
Sophos Anti-Rootkit gets many false positives with Microsoft Security Essentials active

I noticed that SAR was finding a lot of hidden files. Looking closer, I noticed that many of them were *my* files, which I was pretty sure should still be there. Sure enough, when I opened up one of the folders in Explorer, there were the files.

At first I thought it might have been because I had run SAR at around the time when Microsoft Security Essentials runs, so I tried again this morning and it still found those files.

Next, I disabled the "Monitor file and program activity on your computer" checkbox in the MSE configuration before starting SAR. This seems to be working fairly well; now most of what I'm seeing is in "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5", which isn't very surprising, though the dialog box warning of possible security threats when I try to open the subfolders in Explorer is a bit alarming, as is the fact that it seems to have crashed in this folder... thankfully, it was just a shell extension that took (well, raised, actually) exception to failure to open some file or other...

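The triage the poster did by hand (check whether each file the scanner calls "hidden" is actually visible through the normal file system view, and compare a run with real-time protection on against a run with it off) can be scripted. The PowerShell below is an added example, not part of this thread and not Sophos or Microsoft tooling; it assumes the scanner log can be reduced to one reported path per line, and the scan results embedded in it are constructed sample values, not real output.

```powershell
# Added example: triage "hidden file" findings from a rootkit scanner.
# Assumptions (not from the thread): the scanner's report has been reduced to
# one path per line; the two result lists below are constructed samples.

function Test-ReportedHiddenFile {
    # Re-query one reported path through the ordinary Win32 API (what Explorer
    # uses). A file the scanner calls hidden but the API returns normally is the
    # pattern the thread describes as a false positive.
    param([Parameter(Mandatory)][string]$Path)

    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    $item = Get-Item -LiteralPath $expanded -Force -ErrorAction SilentlyContinue

    # Browser cache folders (mentioned in the thread as the bulk of the noise)
    $inBrowserCache = $expanded -match 'Temporary Internet Files|INetCache'

    if ($null -eq $item) {
        $verdict = 'Not visible via Win32 API - investigate'
    } elseif ($item.Attributes -band [IO.FileAttributes]::Hidden) {
        $verdict = 'Exists with Hidden attribute - ordinary hidden file'
    } else {
        $verdict = 'Visible and not hidden - likely false positive'
    }

    [pscustomobject]@{
        Path           = $expanded
        Verdict        = $verdict
        InBrowserCache = $inBrowserCache
    }
}

function Compare-ScanRuns {
    # Findings present only when real-time protection was enabled are the
    # strongest false-positive candidates; findings present in both runs
    # deserve a closer look.
    param(
        [string[]]$WithRealTimeProtection,
        [string[]]$WithoutRealTimeProtection
    )
    Compare-Object -ReferenceObject $WithoutRealTimeProtection `
                   -DifferenceObject $WithRealTimeProtection -IncludeEqual |
        ForEach-Object {
            $origin = switch ($_.SideIndicator) {
                '=>' { 'Only with RTP enabled (likely interference)' }
                '<=' { 'Only with RTP disabled' }
                '==' { 'Reported in both runs - investigate' }
            }
            [pscustomobject]@{ Path = $_.InputObject; Origin = $origin }
        }
}

# Constructed sample results (placeholders, not real scanner output)
$withRtp = @(
    '%UserProfile%\Documents\report.docx',
    '%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\index.dat',
    'C:\Windows\System32\drivers\example-placeholder.sys'
)
$withoutRtp = @(
    'C:\Windows\System32\drivers\example-placeholder.sys'
)

Compare-ScanRuns -WithRealTimeProtection $withRtp -WithoutRealTimeProtection $withoutRtp |
    Format-Table -AutoSize

$withRtp | ForEach-Object { Test-ReportedHiddenFile -Path $_ } | Format-Table -AutoSize
```

Get-Item with -Force is used so that files carrying the ordinary Hidden attribute are still returned; a path that the normal API cannot see at all is the one case that still warrants the rootkit-style investigation, while entries that appear only with real-time protection on and are visible through the API match the behaviour the thread attributes to the MSE filter.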


  • Hi,

    We recently updated SAR with a new engine and additional identities. Make sure you are running version 1.5.4, which is the latest one.

    http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

    This will help with the false positives.

    Regards,

    Shai Gelbaum

    Product manager

  • I have just scanned my Windows 7 Home Premium 64 bit system with Sophos Anti Rootkit 1.5.4 while Microsoft Security Essentials real time protection was enabled. This resulted in well over 20 hidden files being detected by Sophos and one or two other Microsoft related files being listed as possible problems. Many of the files were not hidden in my system.

    This obviously was a concern, but I guessed that they might be false positives, so I did a search on the web and found this page. When I disabled MSE real time protection and ran the Sophos ARK again, it detected zero problems.

    Just thought I would mention it as a bit of feedback.

    By the way, I was looking for a 64 bit version of Sophos ARK, but the one I ended up downloading appears to be 32 bit. It was installed in my Programs (x86) folder, so I assume that it is 32 bit. Is there a 64 bit version available?
