
Attempted EUMETCast system virus attack?

geojohnt@...
 

Dear All,

I run my system 24/7 and it has 'open' Broadband WiFi access all the time.
My anti-virus software stopped an attack early this morning and I was surprised to see it was to/in 'EUMETCast.'

How can/could this happen?

You will see from the attached image that the path was:

E:\MSG\Images EPS-global\AVHRR-B\2020\03\08\2020-03-08_0058_M01_38761.hpt

The Infected process:

[10768] E:\Tools\SatSignalMetopManager-B\MetopManager-B.exe

I find this rather worrying.
I don't use this computer for anything else except Windows updates, SatSignal updates and Kepler updates.

Regards,
John Tellick.

Ernst Lobsiger
 

John,

My guess is that this image accidentally contains a virus signature used by your scanner.
So this would just be a false alarm. Maybe you should not scan EUMETCast images at all.

Ernst

P.S. I'm on GNU/Linux, have no virus scanner at all and limited Windows knowledge too.

David J Taylor GM8ARV 🏴󠁧󠁢󠁳󠁣󠁴󠁿 🇪🇺
 

John,

It's as Ernst says - a random string triggering a false alarm. The .HPT files are binary, so they can contain almost any sequence, and just such a sequence has triggered the alarm.

To check, send the affected file (if you can recover it) to one or more online scanners such as:

http://virusscan.jotti.org/
http://www.virustotal.com/

You can do that with my programs too just to be sure. These sites use multiple scanners, so you may find that just one scanner out of a dozen detects something. You then decide who you believe or trust!

Cheers,
David
--
SatSignal Software - Quality software for you
Web: http://www.satsignal.eu
Email: david-taylor@...
Twitter: @gm8arv
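A worked illustration of the two points above (a binary product file can contain any byte sequence, and a hash lookup on a multi-engine scanner is the way to check a detection), as an added example that is not from the thread or from SatSignal software. The signature set, the stand-in product file and the pattern lengths are constructed for the demo; the function names are hypothetical.

```python
import hashlib
import random

# Constructed, hypothetical signature set. Patterns are kept very short so
# the chance-match effect shows on a small buffer; real engine signatures
# are longer and are usually combined with heuristics.
SIGNATURES = {
    "Example.Sig.A": bytes.fromhex("deadbeef"),
    "Example.Sig.B": bytes.fromhex("4d5a90"),  # fragment of a PE 'MZ' header
}

def scan(data: bytes, sigs=SIGNATURES):
    """Naive pattern scan: every (name, offset) where a signature occurs."""
    hits = []
    for name, sig in sigs.items():
        off = data.find(sig)
        while off != -1:
            hits.append((name, off))
            off = data.find(sig, off + 1)
    return hits

def expected_chance_hits(file_len: int, sig_len: int, n_sigs: int) -> float:
    """Expected number of accidental matches when n_sigs distinct patterns of
    sig_len bytes are searched in file_len bytes of uniformly random data:
    each of the file_len - sig_len + 1 positions matches with 256**-sig_len."""
    return n_sigs * (file_len - sig_len + 1) / 256 ** sig_len

def make_product_stand_in(n_bytes: int, seed: int = 38761) -> bytes:
    """Constructed stand-in for a binary .hpt product: pseudo-random bytes
    from a fixed seed, so the demo is repeatable offline."""
    rng = random.Random(seed)
    return rng.randbytes(n_bytes)  # Python 3.9+

def lookup_hashes(data: bytes) -> dict:
    """Hashes to paste into a multi-engine scanner's hash search, which
    answers 'has this exact file been seen' without uploading it."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

if __name__ == "__main__":
    blob = make_product_stand_in(2_000_000)
    print("hits on 2 MB of random data:", scan(blob))
    print("expected chance hits, one 3-byte pattern:",
          expected_chance_hits(len(blob), 3, 1))
    print("expected chance hits, one 16-byte pattern:",
          expected_chance_hits(len(blob), 16, 1))
    print(lookup_hashes(blob))
```

Running it shows how much the pattern length matters: a 3-byte pattern has roughly a one-in-eight chance of appearing somewhere in a 2 MB product by accident, while a 16-byte one effectively never does.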

geojohnt@...
 

Ernst,

Thanks for your helpful comments and for getting back quickly.

Regards,
John.

++++++++++++++


-----Original Message-----
From: Ernst Lobsiger via Groups.Io <ernst.lobsiger@...>
To: MSG-1 <MSG-1@groups.io>
Sent: Sun, 8 Mar 2020 11:57
Subject: Re: [MSG-1] Attempted EUMETCast system virus attack?

geojohnt@...
 

David,

Thanks for your comments and suggestion.

I've had a look in today's Metop B image folder and the specific .hpt file is missing,
but the 20-03-08 _0058_M01_38761.thumb file remains.
I've scanned that and it says it's OK.

The suspect .hpt file remains in quarantine, and to copy and/or get it out of quarantine
it appears that I have to restore it, which I'm not really happy to do.
The fact that it says "Trojan.KillMBR.G" filled me with horror.

But, having said that, EUMETCast files are presumably scanned before being sent?
And are not sent over the Internet - in our case - so that stream must be secure.

It's just the fact that WiFi and the Internet are 'connected' 24/7; I wasn't sure if that was a factor.

Ernst raised an interesting point, does EUMETCast even need to go through virus software?

If it's safe to restore the file - presumably to the Metop-B image folder - then I could 'send it off.'

Regards,
John.

+++++++++++++++++++
-----Original Message-----
From: David J Taylor via Groups.Io <david-taylor@...>
To: msg-1 <msg-1@groups.io>
Sent: Sun, 8 Mar 2020 14:27
Subject: Re: [MSG-1] Attempted EUMETCast system virus attack?
David J Taylor GM8ARV 🏴󠁧󠁢󠁳󠁣󠁴󠁿 🇪🇺
 

John,

It's safe to restore the file and send it off.

It's also safe to exclude the EUMETCast data directory tree from virus scanning, as only data files live there. It may also avoid lost data due to unnecessary CPU load etc. I would also disable Windows Search on that directory tree, and on any processed file tree, unless you specifically need Windows Search on those directories.

Cheers,
David
--
SatSignal Software - Quality software for you
Web: http://www.satsignal.eu
Email: david-taylor@...
Twitter: @gm8arv

geojohnt@...
 

David,

OK, I'll restore it and send it off.

I'll also look into EUMETCast data not being virus scanned, though I'm not aware of any lost data 'in images'. The tc-cast client does tell me that I suffer some Missed Packets before FEC, and the number of FEC Recovered Packets in no way makes up for this 'loss.'

Also SR1 Controller shows some Bad Frame Count and Bad Packet Count but images don't appear to suffer.  

>I would also disable Windows Search on that 
>directory tree, and on any processed file tree, unless you specifically need 
>Windows Search on those directories.

Er, um!
I don't think I've ever used that option since I've no idea how to.
Likewise, I wouldn't know how to disable it.

Sorry, I know this is probably basic computer know-how.

Regards,
John.

++++++++++++++++++++++++++
-----Original Message-----
From: David J Taylor via Groups.Io <david-taylor@...>
To: MSG-1 <MSG-1@groups.io>
Sent: Sun, 8 Mar 2020 19:53
Subject: Re: [MSG-1] Attempted EUMETCast system virus attack?
David J Taylor GM8ARV 🏴󠁧󠁢󠁳󠁣󠁴󠁿 🇪🇺
 

John,

Packets refer more to the reception side of TelliCast, your signal Es/No, but can also be affected by computer activity such as disk reads or writes, network I/O, momentary CPU loads, preventing the stream of packets from being received correctly. Normal network communications are via TCP, which allows confirmation of the data transfer. EUMETCast (and standard digital TV) are via UDP, which is a catch it or drop it for the data, with no retransmission in the case of error.

Much of my software will - by default - overwrite old images with new, so you may be unaware of data loss on the "output" side of TelliCast, unless you monitor the log files from TelliCast or the Manager software.

Disabling Windows Search on particular directories:

https://www.howtogeek.com/howto/windows-vista/speed-up-or-disable-windows-search-indexing-in-vista/

Cheers,
David
--
SatSignal Software - Quality software for you
Web: http://www.satsignal.eu
Email: david-taylor@...
Twitter: @gm8arv
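The UDP point above, together with the counters John quotes (Missed Packets before FEC, FEC Recovered Packets), as an added example that is not from the thread or from TelliCast. The block layout (k data packets followed by p parity packets, repairable when at most p packets of the block are lost) is an assumed generic erasure-code model; TelliCast's real parameters are not stated in the thread, and the received stream is constructed.

```python
from dataclasses import dataclass

@dataclass
class FecStats:
    missed_before_fec: int   # sequence numbers never received
    fec_recovered: int       # missed data packets repaired from parity
    lost_after_fec: int      # missed data packets in blocks beyond repair

def missing_sequences(received, first_seq, last_seq):
    """UDP delivers or drops; with no retransmission, every sequence number
    in [first_seq, last_seq] that never arrived is a missed packet."""
    seen = set(received)
    return [s for s in range(first_seq, last_seq + 1) if s not in seen]

def fec_stats(received, first_seq, last_seq, k=8, p=2):
    """Assumed block erasure code (hypothetical parameters): k data packets
    then p parity packets with consecutive sequence numbers; a block can be
    repaired only if it lost at most p packets of any kind."""
    block = k + p
    per_block = {}
    for seq in missing_sequences(received, first_seq, last_seq):
        idx, pos = divmod(seq - first_seq, block)
        per_block.setdefault(idx, []).append(pos)
    recovered = lost = 0
    for positions in per_block.values():
        data_lost = sum(1 for pos in positions if pos < k)
        if len(positions) <= p:
            recovered += data_lost
        else:
            lost += data_lost
    missed = sum(len(v) for v in per_block.values())
    return FecStats(missed, recovered, lost)

if __name__ == "__main__":
    # Constructed stream: two blocks of 10 packets, five never arrived.
    dropped = {1003, 1008, 1012, 1013, 1014}
    stream = [s for s in range(1000, 1020) if s not in dropped]
    stats = fec_stats(stream, 1000, 1019)
    print(stats)
    if stats.lost_after_fec:
        print("some products are incomplete even if the images look fine")
```

A non-zero lost_after_fec is exactly the case David describes: the next pass overwrites the incomplete image, so the loss is only visible in the TelliCast or Manager logs.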