Details on Malware Detected not available - dead link

Hello K_M,

all be dead
did happen, is likely not the case though.

There are several reasons that the link doesn't provide a result (in the order of likelihood - my rating):

• a unique name has been associated with a detection but a corresponding analysis hasn't been written (and perhaps never will)
• the nomenclature hasn't been adhered to (threat names have a prefix separated from the name with a / - in an URL this has to be escaped or replaced, previously with a tilde, seems it's now a dash)
• if the link forwarder is used the mapping might not exist or be in error
• search is broken
• there's an issue with the analysis database

Coincidentally if you go to the Sophos Labs page and search the Viruses and Spyware category for Mal/ExpJS you'll get some results.

More often than not the analysis doesn't provide additional practical information though, most have to be taken with more than an ounce of salt.
What information do you expect or need? .

Christian

What is the purpose of making the events in Central hyperlinks then? (that is rhetorical)  Sophos really needs to step up its game before it takes a nose dive like RIM did back in 2011.

I did try your search suggestion and it serves as a workaround for most items.  Thank you.

Hello K_M,

the hyperlinks were "always" there, and long before Central. The URLs are simply http://<ccccc>.<c>.link.sophos.com/<c>/<cc>/ with the URL-encoded threat name (e.g. Mal%2FExpJS-N) appended. link.sophos.com in turn redirects to the analyses pages, again using a simple rule to rewrite the URL.

It seems that my second or third point (or perhaps both) apply at the moment. Following the hyperlink I'm direct to <threatcenterURL>/malexpjsn.html. (apparently any character that is not alphanum simply removed). I've also found direct links to analyses using this format on nakedsecurity (the article is from 2011, this URL format definitely hasn't been used then). The URL obtained via the Labs page end with /Mal~ExpJS-N.aspx (just slash replaced with tilde) though, the format used in the last few years.
Thus indeed none of the hyperlinks works right now. I rarely use them so I can't say when this has started (and naturally I can't say when this will be fixed).

apart from the current problem:
a workaround for most items
for the others the first point applies - there's no analysis. You might have noticed that the Summary is often just a boilerplate text and the Details don't give much insight or additional information.

Christian

Hello K_M,

the hyperlinks were "always" there, and long before Central. The URLs are simply http://<ccccc>.<c>.link.sophos.com/<c>/<cc>/ with the URL-encoded threat name (e.g. Mal%2FExpJS-N) appended. link.sophos.com in turn redirects to the analyses pages, again using a simple rule to rewrite the URL.

It seems that my second or third point (or perhaps both) apply at the moment. Following the hyperlink I'm direct to <threatcenterURL>/malexpjsn.html. (apparently any character that is not alphanum simply removed). I've also found direct links to analyses using this format on nakedsecurity (the article is from 2011, this URL format definitely hasn't been used then). The URL obtained via the Labs page end with /Mal~ExpJS-N.aspx (just slash replaced with tilde) though, the format used in the last few years.
Thus indeed none of the hyperlinks works right now. I rarely use them so I can't say when this has started (and naturally I can't say when this will be fixed).

apart from the current problem:
a workaround for most items
for the others the first point applies - there's no analysis. You might have noticed that the Summary is often just a boilerplate text and the Details don't give much insight or additional information.

Christian

Hi All,

I'll look into this more with our IT team.  I know we have a few items in a tracking system for these URLs.  

• https://www.sophos.com/en-us/security/analyses/viruses-and-spyware/malexpjsn.html - ERRORs
• https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~ExpJS-N.aspx - WORKs

For a quick workaround (not a permanent solution) if you copy the end bit of the URL 'malexpjsn.html' and search, Google does I good job of finding the page (if it does exist)...

The pages are created automatically and if detection are updated/names changed, there can be pages moving about and hence some broken links.  As I said, I'll look into what we can do.