Case ID: 8023819

Hi,

Could you please check case ID 8023819? This case was opened on 5th April 18 but has still not been resolved. Sophos is not providing support by email or telephone either.



  • Hi Ganesh,

    It looks like support have been helping you since you logged a case; here is a summary of my understanding based on the support case:

    • Sophos detected some malware in a file, keygen.exe
    • Although we detected the malware and removed it, reports keep occurring
    • The source of the infection appears to be different machines
    • You would like assistance on how to clear this threat

    It will be very difficult to offer more help via the community than the assistance support can offer. The challenge appears to be that either the malware is sourced somewhere that Sophos isn't installed or can't clean, or users keep introducing the malware.

     

    If it is the former, you will need to ascertain the source of the malware, isolate the device and remove the infection; if it is the latter, then user education is required. 

    Please do provide more information if you can, although I reiterate that support are in a much better position to assist you.

    Regards,

    Stephen

  • Hi Stephen,

     

    Thanks for your reply.

    As per your reply, we have removed the keygen.exe file many times, but it comes back again, and this file makes multiple copies of keygen.exe inside a zip file.

    We have cleaned the machines that are shown as the source of infection (we formatted these machines).

    As per Sophos' instructions, we have done all the R&D they told us to, but the issue is still the same and it is spreading to multiple servers.

    Please let us know how I could resolve this.

     

    Thanks & Regards

    Ganesh Singh Rathore

    Contact No. +919530179379            

    Email: ganesh.rathore@vglgroup.com     

    Skype: ganeshsr@hotmail.com         

  • Hi Ganesh,

    The key comment you made was this: 'we remove the keygen.exe file many times but it comes again'.

    We need to ascertain how the file is getting reintroduced to your estate; as this affects different machines, it is unlikely to be resident in a shadow volume or other local stores.

    Are the detections on Computers or Servers?

    Regards,

    Stephen

  • Hi Stephen,

     

    These detections are showing on server machines, which are Windows Server 2012 R2.

    These servers' HDDs are shared on our network and are used as file servers for data sharing.

    As per SOI (the Source of Infection tool), we clean the machines that are showing the error, and when we run SOI again it shows us different machines.

    We have cleaned 7-8 machines in our network and we are using only licensed software, so how does it come back, and how could we clean this?

     

    Regards

    Ganesh Rathore 


  • Hello Ganesh and Stephen,

    Excuse me for chiming in. I'm not Sophos, so I don't have any insight into the case.

    Apparently, cleaning of obviously affected machines (without details I can't say if they are infected in the sense that the malware is active on them, and not just present in a file) doesn't help. In such cases a structured and systematic approach is essential.
    First of all: do you have unprotected (and/or unmanaged) computers in your network?
    If reimaged machines contract the malware shortly afterwards, you should run the Source Of Infection tool (I understand that Support has already suggested it) from the start. The question is whether this keygen.exe is written by a local process or dropped over the network. In the former case the process has to be investigated. If it's "unknown" but its image hasn't triggered a detection, you should obtain a sample and send it in. If dropped, then the question is: what is running on the machine that drops it?
    Assuming it's not your users reintroducing this "thing", it's likely either an unprotected machine (either no suitable AV, or AV effectively turned off, e.g. by inappropriate exclusions) or some rogue process that does not yet trigger a detection.

    Christian
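
The approach Stephen and Christian describe (find out how keygen.exe is being reintroduced, and whether a local process writes it or another host drops it over the network share) can be made concrete with Windows object-access auditing on the file server itself. The PowerShell below is an added example and is not from the thread, from Sophos or from the Source of Infection tool; the share path D:\Shared, the file name keygen.exe and the 24-hour search window are assumptions. Run it in an elevated PowerShell on the Windows Server 2012 R2 file server.

```powershell
<#
Added example, not from the Sophos thread or from Sophos: use Windows
object-access auditing on the file server to see who re-creates keygen.exe.
Assumptions (none are stated in the thread): the shared folder's local path is
D:\Shared, the file name is keygen.exe, and this runs elevated on the file server.
#>
param(
    [string]$SharePath = 'D:\Shared',   # assumed local path of the shared folder
    [string]$FileName  = 'keygen.exe',  # file name reported by Sophos
    [int]$Hours        = 24             # how far back to search the Security log
)

# --- Step 1: enable the two Object Access subcategories that record file writes ---
# "File System"         -> event 4663, includes ProcessName of the local writer
# "Detailed File Share" -> event 5145, includes IpAddress of the SMB client
auditpol /set /subcategory:"File System" /success:enable | Out-Null
auditpol /set /subcategory:"Detailed File Share" /success:enable | Out-Null

# --- Step 2: add a SACL so every successful file creation/write under the share is audited ---
$acl  = Get-Acl -Path $SharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, WriteData, AppendData',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# --- Step 3: once the file has reappeared, pivot the audit events on the writer ---
function Get-EventField {
    # Pull a named EventData field out of an EventRecord via its XML form.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-DropperEvents {
    param([string]$FileName, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4663, 5145; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($FileName) } |
        ForEach-Object {
            if ($_.Id -eq 4663) {
                # A write arriving over SMB is performed by the kernel on behalf of the
                # client and is attributed to the 'System' process (PID 4); any other
                # ProcessName is a local process and is the thing to investigate.
                $proc = Get-EventField $_ 'ProcessName'
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Via      = if ($proc -eq 'System') { 'smb' } else { 'local' }
                    Account  = Get-EventField $_ 'SubjectUserName'
                    Process  = $proc
                    ClientIP = ''
                    Object   = Get-EventField $_ 'ObjectName'
                }
            } else {
                # 5145 is only logged for share access, so this row is a network drop;
                # ClientIP is the machine to isolate and run the Source of Infection tool on.
                [pscustomobject]@{
                    Time     = $_.TimeCreated
                    Via      = 'smb'
                    Account  = Get-EventField $_ 'SubjectUserName'
                    Process  = ''
                    ClientIP = Get-EventField $_ 'IpAddress'
                    Object   = Get-EventField $_ 'RelativeTargetName'
                }
            }
        }
}

Get-DropperEvents -FileName $FileName -Since (Get-Date).AddHours(-$Hours) |
    Sort-Object Time | Format-Table -AutoSize

# --- Step 4: hash every on-disk copy so Support gets one sample per distinct binary ---
Get-ChildItem -Path $SharePath -Recurse -Filter $FileName -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256 |
    Group-Object Hash |
    Select-Object Count, Name, @{ n = 'Paths'; e = { $_.Group.Path -join '; ' } }
```

Reading the output: a 4663 row whose Process is anything other than System means a local process on the file server wrote the file, which is the case Christian says to investigate and to submit a sample for; a 5145 row's ClientIP is the host that dropped the file over the share, which is the machine to isolate and run the Source of Infection tool on, rather than the file server that merely reports the detection. The hash grouping at the end shows whether the many copies Ganesh describes are one sample or several. Leave the SACL in place until the file has been recreated at least once; auditing a busy share produces many events, so narrow the window or the folder if the Security log rolls over too quickly.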