
"Antivirus Disable Notify"

Greetings

A month ago, I helped a friend clean up his XP Pro computer. He had his own AV, and Windows kept pestering him to install an AV, so I disabled the anti-virus notify.

The other day, he was infected with the FBI MoneyPak ransomware. I got rid of it pretty easily by doing a system restore. Then I scanned with every tool I could find, including Sophos virus removal tool, V 2.3, which found a few instances of "RansomWare" which I could only assume was the MoneyPak.

In the log, one instance was listed as in a restore folder, which is to be expected. But another instance was in a registry file. Sophos listed the ransomware "in" a file called "Antivirus Disable Notify". Is this possible?

This really confuses me; can anyone explain?  It also makes me feel personally responsible for getting my friend infected.

Thanks.



  • Hello Linn10,

    sticking my neck out (I don't have inside knowledge, the following is deduced from observation): Apart from the actual malware (which is an executable and does the "dirty work") a threat might also come with associated "supporting files" and make changes to the system. These might or might not (they could sometimes be legitimate and unrelated) be indicative of the specific threat. If they are, they trigger a detection in their own right - if not, they might be flagged (and sometimes reverted during cleanup) in response to a threat found. An example of such a change is the replacement of the Task Manager in the registry (e.g. Process Explorer does this when requested) - it is not flagged unless a threat is found which is known to make such a change (at least in some cases).

    As his own AV did not interface with the Security Center, turning off the notification likely did not facilitate the infection - but as a consequence of the detection, other items which might be related to or created by the threat are reported.

    HTH

    Christian

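To make the reply's point concrete, here is an added read-only audit script (not code from the thread, from Sophos, or from the poster) that lists the registry settings the discussion touches on: the Security Center "disable notify" flags and the two places where Task Manager is commonly disabled or replaced. The registry paths and value names are the standard Windows locations; the "Suspect" column only says the value differs from the default, which, as Christian notes, is not by itself proof of anything (Process Explorer sets the Task Manager replacement legitimately, and a user can suppress the AV notification on purpose).

```powershell
# Added example, not part of the original thread: report Security Center
# notification flags and Task Manager registry entries without changing them.
# Run in an elevated PowerShell prompt on the machine being checked.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'AntiVirusDisableNotify'; Expected = 0
       Note = 'Security Center AV notification (1 = suppressed)' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'FirewallDisableNotify'; Expected = 0
       Note = 'Security Center firewall notification (1 = suppressed)' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = 'UpdatesDisableNotify'; Expected = 0
       Note = 'Security Center update notification (1 = suppressed)' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Expected = 0
       Note = 'Task Manager policy (1 = disabled)' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe'; Name = 'Debugger'; Expected = $null
       Note = 'Task Manager replacement via IFEO Debugger (any value = replaced)' }
)

function Get-RegistryAuditResult {
    param([hashtable]$Check)

    # Read the value if the key and value exist; a missing value stays $null.
    $value = $null
    if (Test-Path -LiteralPath $Check.Path) {
        $item = Get-ItemProperty -LiteralPath $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.($Check.Name) }
    }

    # Expected = $null means "normally absent", so any value at all is worth a look;
    # otherwise flag only when present and different from the default.
    $suspect = if ($null -eq $Check.Expected) { $null -ne $value }
               else { ($null -ne $value) -and ($value -ne $Check.Expected) }

    [pscustomobject]@{
        Path    = $Check.Path
        Name    = $Check.Name
        Value   = $value
        Suspect = $suspect
        Note    = $Check.Note
    }
}

$results = $checks | ForEach-Object { Get-RegistryAuditResult -Check $_ }
$results | Format-Table -AutoSize
```

The script reads only; if it shows AntiVirusDisableNotify = 1 on a machine where that was set deliberately (as in the original post), that line is expected, and the interesting rows are the ones nobody remembers setting, such as a Debugger value under the taskmgr.exe IFEO key that is not Process Explorer.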