Threat: Four On detected.....

For some time I have been getting the following warning: "com.sophos.intercheck: 2012-07-31 13:40:27 -0400 Threat: 'Four On' detected in /private/tmp/xxxxxxxx.$$$"  The warning and related file disappear within moments.  I have been unable to trace the source of this threat, and information online regarding Four On is sparse.

Any input to help me track this down and remove it will be appreciated. 

:1008662


This thread was automatically locked due to age.
  • Wow... if you ever get a sample to sit still, please submit it to the Sophos website!

    Can you set on-access scanning to deny access and move threat, to copy it to another folder (one that's excluded from on-access scans) as soon as it's detected?  Then submit the resulting file via our online submission form.

    This is almost certainly an FP, unless somehow something is creating a temporary file repeatedly which contains a Windows virus (not trojan) from 1994....  Once we've got a sample and can see what's going on, we should be able to patch the detection identity quickly.

    :1008666
  • I am trying to send this to you, and I have my preferences set up to move the threat to another folder, but every time this happens, the program deletes the file and leaves the following comment in the log file:  "Issue moving threat to folder."  The threat always occurs in the same folder, private/tmp.

    Any suggestions regarding how to capture this thing would be appreciated.  As I said, I have all of my preferences set to simply move the threat to another folder - NOT remove it.

    :1011472
  • I am trying to send this to you, and I have my preferences set up to move the threat to another folder on a drive not scanned by Sophos, but every time Four On is detected by the program I receive the message,  "Issue moving threat to folder," and Sophos deletes the infected file.  The threat always occurs in the same folder, private/tmp.

    Any suggestions regarding how to capture this thing would be appreciated.  As I said, I have all of my preferences set to simply move the threat to another folder - NOT remove it.  This is becoming VERY frustrating.  Either this is a very well-engineered piece of malware, or there is a problem with Sophos and its ability to handle this virus in accordance with my preferences.

    :1011700
  • Hi,

    If you have been unable to 'catch' the temp file as it's being created, the next step would be to try and reproduce exactly what situation causes it.

    It's unclear from your previous messages if this happens hourly / daily / weekly / monthly, but more information around what exactly your machine is doing at the time the message pops up would be useful.

    :1011714