Why 10 threat cases have been created for single malware in e-mail attachment

Hi all,

I have noticed that sometimes 10 threat cases are created for a single piece of malware in an e-mail attachment.

One user received an e-mail which contains a Trojan in the attachment. It is blocked by Sophos and a Threat Case is created.

However, it seems that every 3 minutes a new Threat Case is created for the same file. We have multiple cases like this, and it seems it creates 10 threat cases per malware.

I don't know whether it is related to the Microsoft Outlook refresh interval, but it creates a lot of duplicate Threat Cases.

How is a Threat Case created, and why do we have 10 threat cases for a single e-mail?

Thank you in advance,

Nikola Djurdjevic



This thread was automatically locked due to age.
  • I always just download twice in the event of a corrupted file I delete twice !

    Ken A Wright: wrightakencom

  • Hello

    Thank you for your reply.

    That is OK. In Events, I have the file detected twice and deleted twice, but why then do I have 10 threat cases instead of 2?

    Here is the most recent case, from this morning.

    Same story, an e-mail with malware in the attachment. Sophos detected it and deleted it. Note that it detected it at 8:06 AM and deleted it at 8:07 AM. So a single file detection, a single file deletion.

    However, I still have 10 threat cases for the same issue. Each of them was created 2 minutes after the previous one.

    If I open the first one (in the set of ten, created at 08:09 AM) we will see that there is malware in the attachment.

    If I open the last one created (8:27 AM):

    We will see that the same file is causing the problem. This same file is also in the remaining 8 cases, whose pictures I didn't include here.

    This also raises a question: why is a threat case created at 8:27 when the file was deleted at 8:07 AM?

    If there are some caching issues with Outlook, in the sense that a new file is created just after it has been deleted, then we should see that in the Events tab. Why don't we see all events in the Events tab?

    So I'm left with a doubt: either the Threat Case Analysis Center creates duplicate cases, or Events are not registered (presented) correctly, or something else.

    Kind regards, 

    Nikola
  • Hello

    Just curious, what does the Events window look like on the Device itself? To see this, locate the Sophos icon in the Systray and double-click it. From there you can click on Events. Look under Malware and PUAs (click All Sources to get to this). I am trying to see if there are more detections coming up there or any failures with cleanup.

  • Hi DianneY,

    Sorry for the late response. I could not provide you details from the Events tab on the user's PC. I could not reach the user (busy, holiday, etc.).

    However, the same case occurred again on a new machine.

    7 threat cases have been created, one every 3 min.

    There is a single registration of the malware in Events on Sophos Central.

    There is a single registration of the malware in Events on the Sophos client on the user's PC.

    Question: Why do I have several threat cases generated for the same malware when there was only one detection of the malware?

  • Hello

    I researched this issue with previous tickets and found that it is possible that what may be happening is a timing issue where the email client being used is triggering the detection (via read, write and rename functions of On-Access scanning), so you have a point there, when you mentioned it may have something to do with the Outlook refresh interval. This is all pure speculation at this point. I would advise raising a Support Case for further review. Support will request SDU logs primarily to check the SAV.txt file for the detections, check your Central dashboard for the threat cases, and may ultimately request Process Monitor logs.
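    A small triage script, added here as an example and not part of the thread or of any Sophos tool: it takes constructed threat-case records (the field names created, device, sha256 and path are assumptions, not the Sophos Central export format), groups them by device and file hash, and collapses a burst of cases a few minutes apart into one cluster, while a re-detection of the same file hours later is kept as a separate incident. This is the check a SOC analyst would run over an exported case list to tell "one detection reported ten times" apart from "ten detections".

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _case(device, sha256, created,
          path="C:\\Users\\u1\\AppData\\Local\\Temp\\invoice.doc"):
    # Constructed record; field names are assumptions, not a Sophos format.
    return {"created": created.isoformat(), "device": device,
            "sha256": sha256, "path": path}


_BASE = datetime(2019, 5, 10, 8, 9)
SAMPLE_CASES = (
    # ten cases for one attachment, three minutes apart (08:09 .. 08:36)
    [_case("PC-01", "hash-of-attachment-A", _BASE + timedelta(minutes=3 * i))
     for i in range(10)]
    # the same file on the same device five hours later: a separate incident
    + [_case("PC-01", "hash-of-attachment-A", _BASE + timedelta(hours=5))]
    # an unrelated detection on another device
    + [_case("PC-02", "hash-of-attachment-B", _BASE + timedelta(minutes=20))]
)


def cluster_cases(cases, window=timedelta(minutes=5)):
    """Group cases by (device, sha256) and split a group wherever the gap
    between consecutive cases exceeds `window`. A burst of repeated cases for
    one file becomes one cluster; later re-detections stay separate."""
    by_key = defaultdict(list)
    for c in cases:
        by_key[(c["device"], c["sha256"])].append(
            datetime.fromisoformat(c["created"]))
    clusters = []
    for (device, sha256), times in by_key.items():
        times.sort()
        first = prev = times[0]
        count = 1
        for t in times[1:]:
            if t - prev > window:  # gap too large: close the current cluster
                clusters.append({"device": device, "sha256": sha256,
                                 "first": first, "last": prev, "count": count})
                first, count = t, 0
            prev = t
            count += 1
        clusters.append({"device": device, "sha256": sha256,
                         "first": first, "last": prev, "count": count})
    return clusters


def suspected_duplicates(cases, window=timedelta(minutes=5)):
    """Clusters holding more than one case: candidates for a single incident
    that the console has reported repeatedly."""
    return [c for c in cluster_cases(cases, window) if c["count"] > 1]
```

    Running suspected_duplicates(SAMPLE_CASES) yields one cluster of 10 cases on PC-01 spanning 08:09 to 08:36; the later re-detection and the PC-02 case are reported as single cases.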

  • Are there any news about this topic? I saw the same issue today.

    The problem here is that it didn't stop at 10 entries. Every 3 minutes a case is created. Please help.
