Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 10 subscribers
  • Views 2427 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Late detection of malware

David Lewis1

Hi,

 

We're running managed instance of Sophos SEC on our servers. Our most recent on-demand scan (which is run weekly) detected and removed the following files from one of our servers:

Upon investigation, we determined that these files were most likely installed on the server by penetration testers during the last pentest. However, the last pentest was in March 2018. Is there any way to determine why these files were not detected by Sophos until our most recent scan? It appears that the definitions for these threats have been in the Sophos database since at least June 2018, and we keep all our definition files up to date with compliance auditing via Nessus.

 

Thanks

David



This thread was automatically locked due to age.
  • 0

    Do you still have the files as they are detected?  I would suggest sending them in to the labs as a sample for more info.  They can tell you when they were detected and how.

    It could be that originally they may have been picked up a run time using HIPS/live protection and if they weren't actually run just dropped these methods wouldn't have had a chance to convict the files.  Maybe later more generic detection was added that could detect them statically hence the later detection.

    Also, on-access scans don't have scan inside archives so they wouldn't be picked up at run-time unless unpacked if they are archive files.  Scheduled scans are more likely to have scan inside archives so could pick them up.  

    Regards,
    Jak

  • 0 in reply to jak

    We do not have the files, as the Sophos instance that detected them was configured to clean up the files without keeping a quarantine copy. All of the files were .ps1 scripts sitting in a directory on the main drive of the server.

     

     

  • 0 in reply to David Lewis1

    I don't recognise the product from that screenshot.  Is there any chance anything has a hash of the files that you could use to enquire SophosLabs with?

  • 0 in reply to David Lewis1

    Hello David Lewis1,

    the detections aren't new, the most recent of them, Troj/MimiK-B, is from July 2018. Thus the files should have been detected long since.
    The Antivirus logs (SAV.txt, SAV_yyyymmdd.txt in %ProgramData%\Sophos\Sophos Anti-Virus\logs\) contain the scan summaries including potential detections and errors but unfortunately no details of its configuration (most notably exclusions).

    Christian

  • 0 in reply to QC

    So to be clear:

    Unless there was an exception in place in our Sophos client, the anti-virus should have been able to detect these files for approximately six months?

     

    v/r

    David

  • 0 in reply to David Lewis1

    Hello David,

    yes, for Troj/MimiK-B. The other two are much older, Troj/Bdoor-BHB is from April 2017.

    Christian

Unfiltered HTML