Issue:

The file 'tmp.edb' and other '.edb' files generate an unexpected detection.

Example:

File "C:\Windows\security\database\tmp.edb" belongs to virus/spyware 'Mal/ZboCheMan-A'.

When the location is investigated, the file often no longer exists.

Locations reported:

%windir%\Security\Database
%windir%\SoftwareDistribution\Datastore\Logs

Cause:

The .EDB file extension identifies an Exchange Information Store Database file which belongs to the Microsoft Exchange mail server product. This file type stores information relating to the e-mail databases created by Microsoft Exchange.

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb is a system file and can be excluded from scans.

Windows security database files ('.edb') may be scanned as part of behavior monitoring, i.e. Realtime Scanning.

These files can contain a structure that the Realtime scanner may interpret as malicious while the file is in a transitional state.
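The following triage helper is an added example and is not part of the original article or the vendor's product. It checks whether a reported '.edb' path still exists (the article notes it often no longer does) and, if it does, whether the file carries the 0x89ABCDEF signature found at offset 4 of an ESE (Extensible Storage Engine) database header, which is the format used by the Windows security and update datastores. The directory list, function names and the constructed sample headers are assumptions made for this example.

```python
"""Triage helper for an unexpected '.edb' detection (added example, not from the article)."""
import os
import struct
import tempfile

# ESE database header: a 4-byte checksum followed by the 4-byte magic
# 0x89ABCDEF, stored little-endian at offset 4.
ESE_MAGIC = 0x89ABCDEF
ESE_MAGIC_OFFSET = 4

# Directories named in the detection reports (assumed list; expanded at runtime).
REPORTED_DIRS = [
    r"%windir%\Security\Database",
    r"%windir%\SoftwareDistribution\Datastore\Logs",
]


def classify_edb(path):
    """Return 'missing', 'too-short', 'ese-database' or 'not-ese' for one path."""
    if not os.path.isfile(path):
        return "missing"  # transient file already gone, as the article describes
    with open(path, "rb") as fh:
        header = fh.read(ESE_MAGIC_OFFSET + 4)
    if len(header) < ESE_MAGIC_OFFSET + 4:
        return "too-short"  # still being written, or not a database at all
    (magic,) = struct.unpack_from("<I", header, ESE_MAGIC_OFFSET)
    return "ese-database" if magic == ESE_MAGIC else "not-ese"


def triage_reported_dirs(dirs=REPORTED_DIRS):
    """Classify every .edb file currently present in the given directories."""
    results = {}
    for raw in dirs:
        directory = os.path.expandvars(raw)
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            if name.lower().endswith(".edb"):
                full = os.path.join(directory, name)
                results[full] = classify_edb(full)
    return results


def make_sample_edb(directory, name, ese=True):
    """Write a constructed header for demonstration only (not a real database)."""
    path = os.path.join(directory, name)
    magic = ESE_MAGIC if ese else 0x00000000
    with open(path, "wb") as fh:
        fh.write(b"\x00\x00\x00\x00")        # placeholder checksum
        fh.write(struct.pack("<I", magic))   # magic at offset 4
        fh.write(b"\x00" * 24)               # remainder of a truncated header
    return path


def demo():
    """Run the classifier over constructed sample files; returns name -> verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        good = make_sample_edb(tmp, "tmp.edb", ese=True)
        bad = make_sample_edb(tmp, "odd.edb", ese=False)
        missing = os.path.join(tmp, "gone.edb")
        scan = {os.path.basename(p): v for p, v in triage_reported_dirs([tmp]).items()}
        return {
            "tmp.edb": classify_edb(good),
            "odd.edb": classify_edb(bad),
            "gone.edb": classify_edb(missing),
            "scan": scan,
        }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
    # On a Windows host this also reports the real directories from the article.
    for path, verdict in triage_reported_dirs().items():
        print(path, verdict)
```

A file reported as 'missing' is consistent with the transitional-state explanation above; a present file whose header carries the ESE magic is the system database the article describes rather than foreign content, and anything else warrants a closer look before an exclusion is added.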

Solution:

It is recommended to list these files in Exclusions.

Microsoft have created an article detailing their suggested exclusions. We suggest that these are added only when necessary:

http://support.microsoft.com/kb/822158