Hi,
Could you please check case ID 8023819? This case has been open since 5th April 18 but is not resolved yet. Sophos is not supporting by mail or telephone either.
Hi Ganesh,
It looks like support have been helping you since you logged a case; here is a summary of my understanding based on the support case:
It will be very difficult to offer more help via the community than the assistance support can offer. The challenge appears to be that either: the malware is sourced somewhere that Sophos isn't installed/can't clean, or users keep introducing the malware.
If it is the former, you will need to ascertain the source of the malware, isolate the device and remove the infection; if it is the latter, then user education is required.
Please do provide more information if you can, although I reiterate that support are in a much better position to assist you.
Regards,
Stephen
Hi Stephen,
Thanks for your reply.
As per your reply, we removed the keygen.exe file many times but it comes back again, and this file makes multiple copies of the keygen.exe file, which is in a zip file.
We clean the machines that are shown as the source of infection (we format these machines).
As per Sophos's instructions, we are doing all the R&D they told us, but the issue is still the same and it's spreading to multiple servers.
Please let us know how I could resolve this.
Regards
Ganesh Rathore
Thanks & Regards
Ganesh Singh Rathore
Contact No. +919530179379
Email: ganesh.rathore@vglgroup.com
Skype: ganeshsr@hotmail.com
Hi Ganesh,
The key comment you made was this: 'we remove the keygen.exe file many times but it comes again'.
We need to ascertain how the file is getting reintroduced to your estate; as this is different machines, it is unlikely to be resident in a shadow volume or other local stores.
Are the detections on Computers or Servers?
Regards,
Stephen
Hi Stephen,
These detections are showing on server machines which are Windows Server 2012 R2;
these servers' HDDs are shared on our network and used as a file server for data sharing.
And as per SOI, we clean those machines which are showing the error, and then when we run SOI again it shows us different machines.
We cleaned 7-8 machines in our network and we are using all licensed software, so how does it come back and how could we clean it?
Regards
Ganesh Rathore
Thanks & Regards
Ganesh Singh Rathore
Contact No. +919530179379
Email: ganesh.rathore@vglgroup.com
Skype: ganeshsr@hotmail.com
Hello Ganesh and Stephen,
excuse me for chiming in. I'm not Sophos so I don't have any insight into the case.
Apparently cleaning of obviously affected (without details I can't say if they are infected in the sense that the malware is active on them and not just present in a file) machines doesn't help. In such cases a structured and systematic approach is essential.
First of all - do you have unprotected (and/or unmanaged) computers in your network?
If reimaged machines contract the malware shortly after you should run the Source Of Infection tool (I understand that Support has already suggested it) from the start. The question is whether this keygen.exe is written by a local process or dropped over the network. In the former case the process has to be investigated. If it's "unknown" but its image hasn't triggered a detection you should obtain a sample and send it in. If dropped then the question is - what is running on the machine that drops it?
Assuming it's not your users reintroducing this "thing", it's likely either an unprotected machine (either no suitable AV, or AV effectively turned off, e.g. by inappropriate exclusions) or some rogue process that does not yet trigger a detection.
Christian
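Following Christian's point that the first job is to establish where and when keygen.exe reappears, here is an added triage script (not from the thread, Sophos or the SOI tool) that walks a mounted share, records every keygen.exe found bare or inside a .zip, and orders the hits by modification time so the earliest copy can be correlated with SOI output and a sample hashed for submission. The share path, the exact file name and the sample directory it builds for demonstration are all assumptions.

```python
"""Hunt for keygen.exe copies (bare or inside zip archives) on a file share."""
import hashlib
import os
import tempfile
import zipfile
from datetime import datetime, timezone

TARGET = "keygen.exe"  # name reported in the thread; assumed case-insensitive exact match


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_share(root: str) -> list:
    """Return one record per keygen.exe found under root, bare or inside a .zip.
    Records are sorted by mtime so the earliest copy (closest to the source) comes first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
            if name.lower() == TARGET:
                with open(path, "rb") as fh:
                    findings.append({"path": path, "inside_zip": None, "size": st.st_size,
                                     "mtime": mtime, "sha256": sha256_bytes(fh.read())})
            elif name.lower().endswith(".zip") and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:  # archive members are read, never extracted
                    for info in zf.infolist():
                        if os.path.basename(info.filename).lower() == TARGET:
                            findings.append({"path": path, "inside_zip": info.filename,
                                             "size": info.file_size, "mtime": mtime,
                                             "sha256": sha256_bytes(zf.read(info))})
    findings.sort(key=lambda r: r["mtime"])
    return findings


def build_sample_share() -> str:
    """Constructed throwaway directory mimicking the symptom (placeholder bytes, not malware)."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "Projects", "Tools"))
    payload = b"MZ constructed placeholder, not an executable"
    with open(os.path.join(root, "Projects", "Tools", "keygen.exe"), "wb") as fh:
        fh.write(payload)
    with zipfile.ZipFile(os.path.join(root, "Projects", "setup.zip"), "w") as zf:
        zf.writestr("crack/KeyGen.exe", payload)  # same bytes, different casing and packaging
        zf.writestr("readme.txt", "harmless")
    return root


if __name__ == "__main__":
    for rec in scan_share(build_sample_share()):
        print(rec)
```

Identical sha256 values across hits mean one dropper is copying the same file around; differing hashes point to more than one source or a self-modifying sample, which is worth telling support.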