"Antivirus Disable Notify"

Greetings

A month ago, I helped a friend clean up his XP Pro computer. He had his own AV, and Windows kept pestering him to install an AV, so I disabled the anti-virus notify.

The other day, he was infected with the FBI MoneyPak ransomware. I got rid of it pretty easily by doing a system restore. Then I scanned with every tool I could find, including Sophos Virus Removal Tool v2.3, which found a few instances of "RansomWare" which I could only assume was the MoneyPak.

In the log, one instance was listed as in a restore folder, which is to be expected. But another instance was in a registry file. Sophos listed the ransomware "in" a file called "Antivirus Disable Notify". Is this possible?

This really confuses me; can anyone explain?  It also makes me feel personally responsible for getting my friend infected.

Thanks.

  • Hello Linn10,

    Sticking my neck out (I don't have inside knowledge; the following is deduced from observation): apart from the actual malware (which is an executable and does the "dirty work"), a threat might also come with associated "supporting files" and make changes to the system. These might or might not (they could sometimes be legitimate and unrelated) be indicative of the specific threat. If they are, they trigger a detection in their own right; if not, they might be flagged (and sometimes reverted during cleanup) in response to a threat found. An example of such a change is the replacement of the Task Manager in the registry (e.g. Process Explorer does this when requested) - it is not flagged unless a threat is found which is known to make such a change (at least in some cases).

    As his own AV did not interface with the Security Center, turning off the notification likely did not facilitate the infection - but as a consequence of the detection, other items which might be related to or created by the threat are reported.

    HTH

    Christian

  • I see...(I think)

    Are you saying that Sophos found some files related to the ransomware, and then it found that the AV notification was turned off, so it made the connection between the 2 for me - in one step - and it blamed the AV notification disabling on the ransomware, instead of on me (who was the actual culprit)?

    ...or... that it noticed that the AV notify was disabled, and since the latest ransomware is known to turn off the AV notification, then it assumed that it was ransomware that did it?

    Funny it didn't mention ransomware anywhere else.

    Thanks!

  • Hello Linn10,

    I might have misread you (maybe I shouldn't have made a guess without knowing the exact details). So without the exact sequence of events, the items (file, registry, ...) and the detection name, I can't offer a more precise explanation. One remark though - how should Sophos (or some piece of software in general, or even a human expert) be able to tell who made some change?

    Christian
  • LOL...we do have a communication problem, partly because I don't understand enough to ask coherently.

    The scan results showed something very much like this:

         HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\SECURITYCENTER\*\*antivirusdisablenotify\ransomware

    IOW, it found ransomware IN the registry file. I edit the registry from time to time (after backing it up), but I don't really know how it works; I think I assumed it was more like "Settings" than "Files".

    I imagine the confusion comes from Sophos' syntax in the scan results. Maybe little people like me aren't SUPPOSED to know exactly what happened! ;-)

  • It was probably flagged as the ransomware (as well as other types of malware/scareware/ransomware) commonly changes entries in the registry as its method of controlling your computer.

    The "auto notify antivirus disabled" registry entry is a common entry changed by infections, as they usually disable your existing AntiVirus software and don't want Windows continually telling you it has been disabled. Likewise they may change it and have it pop up, then add their popup to it stating you are infected, need to purchase their cleaner to clean.. yada yada yada.

    So it doesn't surprise me that it flagged that reg key.

    I would assume (assume as I am not 100% sure of the way Sophos works) - I would assume that Sophos compared the existing reg key against its database and noticed a discrepancy as the regkey had been changed, or maybe it checked the modified date of the regkey.. something to that effect.
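Added example, not code from the thread or from Sophos: a PowerShell audit of the Security Center settings the whole thread revolves around. It lists the "DisableNotify" values under HKLM\SOFTWARE\Microsoft\Security Center (a value of 1 means the alert is silenced, which is what the original poster set by hand and what the last reply says infections commonly set), and it queries the Security Center WMI classes to show which AV products are actually registered, which bears on Christian's remark that the friend's AV did not interface with Security Center. The registry path, value names, WMI namespaces and class are the standard Windows ones; the "Svc" subkey and the root\SecurityCenter2 namespace exist on Vista and later only. The function names are my own, and New-Object PSObject is used instead of [pscustomobject] so the script also runs on the PowerShell 2.0 that XP can have.

```powershell
# Added example (not from the thread): audit Windows Security Center state.
# Run in an elevated PowerShell; read-only unless you uncomment the remediation line.

function Get-SecurityCenterNotifyState {
    # Hypothetical helper name. Value 1 = notification silenced, 0/absent = normal.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Security Center',      # XP SP2 onwards
        'HKLM:\SOFTWARE\Microsoft\Security Center\Svc'   # Vista onwards
    )
    $names = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

    foreach ($path in $paths) {
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        foreach ($name in $names) {
            $value = $props.$name                        # $null when the value is absent
            New-Object PSObject -Property @{
                Path     = $path
                Name     = $name
                Value    = $value
                Silenced = ($value -eq 1)
            }
        }
    }
}

function Get-RegisteredAntiVirus {
    # Hypothetical helper name. XP registers AV products in root\SecurityCenter,
    # Vista and later in root\SecurityCenter2; an AV that is not listed here is
    # invisible to Security Center, so Windows will keep nagging that no AV is installed.
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        foreach ($p in $products) {
            if ($null -ne $p.productState) {
                # SecurityCenter2 packs enabled/up-to-date flags into productState
                $state = '0x{0:X6}' -f $p.productState
            } else {
                # XP's class exposes a plain boolean instead
                $state = 'onAccessScanningEnabled=' + $p.onAccessScanningEnabled
            }
            New-Object PSObject -Property @{
                Namespace   = $ns
                DisplayName = $p.displayName
                State       = $state
            }
        }
    }
}

Write-Host 'Security Center notification settings:'
Get-SecurityCenterNotifyState | Format-Table Path, Name, Value, Silenced -AutoSize

Write-Host 'AV products registered with Security Center:'
$av = @(Get-RegisteredAntiVirus)
if ($av.Count -eq 0) {
    Write-Warning 'No AV product is registered with Security Center; any installed AV is not reporting its status to Windows.'
} else {
    $av | Format-Table Namespace, DisplayName, State -AutoSize
}

$silenced = @(Get-SecurityCenterNotifyState | Where-Object { $_.Silenced })
if ($silenced.Count -gt 0) {
    $msg = '{0} Security Center notification(s) are silenced; infections commonly set these, so confirm each one was turned off deliberately.' -f $silenced.Count
    Write-Warning $msg
}

# Remediation once you are sure the change was not intended (restores the default):
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -Name AntiVirusDisableNotify -Value 0 -Type DWord
```

Note that the registry does not expose a per-value modification time through Get-ItemProperty, so the "modified date" idea in the last reply cannot be checked this way; what the script can show is whether the notification is silenced at all and whether an AV is actually talking to Security Center, which together decide whether the silenced value was a deliberate choice (as in the original post) or something to treat as suspicious.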