Sun, Apr 24 2005 10:44
Trend Pattern File 2.594 may cause high CPU utilization [is your system pegging the CPU at 100%?]
Pattern File 2.594.00 may cause high CPU utilization
From the bulletin:
Why did this happen?
To protect its customers against the growing threat of the WORM_RBOT family, Trend Micro enhanced the decompression ability of its Pattern File by supporting 3 new heuristic patterns, including UltraProtect decompression, in OPR 2.594.00.
Due to an isolated anomaly in the engineering, development and pattern release process, the UltraProtect decompression may, in certain circumstances, cause some systems to experience high CPU power consumption. This can lead to system instability when this specific file type is scanned using Pattern File 2.594.00.
Hmmm... you know what I want to see though? Something that says "we've put in place 'this' to ensure that this anomaly doesn't happen again."
This was definitely a worldwide event, as I got a link on a Japanese blog, Martin Roesler posted to the Full Disclosure list, some newspapers in Japan had to resort to fax machines, and it's reported in Incidents.org.
About 3:35 PDT in my office, the receptionist buzzed me saying her machine just 'went wacko', and when I went to look at it, it was totally unresponsive. When I went to do a hard reboot and restart, it was totally grinding on 'applying computer settings'. A few minutes later another co-worker walked by the front desk to tell me that he couldn't get to the network, and that's when I knew something was up.
I think fortunately, because I have two processors, the server was still a bit responsive, as I could get to the event logs and could see no unusual activity. Knowing that the other 'change' introduced into my system is always antivirus, and knowing that about a week before the dat file update on my workstation had ground my machine to a halt, I just, for whatever reason, wondered if Trend had done something. So I got into the virus dat update log files and, sure enough, could determine that the timing of the update matched up with the 'event'.
The next step I did is something kinda weird... but it definitely came in handy. I purposely have a wireless connection that goes around my server. I set up a laptop, logged into IM and immediately looked at the folks that were online in my IM listing. Chad's online! I pinged him and asked if his server was doing anything wacko and he confirmed that he was right in the middle of attempting to get his server back into a responsive condition. Bingo. I'm not alone. Then I checked with Super G. About that time Michael C pinged me on IM to ask, and sure enough he was seeing it too. About that time Chad said that the SBS2k list was starting to report issues.
I'm relaying this story only to showcase how understanding what changes might be occurring to your system [virus updates], what community resources you have [newsgroups and listservs], and access to the Internet in case of emergencies helps.