SteveRoadWarrior
New Contributor III

False Positive for TCPIP.sys

We're seeing a potential false positive on tcpip.sys (Win7 SP1 64-bit) on several machines. Submitted to VirusTotal, it comes back clean. However, FC comes back with:

W32/Diple.ETTO!tr
W32/Jorik_Vobfus.ALGB!tr
W32/VB.BTAZ!tr
W32/Phires.VH!tr

<other scans clean, we are not infected>
24 REPLIES
sharmathan
New Contributor

I just posted a topic regarding this as well. I'm having the exact same issue since this morning on 3 of my Windows 7 PCs. This killed network access and I'm unable to uninstall FortiClient from these PCs. Have you tried to uninstall the FortiClient?
SteveRoadWarrior

Three machines here as well (that I know of). Same fallout, blown up network access. We are using imaging technology and are restoring images, but the issue will come right back if we re-enable AV. My biggest problem is that none of the machines will "restore" the file. It goes through the motions, even offers to exclude from scans. But it still sits in quarantine and I can't put the file back where it goes. I can deal with a false positive as long as the AV client will give me my file back.
Phoenixsecure
New Contributor

All my machines with Windows 7 are flagging tcpip.sys as a virus; result: no internet access. This started this morning. NEED FIX ASAP!!! Since we don't have access to the internet, please don't send a fix asking to go get a file on the internet or reload the virus database.
SteveRoadWarrior

Some things which didn't work for us, but may work for you:
- Microsoft say to run this from an elevated command prompt: netsh int ip reset resetlog.txt
- running system file checker (SFC) didn't seem to help either
- system restore point restore bailed on us with a catastrophic error (their term, not mine) on two machines

We're reverting to images on the machines where users clicked "delete".

In some cases, the 'virus' was detected in the winsxs directories and not the actual tcpip.sys, which is in c:\windows\system32\drivers\tcpip.sys

We've disabled Forticlient completely but have not uninstalled (had to un-register from the FG to shut down the client).

Still, not a pretty scene... all your network are belong to us.
BigRock
New Contributor

Experiencing the same issue on my home system: Win7 SP1 32, Forticlient 5.04. My recollection of the quarantine log is that tcpip.sys was flagged at approx 1600h Mountain Time on July 20, so I assume that the false positive came through the Forticlient A/V definition update sometime during that day.

I did succeed in installing a system restore point the first time around. Uninstalled and then reinstalled Forticlient 5.04, at which point the TCPIP.sys false positive reappeared. After that, was no longer able to uninstall 5.04, and all subsequent system restore attempts failed. Performing SFC and the 'netsh int ip reset' also proved fruitless.

Q: Is this problem being witnessed only on 5.04, or are the other versions experiencing this too?
Phoenixsecure
New Contributor

I have opened a ticket and they were already aware of the problem. Seems to be a fuck up in the virus database, hope they can fix it soon. Only problem is, since the computers do not have internet access, we will probably have to install the database manually. This is a major mess.
PDG
New Contributor

I had the same yesterday with ~50 Win7 32-bit machines. It took us almost 16 hours to get all the workstations online again.
yonigrin
New Contributor

Hello everybody. We started encountering the same issue since the 21/7/13. Nothing Microsoft offers helps - don't even bother. When I look at the logs I see a restore point just before the problem started with the description "windows module installer" - don't know if that's related. It's interesting, the exact problem happened a while ago with AVAST! antivirus. Anyway, this is how I restored my network connectivity without format\image restore:

1. Open FC, check quarantined files. Restore tcpip.sys and add to exclusions.
2. Uninstall FC (disabling the AV didn't help)
3. Restart Windows + F8
4. Repair my system
5. System Restore.
6. Reboot.
Denis_Nienstedt
New Contributor

There is a longer way but it works without restore. Disable FC!!!

1. Restart the PC
2. When the BIOS information appears, press F8.
3. Select Safe Mode, and then press ENTER.
4. Use the Administrator password to log on.
5. Click Start, and then click Run.
6. In the Open box, type regedit, and then click OK.
7. Locate the following registry subkeys:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Winsock2
8. Right-click each key, and then click Delete.
9. Click Yes to confirm the deletion of each key.
10. Close Regedit.
11. Locate the Nettcpip.inf file in %winroot%\inf, and then open the file in Notepad.
12. Locate the [MS-TCPIP.PrimaryInstall] section.
13. Edit the Characteristics = 0xa0 entry and replace 0xa0 with 0x80.
14. Save the file, and then exit Notepad.
15. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
16. On the General tab, click Install, select Protocol, and then click Add.
17. In the Select Network Protocols window, click Have Disk.
18. In the Copy manufacturer's files from: text box, type c:\windows\inf, and then click OK.
19. Select Internet Protocol (TCP/IP), and then click OK. Note: This step will return you to the Local Area Connection Properties screen, but now the Uninstall button is available.
20. Select Internet Protocol (TCP/IP), click Uninstall, and then click Yes.
21. Restart your computer, and then select Directory Services Restore Mode as mentioned in steps 2 - 4.
22. In Control Panel, double-click Network Connections, right-click Local Area Connection, and then select Properties.
23. On the General tab, click Install, select Protocol, and then click Add.
24. In the Select Network Protocols window, click Have Disk.
25. In the Copy Manufacturer's files from text box, type c:\windows\inf, and then click OK.
26. Select Internet Protocol (TCP/IP), and then click OK.
27. Restart your computer.

Then the TCP Stack works again. Good Luck!
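
Steps 7-9 and 11-14 of the procedure above delete registry keys and edit a system INF file, so taking a backup first keeps the change reversible. The following is an added example, not part of the original post: a PowerShell sketch that exports both Winsock keys, copies the INF file, and reports the current Characteristics value in the section named in step 12. The backup folder name and the use of $env:windir\inf as the INF location are assumptions.

```powershell
# Added example: back up what steps 7-14 modify before changing anything.
# Run from an elevated PowerShell prompt.
$BackupDir = Join-Path $env:SystemDrive 'tcpip-repair-backup'  # hypothetical folder name
$InfPath   = Join-Path $env:windir 'inf\nettcpip.inf'          # assumed INF location
$Keys = @(
    'HKLM\System\CurrentControlSet\Services\Winsock',
    'HKLM\System\CurrentControlSet\Services\Winsock2'
)

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

# 1. Export each key to a .reg file; stop if an export fails so that
#    nothing is deleted without a restorable copy.
foreach ($key in $Keys) {
    $out = Join-Path $BackupDir ((($key -split '\\')[-1]) + '.reg')
    & reg.exe export $key $out /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Export failed for $key; do not delete it." }
    Write-Output "Exported $key -> $out"
}

# 2. Keep an untouched copy of the INF file.
if (-not (Test-Path $InfPath)) { throw "$InfPath not found." }
Copy-Item -Path $InfPath -Destination (Join-Path $BackupDir 'nettcpip.inf.orig') -Force

# 3. Report the Characteristics value inside [MS-TCPIP.PrimaryInstall] only,
#    so the edit in step 13 is made in the right section.
$inSection = $false
$found = $false
foreach ($line in Get-Content $InfPath) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') {
        $inSection = ($Matches[1] -ieq 'MS-TCPIP.PrimaryInstall')
    } elseif ($inSection -and $t -match '^Characteristics\s*=\s*(\S+)') {
        Write-Output "Current Characteristics value: $($Matches[1])"
        $found = $true
    }
}
if (-not $found) {
    Write-Warning 'Characteristics entry not found in [MS-TCPIP.PrimaryInstall].'
}
```

The exported .reg files can be restored with reg import, and the saved INF copy can be copied back over the edited file once the TCP/IP reinstall is done.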