4 Replies Latest reply on Jun 14, 2012 1:38 PM by SolarWinds Community Team

    wuaprovider + trojan

    SolarWinds Community Team

      Hi all,

      My antivirus says this about wuaprovider.exe:


      30  2010-08-30  09:37:28+02:00  adm SYSTEM  F-Secure Anti-Virus  Malicious code found in file C:\Program Files\EminentWare\WMI Providers\WUAProvider.exe.

      Infection: Gen:Trojan.Heur.@t1@k7BZ2jii

      Action: none.


      Shit, what is this?

      Please help out.

        • Re: wuaprovider + trojan
          SolarWinds Community Team

          Hi,

          Our software components are scanned by multiple antivirus scanners before being packaged.

          The WMI providers MSI is then digitally signed, as are all DLLs and EXEs.

          Does the WMI providers MSI show a valid digital signature?

          Does the WUAProvider.exe show a valid digital signature?

          It may be a false positive.

          We will re-scan the packages and content to ensure there are no issues.
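          The signature check suggested above, as an added example for readers (not code from this thread or from SolarWinds): it reports the Authenticode status, signer and SHA-256 of each file so the result can be recorded or sent to the AV vendor. The EXE path is the one from the post; the MSI path is a placeholder, since the thread does not give it.

```powershell
# Added example, not part of the original thread or the vendor's tooling.
# Triage a file flagged by AV: check its Authenticode signature and record
# its SHA-256 so the sample can be identified when submitted to the vendor.
function Get-FileTriage {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Not found: $file"
            continue
        }

        # Status values: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
        # Valid        -> file is unchanged since the publisher signed it (supports false positive)
        # HashMismatch -> file was modified after signing; treat as tampered until proven otherwise
        # NotSigned    -> cannot be the vendor's release binary if the vendor signs everything
        $sig = Get-AuthenticodeSignature -FilePath $file

        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $stream = [System.IO.File]::OpenRead($file)
        try {
            $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally {
            $stream.Dispose()
        }

        [pscustomobject]@{
            File       = $file
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            SHA256     = $hash
        }
    }
}

# The EXE path is the one reported by F-Secure in the thread.
# The MSI path is a placeholder; the thread does not name it.
$targets = @(
    'C:\Program Files\EminentWare\WMI Providers\WUAProvider.exe',
    'C:\PLACEHOLDER\WMIProviders.msi'
)
Get-FileTriage -Path $targets | Format-List
```

          Get-AuthenticodeSignature checks both EXE and MSI files, so the same call answers both questions in the reply above.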

            • Re: wuaprovider + trojan
              SolarWinds Community Team

              Hi,

              Thank you for submitting the file to F-Secure for analysis.

              Please let us know if a newer AV DB corrects the issue.


              We use 3 AV scanners:

              Trend Micro

              Symantec

              Microsoft


              None of these AV scanners detect any viruses.

                • Re: wuaprovider + trojan
                  SolarWinds Community Team

                  David,

                  We began seeing this false positive after Symantec released their latest definitions on January 5th. Have you done a scan recently? We submitted the file to Symantec and they confirmed that it was not a virus of course.

                  Before we knew Symantec was causing an issue, we attempted to connect to some computers via EminentWare using the computer explorer tool to look at the Windows Update History. As a result the computers became corrupted, forcing us to do a system restore to bring them back to a working state. We confirmed that the EminentWare providers caused an issue by looking at the system logs on the affected computers. Not all computers were corrupted when connected to, though, and we are unclear if Symantec is playing a role. We have so far been unable to replicate this issue in our lab; however, we do know that the process of provisioning the WMI providers on those machines was a problem. Any ideas or thoughts on how or why this could happen? At this point we have stopped using the EminentWare computer explorer tools until we can figure out for sure what's happening.

                  We're continuing to research the issue in an attempt to gain further insight.

                  Patrick