massive mail alerts : dnsapi.dll

Hello,

Since this morning we have had a lot of alerts on PCs:

File "C:\Windows\winsxs\Temp\PendingRenames\75f17bdfbd1dd401621600005c0e040d.x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.24168_none_e4412749f9de6871_dnsapi.dll_c81f5791" belongs to virus/spyware 'Mal/Generic-S'.


If we open the status of a PC in the console we have these entries (the Sub-type and Reference columns are empty):

  Date/time:     17/07/2018 09:18:02
  Type:          Virus/spyware
  Name:          Mal/Generic-S
  Details:       C:\Windows\winsxs\Temp\PendingRenames\da32d2489e1dd40162160000a001140c.x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.24168_none_e4412749f9de6871_dnsapi.dll_c81f5791
  Action taken:  Removed from quarantine list
  Username:      NT AUTHORITY\SYSTEM

  Date/time:     17/07/2018 09:17:57
  Type:          Virus/spyware
  Name:          Mal/Generic-S
  Details:       C:\Windows\winsxs\Temp\PendingRenames\da32d2489e1dd40162160000a001140c.x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.24168_none_e4412749f9de6871_dnsapi.dll_c81f5791
  Action taken:  Blocked
  Username:      NT AUTHORITY\SYSTEM

If I do a manual scan, nothing is detected. Is there a chance this is a false positive?

All the best.

  • We are investigating this at the moment. Can you tell me if you are still getting new alerts now?

  • We are getting the same alert from Sophos here. It seems like a false positive on that DLL, which looks like it is being updated as part of a Windows Update.

  • In reply to BPAC_NM:

    Can you tell me which Windows Updates were pushed out today?


    Also, other than the detection, is there any impact caused by this? Does the Windows Update break, for example?

  • In reply to PeterM:

    No more alerts for the past hour ;-) Maybe a new signature.

  • Same thing here with my Windows Update test machines. Is Sophos looking into this?

  • In reply to PeterM:

    We pushed out this month's batch of Windows Updates, and we only saw it on our Windows 7 installs (all x64).

    Doesn't appear to be affecting the computers as far as I can tell, plus we haven't had any more alerts since the initial batch, all between 12:04pm and 12:08pm. Enterprise Console isn't listing any computers with alerts, so maybe it was just a temporary moment of confusion.

  • In reply to BPAC_NM:

    The following KBA has been published to track updates: https://community.sophos.com/kb/en-us/132417

    The issue is believed to be resolved. Other than alerts being reported, there was no known impact caused by this issue.
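The two questions raised in the thread, whether the staged dnsapi.dll is a false positive and which updates were pushed that day, can be checked locally before waiting on the vendor. The following PowerShell is an added example for this thread, not code from Sophos or from any poster. It takes only the detected path from the alert; the assumed layout of a WinSxS staged component name, the choice of fallback locations (System32 and SysWOW64, since an x86 component on an x64 host lands in SysWOW64) and the signer check are assumptions. Run it elevated on one of the affected machines.

```powershell
# Added example (not from the thread). Triage a detection on a file staged under
# C:\Windows\winsxs\Temp\PendingRenames:
#   1. parse the expected version and real file name out of the component name,
#   2. check signature and FileVersion of the staged file (if it still exists)
#      and of the installed copies, and hash them for a vendor FP submission,
#   3. list the hotfixes installed today to tie the alert burst to a patch batch.
# Only the default path comes from the alert; everything else is assumed.
param(
    [string]$DetectedPath = 'C:\Windows\winsxs\Temp\PendingRenames\75f17bdfbd1dd401621600005c0e040d.x86_microsoft-windows-dns-client_31bf3856ad364e35_6.1.7601.24168_none_e4412749f9de6871_dnsapi.dll_c81f5791'
)

# Assumed shape of a staged component name, derived from the path in the alert:
#   <tmp>.<arch>_<component>_<publicKeyToken>_<version>_<language>_<hash>_<filename>_<suffix>
$leaf = Split-Path -Path $DetectedPath -Leaf
if ($leaf -notmatch '_(?<ver>\d+\.\d+\.\d+\.\d+)_(?<lang>[^_]+)_(?<hash>[0-9a-f]{16})_(?<file>[^_]+)_') {
    throw "Does not look like a staged WinSxS component: $leaf"
}
$expectedVersion = $Matches['ver']
$fileName        = $Matches['file']
$arch = if ($leaf -match '\.(?<arch>x86|amd64|wow64|msil)_') { $Matches['arch'] } else { 'unknown' }
Write-Host "Component: arch=$arch  expected version=$expectedVersion  file=$fileName"

function Test-StagedFile {
    param([string]$Path, [string]$ExpectedVersion)
    if (-not (Test-Path -LiteralPath $Path)) {
        # PendingRenames is transient: the file is moved into place when the
        # update finishes, so the alerted path is often already gone.
        return [pscustomobject]@{ Path = $Path; Present = $false }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $info   = (Get-Item -LiteralPath $Path).VersionInfo
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    # Caveat: Windows OS binaries are normally catalog-signed, not embedded-signed.
    # Windows 7 / older PowerShell reports them as NotSigned, so NotSigned alone is
    # not evidence of tampering; IsOSBinary (newer PowerShell) is more reliable.
    $isOs = if ($sig.PSObject.Properties['IsOSBinary']) { [bool]$sig.IsOSBinary } else { $null }
    $sha256 = if (Get-Command Get-FileHash -ErrorAction SilentlyContinue) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    } else { '<Get-FileHash unavailable>' }
    [pscustomobject]@{
        Path             = $Path
        Present          = $true
        SignatureStatus  = $sig.Status.ToString()
        Signer           = $signer
        IsOSBinary       = $isOs
        FileVersion      = $info.FileVersion
        VersionMatches   = ($info.FileVersion -like "$ExpectedVersion*")
        MicrosoftSigned  = (($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') -or ($isOs -eq $true))
        Sha256           = $sha256
    }
}

$candidates = @(
    $DetectedPath,
    (Join-Path $env:SystemRoot "System32\$fileName"),
    (Join-Path $env:SystemRoot "SysWOW64\$fileName")
)
$results = foreach ($p in $candidates) { Test-StagedFile -Path $p -ExpectedVersion $expectedVersion }
$results | Format-List

# Updates installed today, to correlate with the time window of the alerts.
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -eq (Get-Date).Date } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize
```

A file that is Microsoft-signed (or reported as an OS binary), whose FileVersion matches the version embedded in the component name, and whose installation coincides with a hotfix installed in the same window is consistent with a false positive on a legitimately updated DLL; the SHA256 is what to send with the sample when reporting it to the vendor. A version mismatch, an unexpected signer, or no matching hotfix is the case that deserves a closer look rather than a quick "false positive" verdict.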