to the Gumblar False Positive?"

You all may want to go ahead and edit the HTML AV quarantine message to provide more useful information to your users, should it happen again.

Anonymous said...

Thank you for your post on this problem, I figured that was what had happened, but had no confirmation.

john said...

The update that fixed it didn't mention anything about the gumball thing being recategorized at all.