
Why 10 threat cases have been created for single malware in e-mail attachment

Hi all,


I have noticed that sometimes 10 threat cases are created for a single malware in an e-mail attachment.

One user has received an e-mail which contains a Trojan in the attachment. It is blocked by Sophos and a Threat Case is created.

However, it seems that every 3 minutes a new Threat Case is created for the same file. We have multiple cases like this and it seems it creates 10 threat cases per malware.

I don't know if it is related to the Microsoft Outlook refresh interval, but it creates a lot of duplicate Threat Cases.

How is a Threat Case created, and why do we have 10 threat cases for a single e-mail?


Thank you in advance,

Nikola Djurdjevic



  • Hi DianneY,

    Thank you for your feedback. I will check the reference you gave me.

    The first 10 are for one device while the other 10 are for another device. What both have in common is that they have received an e-mail with malware in the attachment. So, two users on two different machines received two different e-mails with two different malwares. For each mail, 10 threat cases have been created. If I go through each, I see that they point to the same file. The interesting thing is that each case is created in a timespan of 3 minutes. It is not possible that the user opened the same file 10 times, once every 3 minutes.

    Sorry for the picture sizes. I made screenshots (big pictures) but somehow they are small in this question editor.

    Kind regards,

    Nikola

  • Hello  

    Does it also show the same detections in the Device's Events tab in Central?


    Thanks,

  • For each device, the Events tab says that the malware was detected twice and then deleted. So there are two events for detecting the same malware and two events about deleting the malware.

    Check pictures below. I hope they will be visible.

  • Hello  

    SAV may have been detecting cached copies of the attachment or the email. Check the path that SAV is seeing (which may be some hidden INetCache location) and delete the file. While that might help with cleanup, I would suggest contacting the Support team for further assistance to see if there is something unusual with the Threat Cases being created.

    Thanks,
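The last reply suggests that the repeated cases may come from the scanner re-detecting cached copies of the same attachment, and the original poster checked by hand that the cases on one device all point to the same file a few minutes apart. The script below is an added example (not Sophos code or any Sophos Central export format) that does that check over a constructed set of detection events: it groups detections by device and file path, collapses events that recur within a short window into one case, and flags paths that look like a browser or Outlook cache location. The event layout, device names, paths and the 5-minute window are assumptions for the example.

```python
"""Collapse repeated antivirus detections of the same file on the same device.

Added example, not Sophos code. The event line format
    <ISO timestamp> <device> <action> <path>
is constructed for this example and is not a real Sophos Central export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one attachment re-detected every 3 minutes in an
# Outlook cache folder, a clean-up event, one unrelated file, and a later
# re-detection of the cached file well outside the window.
SAMPLE_EVENTS = """\
2023-05-01T08:00:00 PC-01 detected C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\ABCD1234\\invoice.doc
2023-05-01T08:03:00 PC-01 detected C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\ABCD1234\\invoice.doc
2023-05-01T08:03:10 PC-01 cleaned C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\ABCD1234\\invoice.doc
2023-05-01T08:06:00 PC-01 detected C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\ABCD1234\\invoice.doc
2023-05-01T08:00:30 PC-02 detected C:\\Users\\bob\\Downloads\\report.xls
2023-05-01T09:30:00 PC-01 detected C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\ABCD1234\\invoice.doc
"""

# Path fragments that usually mean "a cached copy, not the user's saved file".
CACHE_MARKERS = ("inetcache", "content.outlook", "\\temp\\", "\\tmp\\")


def parse_events(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # maxsplit=3 keeps paths containing spaces intact.
        ts, device, action, path = line.split(" ", 3)
        events.append({
            "time": datetime.fromisoformat(ts),
            "device": device,
            "action": action,
            "path": path,
        })
    return events


def looks_cached(path):
    """True if the path sits in a known cache/temp location."""
    lowered = path.lower()
    return any(marker in lowered for marker in CACHE_MARKERS)


def collapse_detections(text, window_minutes=5):
    """Group 'detected' events per (device, path) and merge those that recur
    within window_minutes of the previous one into a single case record."""
    groups = defaultdict(list)
    for ev in parse_events(text):
        if ev["action"] != "detected":  # ignore clean-up/deletion events
            continue
        groups[(ev["device"], ev["path"])].append(ev["time"])

    window = timedelta(minutes=window_minutes)
    cases = []
    for (device, path), times in groups.items():
        times.sort()
        current = None
        for t in times:
            if current is not None and t - current["last_seen"] <= window:
                # Same file, same device, within the window: a repeat, not a new case.
                current["last_seen"] = t
                current["count"] += 1
                continue
            if current is not None:
                cases.append(current)
            current = {
                "device": device,
                "path": path,
                "first_seen": t,
                "last_seen": t,
                "count": 1,
                "cached_copy": looks_cached(path),
            }
        cases.append(current)

    cases.sort(key=lambda c: (c["first_seen"], c["device"]))
    return cases


if __name__ == "__main__":
    for case in collapse_detections(SAMPLE_EVENTS):
        print(f"{case['device']} {case['count']}x {case['first_seen']:%H:%M}-"
              f"{case['last_seen']:%H:%M} cached={case['cached_copy']} {case['path']}")
```

Run against real exports, the output makes the duplicate pattern visible at a glance: a case with a count of 10 and a cache-folder path is one attachment being re-scanned, whereas several cases with count 1 on distinct non-cache paths are genuinely separate files. The window is deliberately small so that a later, independent re-detection of the same file (here at 09:30) still opens its own case.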