entirex as a virus haven

I apparently acquired a virus on my pc. It has loaded itself into modules like etbadm and etbnuc inside the bin folder of Entirex.

Apparently this is widely known (but not by me). Just google etbadm or etbnuc.

Now the question. So far as I know, I have never installed Entirex on this computer. I have several SAG products on the computer; Adabas, Natural, Entire Connection, and NaturalOne. Which one would have installed Entirex?

Steve, we have never heard of such an issue. Every workstation/server runs a virus scanner here.
What virus scanner are you using?

EntireX is most likely installed as part of Natural One.

Hi Rolf;

I use Avast. I have several times received a message from Avast that they blocked an attempt from a module (etbadm and etbnuc) to execute.

Although I do have NaturalOne installed, it has been months since I used it. The messages have all been in the last couple of days.

If I have read some of the posts on the web correctly, viruses can use these modules as a hiding place. This is evidenced, say the articles, by the size of the modules. etbadm, say the articles, should be 28kb; on my system it is 51kb. My etbnuc is 3.34 mb, whereas the articles say it should be 1.784kb.

I think I will simply uninstall NaturalOne for a “quick fix”, then investigate further.

steve

Hi Steve,

The size of the modules depends on the version of EntireX.

Hi Rolf;

I tracked down the license key. It is indeed part of NaturalOne (license key is in \common\conf\ Saglicensekey one82.xml). Is there anything else in the license key which would indicate to you what the size should be (or should I attach the license key itself)?

steve

Hi Steve,

You can check the file properties for the version number.

Hi Rolf;

Sorry, was out of the office most of yesterday.

I have version 8.2.2.0 of webMethods EntireX

What would be the proper sizes for etbadm and etbnuc?

steve

Hi Steve,

for version 8.2.2.0 the two modules have the sizes as shown in the attachment. Note that this is for a 32-bit installation of EntireX. Please check if you have a 32 or 64 bit installation of EntireX.

Hi Rolf;

My sizes

etbnuc 3.34 mb
etbadm 51k
etnattr 98.5 kb
etbcmd 74.5 kb

Without firing up entireX, where could I find whether I have the 32 or 64 bit installed?

Needless to say, with everything very suspect, I do not want to start entirex. Could you check my sizes against both 32 and 64 bit?

steve

Looks good, I have (64bit):

etbnuc 3,34 MB (3.511.328 bytes)
etbadm 51,0 KB (52.256 bytes)
etnattr 98,5 KB (100.896 bytes)
etbcmd 74,5 KB (76.320 bytes)

Thanks Rolf;

Looks like my modules are just as they should be.

Another Question. What might cause an attempt to run etbadm or etbnuc at startup time for my laptop? When I look at my startup list, neither NaturalOne nor EntireX is there.

steve

Steve, have a look at your services, for example

  • Software AG EntireX Broker Admin

is usually autostarted.

Hi again Rolf;

Would the CheckPoint software (from Software Technology Ltd) start EntireX? It is present in the startup list. Not sure why.

steve

Thanks Wolfgang,

See the note above to Rolf. I do not know why, but the Checkpoint Software is on the startup list, although I do not see why this would be.

steve

Hi Steve,

I don’t know what the CheckPoint software is doing. But I doubt that it starts other services.

The Software AG EntireX Broker Admin service mentioned by Wolfgang is running per default (see attachment). You should stop the service and set the Startup type to Manual or Disabled.

Hi Rolf & Wolfgang

I think Wolfgang hit on the proper reason.

Software AG EntireX Broker Admin must have autostart as its option, and probably when you install NaturalOne, part of entirex gets installed as well. I will have to see if I can get to change it since when I click on etbsrv, as you did to get the screen you posted, that screen “blinks”, but does not make itself available. I will play a bit to see if I can get to change it.
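
The checks discussed in this thread (module size and version, 32- or 64-bit without starting EntireX, and which service autostarts the modules) can be gathered in one pass. The PowerShell script below is an added example, not part of the original posts or of Software AG's tooling; the `$BinDir` path is a placeholder, and the Authenticode check goes beyond what the thread compared, since a matching size alone does not show that a file is unmodified.

```powershell
param(
    # Assumption: placeholder path; the thread does not give the install location.
    [string]$BinDir = 'C:\PATH\TO\EntireX\bin'
)
# Byte sizes quoted in the thread for EntireX 8.2.2.0, 64-bit installation.
$expected = @{ etbnuc = 3511328; etbadm = 52256; etnattr = 100896; etbcmd = 76320 }

function Get-PEMachine([string]$Path) {
    # Read the COFF Machine field from the PE header; the file is never executed.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { return 'not a PE file' }  # 'MZ' magic
        $fs.Position = 0x3C                       # e_lfanew: offset of the PE header
        $fs.Position = $br.ReadUInt32() + 4       # skip the 'PE\0\0' signature
        switch ($br.ReadUInt16()) {
            0x014C  { '32-bit (x86)' }
            0x8664  { '64-bit (x64)' }
            default { 'other' }
        }
    } finally { $fs.Dispose() }
}

# Size, version, bitness and signature state of the four modules named in the thread.
Get-ChildItem -LiteralPath $BinDir -File |
    Where-Object { $expected.ContainsKey($_.BaseName.ToLower()) } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Module      = $_.Name
            Bytes       = $_.Length
            SizeMatches = ($_.Length -eq $expected[$_.BaseName.ToLower()])  # 8.2.2.0 x64 only
            FileVersion = $_.VersionInfo.FileVersion
            Machine     = Get-PEMachine $_.FullName
            Signature   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
        }
    } | Format-Table -AutoSize

# Services whose executable lives in that folder, with their start mode.
$dir = $BinDir.ToLower()
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName.ToLower().Contains($dir) } |
    Format-List Name, DisplayName, StartMode, State, PathName

# To stop autostart as advised above (elevated prompt; take the name from the list):
# Stop-Service -Name '<ServiceName>'; Set-Service -Name '<ServiceName>' -StartupType Manual
```

`SizeMatches` is only meaningful when `FileVersion` and `Machine` correspond to the 8.2.2.0 64-bit build whose sizes were posted in the thread.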