jhboricua ExMod join:2000-06-06 Minneapolis, MN
Latest Symantec virus definition wreaks havoc in POS software
If you work at a shop that uses Micros RES 4.x for POS systems AND Symantec SAV or Endpoint Protection, Symantec has a gift for you. Micros happens to be the biggest POS software/hardware maker out there, I believe.
Their latest virus definition falsely identifies a crucial file from Micros as a virus and removes/quarantines it, causing the POS interface to either lockup or fail to load altogether.
From: ...... Sent: 2008-07-23 16:56 To: .....
Subject: Norton AntiVirus
Many of you may already be aware of the mess that is occurring with the latest Norton Antivirus definition. Norton just sent a definition update the other day that sees microsexplorer.exe as a virus and deletes it. At the very least this will not allow you to log into Micros Secure Desktop, and at the very worst it will freeze the entire POS system. Everyone using RES 4.0 and above is affected. If a customer calls about this issue, direct them to the Help Desk. They are well aware of the issue and are implementing the following workaround to set microsexplorer.exe as an exception in Norton (the painful part here is that the site needs to reboot after setting the exception).
The following solution (57244) is the workaround:
Solution Title: 3700 (Microsexplorer.exe, Norton Antivirus, NAV, Endpoint) Micros Desktop causes the SQL service to fault or PC to freeze
Problem Description: Norton Antivirus Endpoint released a virus definition on approximately 7/22/2008 that detected the file "microsexplorer.exe" as a virus. Several registry entries as well as files are quarantined because of this. This solution is a workaround for NAV quarantining this file. Sites may report the following:
- Opening Micros Desktop freezes the server or causes the SQL service to fault
- Workstations say "system closed" or "enter standalone mode?"
- PC freezes or locks up when rebooting (if Secure Desktop is set to start automatically)
The basic flow of implementing this solution is as follows:
1. Set the Micros directory as an exception in the antivirus software
2. Recover the quarantined file "microsexplorer.exe" and related processes
Resolution (1 of 1):
(PLEASE NOTE: These steps were recorded from a Burger King site using Windows XP Pro, RES 4.1 hf3, with Norton Antivirus Endpoint Version. The steps to resolve this may differ depending on which versions of software are involved!!)
1. Go to Start > Run, then type in "services.msc"
2. Find the "MICROS Secure Desktop" service, right-click and go to Properties
3. Set the "Startup Type" to "Manual"
4. Perform a proper reboot of the Micros server
5. When the PC server starts, go to Start > Programs > Norton Antivirus
6. Select the "Settings" bar, then select "Virus and Spyware Protection Options"
7. Select "Scan Exclusions", then select "New" for both boxes, "Risk Scanning" and "Auto-Protect Scanning"
8. Select the browse folder and select the path \micros\common\bin (partition location varies from site to site)
9. Press OK to get back to the original NAV screen
10. Press the "Tasks & Scan" option, under that select "Manage Quarantined Items", then "Go to Quarantine"
11. The title should be "W32.Spybot.Worm". Select the icon under the Status column for that particular quarantined item
   (NOTE: if the status shows "reboot required", it will NOT give you the option to restore the risk on the next step!!)
12. Select "Restore Risk" (this may take several minutes)
13. After this is done, the Micros desktop should open.
The following SCR is open with R & D:
SCR# 35213 (Open): RES: MicrosExplorer.exe is being detected as a virus threat as of 7/22/08
Submitter: ...........
Submit Date: 7/23/2008 8:06:12 AM
Owner: ...........
Close Date: (blank)
Document?: No
Priority: (blank)
Estimated Dev Effort: (blank)
Referenced SCR: 0
Estimated QA Effort: (blank)
Release Version: RES 4.0
Feature: Installation/Setup
RES_Module: 3700
HW Platform: (blank)
Setup Type: (blank)
Item Type: Investigation Needed
Severity: Showstopper
Module: Setup - Other
Status: Reported
Operating System: (blank)
Target Version: (blank)
Origin: Internal
Version Fixed (Old): (blank)
Original Submitter: ...............
Version Found (Old): (blank)
Build Fixed: (blank)
Clarify Change Request #: 6488145
Customer: Burger King
Historical References: (blank)
Version Fixed/Rspd: (blank)
Version Found: res 4.X
Description:
Title: RES: MicrosExplorer.exe is being detected as a virus threat as of 7/22/08
Description: As of yesterday's antivirus definitions, Symantec Endpoint is detecting MicrosExplorer.exe as a security threat, identified as the W32.Spybot.Worm virus. On further investigation, other antivirus programs such as Symantec Corp 10 and AVG Anti-Virus are also detecting this file as a security threat. Versions affected thus far:
- Version 4.0 GR CD - using AVG - source: N
- Version 4.1 hf1 - using AVG - source: Clarify case 6488145
- Version 4.1 hf2 - using SEP11 - source: H cube
- Version 4.1 hf3 - using SEP11 - source: H cube
After talking to G, he explained that the file's functionality modifies the registry (changing the shell), acts as a key logger for the EM backdoor feature, and pings the process list to see if MicrosDesk is running; one or all of these behaviors may be misrepresented as suspicious activity.
Clarification and more info. [7/23/2008 11:38:04 AM(........)]:
1) We are NOT seeing this get reported as a virus from NAV 10.1.5.5000. I tested this with a virus def of 7-24-08 and it was not reported as an issue.
2) Although I did get some indirect indication it was complaining about a file located where I had a 4.1 hf2 version of MicrosExplorer, a direct scan of that version of the file does NOT show any issues.
So, With SEP 11, it is just version 4.1 hf3.
-------------------------------------------------------
Many BK sites reporting this [7/23/2008 11:38:04 AM()]:
Burger King sites on RES 4.1 hf3 are calling the Help Desk in regards to the Micros desktop not starting, the Micros PC freezing or locking up, workstations prompting for standalone mode, as well as other NAV messages that appear on their BOPC. When remotely connected to some sites, the SQL service faults every time the Micros desktop tries to start. We have been using the following steps to correct this issue:
- Set the MICROS Secure Desktop service to Manual
- Restart the BOPC
- Navigate to NAV exclusions and set the \micros\common\bin directory as an exclusion
- Un-quarantine the W32.Spybot.Worm risk
- Set the MICROS Secure Desktop service back to Automatic again.
Symantec says the signature causes it [7/23/2008 11:38:04 AM()]:
Since the response from submitting the file is that it's a virus, that means it's not based on behavior, but rather it's in the signature.
BK using NAV 2008 [7/23/2008 11:39:39 AM(.....)]:
So now we have AVG, SEP 11 and NAV 2008 all reporting version 4.1 hf3 of MicrosExplorer.exe as a virus.
Clarify case 6488145 [7/23/2008 11:53:10 AM()]:
more cases [7/23/2008 12:03:33 PM()]:
- 6494538 BURGER KING #12142
- 6494026 BURGER KING #2413
- 6493913 BURGER KING #4497
- 6493891 BURGER KING #12983
- 6493296 BURGER KING #7924
- 6493285 BURGER KING #3059
- 6493269 BURGER KING #4247
- 6492915 BURGER KING #13010
Micros Rep Signature.
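The workaround above restores a quarantined executable and then re-enables the service that launches it. The check a defender would want before taking that last step is that the restored binary is really the vendor's file and not something else the AV happened to be right about. The following PowerShell is an added example written for this thread; it is not code from Micros, Symantec or any poster. It assumes the service display name "MICROS Secure Desktop" and the path \micros\common\bin\microsexplorer.exe given above (the drive letter varies per site), and it uses a placeholder for the SHA-256 of a clean microsexplorer.exe that you would record yourself from install media. The antivirus exclusion and the quarantine restore remain product UI steps; the script only handles the service startup type and the integrity check.

```powershell
# Added example (not from the thread, Micros or Symantec). Verifies a restored
# microsexplorer.exe against a known-good hash before the Secure Desktop
# service is returned to Automatic.

# ASSUMPTION: SHA-256 of a known-good microsexplorer.exe taken from clean RES
# install media for the hotfix level in use. Placeholder; replace with your own.
$KnownGoodSha256 = 'REPLACE_WITH_SHA256_FROM_CLEAN_INSTALL_MEDIA'

# Path from the workaround; the partition/drive letter varies from site to site.
$MicrosBin  = 'C:\micros\common\bin'
$TargetFile = Join-Path $MicrosBin 'microsexplorer.exe'

# Service display name as it appears in services.msc per the workaround.
$ServiceDisplayName = 'MICROS Secure Desktop'

function Get-FileSha256 {
    param([Parameter(Mandatory = $true)][string]$Path)
    # .NET SHA256 instead of Get-FileHash so this also runs on PowerShell 2.0
    # (the XP-era hosts described in the thread).
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
        $sha.Clear()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLowerInvariant()
}

function Test-RestoredFile {
    param([string]$Path, [string]$ExpectedSha256)
    if (-not (Test-Path $Path)) {
        Write-Warning "$Path is missing: the quarantined item has not been restored yet."
        return $false
    }
    $actual = Get-FileSha256 -Path $Path
    if ($actual -ne $ExpectedSha256.ToLowerInvariant()) {
        Write-Warning "Hash mismatch for $Path (got $actual). Leave the service on Manual until this is explained."
        return $false
    }
    Write-Host "OK: $Path matches the known-good hash."
    return $true
}

function Set-MicrosDesktopStartup {
    param([ValidateSet('Manual', 'Automatic')][string]$StartupType)
    $svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop
    Set-Service -Name $svc.Name -StartupType $StartupType
    Write-Host "$ServiceDisplayName startup type set to $StartupType."
}

# Step 3 of the workaround: park the service so the server reboots cleanly.
# Set-MicrosDesktopStartup -StartupType 'Manual'

# After the exclusion is in place and the quarantined item has been restored
# through the AV console, return the service to Automatic only if the restored
# binary is the one you expect.
if (Test-RestoredFile -Path $TargetFile -ExpectedSha256 $KnownGoodSha256) {
    Set-MicrosDesktopStartup -StartupType 'Automatic'
}
```

A mismatch is not automatically an infection: the thread shows several hotfix levels (4.1 hf1, hf2, hf3) shipping different builds of the file, so record one hash per hotfix level you deploy. The point is that the decision to trust a file the AV quarantined is made against evidence you control, rather than by restoring whatever is in the quarantine folder.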
amysheehan Premium,VIP,MVM join:1999-12-21 Huntington Beach, CA
edit: July 23rd, @07:58PM
I've forwarded your issue and a link to this topic to Symantec - expect input from them in this topic.
NOTE: You should also contact the other vendors you posted that are reporting this issue.
So now we have AVG, SEP 11 and NAV 2008 all reporting version 4.1 hf3 of MicrosExplorer.exe as a virus.
-amy-
jhboricua ExMod join:2000-06-06 Minneapolis, MN
edit: July 23rd, @08:46PM
That is correct, from the email we got from Micros.
In the meantime, I've disabled definitions update on our environment for the branch locations I administer. Lucky for me I had all the branch computers grouped together on the SAV management console and they only check and update definitions from Thursday to Saturday, so none of our deployed Micros servers had received the updated definition that causes this issue, only the ones we had in our test environment.
The problem I'm facing is not being able to put a global exception on the SAV Server Management Console for that particular 'W32.Spybot.Worm' definition, because it is not even showing on the 'risk' list. I was hoping to make the exception this way; if we have to follow the 'fix' suggested by Symantec/Micros, we'll have to remote to every branch location and implement it locally on the machine. Major PITA.
ranschultz Premium join:2004-05-28 Canyon Country, CA
reply to jhboricua
These false positives should be resolved. Please download the latest definitions and try again.
jhboricua ExMod join:2000-06-06 Minneapolis, MN
said by ranschultz: These false positives should be resolved. Please download the latest definitions and try again.
I'll take some time tomorrow to test this and report back here. Thanks.
-- "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." - Albert Einstein
Jose A. Hernandez * System Admin * MPLS, Minnesota, USA *
jhboricua ExMod join:2000-06-06 Minneapolis, MN
reply to ranschultz
Definition files 7/24/2008 rev. 28 still flagged the file as a virus last night.
This morning we tried another definition update and received definition 7/25/2008 rev.3
This new revision does not flag the file as a virus.
-- "Two things are infinite: the universe and human stupidity; and I'm not sure about the universe." - Albert Einstein
Jose A. Hernandez * System Admin * MPLS, Minnesota, USA *