VBS/Virus.invadesys.(253879) - Potential False Positive?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

VBS/Virus.invadesys.(253879) - Potential False Positive?

Not applicable


Recently, on some of our clients we have been seeing the same threat / virus appear. The name is VBS/Virus.invadesys. and the ID is 253879.

Some interesting things to note...

  1. The file-name is ALWAYS a bookmark file ending in .url
  2. All of the files sound VERY generic.

Small sample of some URLs...

  • "Guide Entertainment Network.url"
  • "Monitor Tool 2008.url"
  • "IE site on Microsoft.com.url"
  • "Windows Media Showcase.url"
  • "Welcome to IE7.url"

Upon further investigation, it seems that these files come pre-packaged with IE7, as seen with one of the above URLs.

So my question is, has anyone else seen an abundance of these alerts in the recent days?


L7 Applicator

False positives for threat ID 253879 have been confirmed. Fix targeted through AV release 1076.

Hi achitwadgi,

Thanks for the information. Any idea when this update will be available for download? I just checked on the PA devices, and it is not showing yet.

Also, where did you obtain this information? I cannot find it anywhere.

Hi, current AV version available is 1075. 1076 should go out later today.

L7 Applicator


AV 1076 was just released, we are testing again with a couple of links. Will update this thread shortly.

AV 1076 is still triggering alerts on this threat id 253879 for URLs such as support.microsoft.com/kb/2123563.

This issue has been reopened with PAN threat team and is being further investigated.

A problem was discovered with the signature and this is being addressed with the combination of AV update today and the app+threat content update that is targeted for release on Tuesday Aug 13.

Thanks for the updates on this issue! Smiley Happy

I have just received a report from a customer running 1078, that he has this false positive as well. Guess we are not quit there yet.

Please ensure that in addition to the latest AV package, you are also running apps+threat version 388 or newer.

I am running Apps and Threats version 388 antivirus version 1078 and am still reviving these alerts. Interestingly the threat ID and name are not present in the threat vault.

Maybe the signature needs additional tuning. If you suspect this to be a false positive alert, can you please open a support case with the threat log screenshot & sample/url/threat pcap and 'show system info' output?

  • 11 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!