
Pagefile.sys virus - False positive?

Hey,

I have a Sophos client reporting the following as multiple different viruses:

Virus/spyware Not cleanable Mal/Iframe-F \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Not cleanable Mal/Badsrc-C \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Not cleanable Troj/Fujif-Gen \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Not cleanable Troj/Iframe-CG \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Cleanup failed Troj/Badsrc-M \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys


This showed up the same day as the now infamous Shh/Updater-B false positives.

At first I ignored it because I figured it would start to show on multiple computers, but it didn't.

It only showed on a single computer so now I am not sure if this is a false positive or not. Can the pagefile.sys get infected by a virus?

Has anyone seen this behaviour before? And if so, should I take action to clean it? Or can it be ignored as a false positive?

Thank you.



  • Please submit the file to labs for confirmation. At this point I would be cautious about deleting it from disk; currently it should be quarantined, as it is in the logs.

    Once you hear back from SophosLabs you will be in a better position to decide. The Troj and Mal headers suggest they are malicious due to a different detection than the infamous 'Shh/Updater-B' detection, which is listed as:

    “Virus/spyware 'Shh/Updater-B' has been detected in "C:\Program Files\Sophos\AutoUpdate\ALsvc.exe".”

    HTH

  • Hello toddh,

    normally pagefile.sys is not "deep-scanned", also note that the path refers to a ShadowCopy. Same day is likely coincidence.

    I'd say it's not a FP - but the path information could be incorrect (perhaps caused by the shadowing in progress). If you can spare the resources run a full scan (make sure it checks files with no extension - I'd expect these threats to be found in a browser cache).

    Christian

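    As an added triage helper (not code from the thread or from Sophos): it parses detection lines in the layout quoted in the first post, separates the `\\.\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\` paths Christian points out from live-volume paths, and groups the several signatures that hit one snapshot file. The sample lines are constructed; the `tmp.ebd` path and the live-volume entry are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout quoted in the first post (not a real SEC export):
# "Virus/spyware <status> <detection name> <path>". The tmp.ebd path and the last,
# live-volume line are invented so both path kinds appear side by side.
SAMPLE_LOG = r"""
Virus/spyware Not cleanable Mal/Iframe-F \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Not cleanable Mal/Badsrc-C \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Cleanup failed Troj/Badsrc-M \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Not cleanable Mal/EncPK-xx \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\Windows\Temp\tmp.ebd
Virus/spyware Cleaned up Troj/Iframe-CG C:\Users\user\AppData\Local\Temp\cache\a1b2c3
"""

LINE_RE = re.compile(
    r"^Virus/spyware\s+(?P<status>.+?)\s+(?P<name>[A-Za-z]+/[A-Za-z0-9.\-]+)\s+(?P<path>\S.*?)\s*$"
)
# A VSS snapshot exposed through the GLOBALROOT device namespace.
SHADOW_RE = re.compile(
    r"^\\\\\.\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy(?P<index>\d+)\\(?P<rel>.+)$",
    re.IGNORECASE,
)

def parse_detection(line):
    """Split one detection line into status, detection name and reported path."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_path(path):
    """Return (snapshot index or None, path relative to the volume root)."""
    m = SHADOW_RE.match(path)
    if m:
        return int(m.group("index")), m.group("rel")
    # Live path such as C:\...: drop the drive letter so both kinds compare alike.
    return None, re.sub(r"^[A-Za-z]:\\", "", path)

def summarize(log_text):
    """Group detections by the file they point at, so one stale snapshot file that
    trips several signatures (as in the original post) shows up as a single item."""
    out = defaultdict(lambda: {"names": set(), "statuses": set(), "snapshots": set(), "live": False})
    for line in log_text.splitlines():
        d = parse_detection(line)
        if not d:
            continue
        index, rel = classify_path(d["path"])
        entry = out[rel.lower()]
        entry["names"].add(d["name"])
        entry["statuses"].add(d["status"])
        if index is None:
            entry["live"] = True
        else:
            entry["snapshots"].add(index)
    return dict(out)

def snapshot_only_files(summary):
    """Files flagged only inside snapshots, never on the live volume: check whether the
    snapshot still exists before treating the host itself as infected."""
    return sorted(rel for rel, e in summary.items() if e["snapshots"] and not e["live"])
```

    Files returned by `snapshot_only_files` are the ones where a negative full scan of the live volume is expected, because the flagged bytes live only in the snapshot.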
  • @JoltBolt

    Thanks for your reply.

    You are right that it is reporting a totally different detection. I thought perhaps that it could be related.

    I will attempt to submit a file.

    I feel a little dumb here as I do not know exactly how to locate this file, but I will hunt around.

    @QC

    Thank you for your reply.

    After seeing that no other computers received this message I was thinking it was probably coincidence as well.

    I will run a full scan on the system as you suggested and see what I get back.

    Cheers

  • Hello,

    So I ran two scans. One with Sophos and one with another piece of software and each came back negative.

    Now I am a little bit confused... Perhaps QC you are correct that the original files were in browser cache and have since been deleted.

    I am not sure though. I will have to do some further checking on this system to make sure it is actually clean.

    thank you

  • Thought I should resurrect this thread having encountered an admittedly very few (less than 10 from about 4000 clients during several weeks) similar detections lately (both on 10.0 and 10.2). All in a shadow copy, not all in one of pagefile.sys though (a tmp.ebd belonging to MS Search is another example). Detections are Mal/EncPK-xx, Troj/Badsrc-xx.

    I'm not yet inclined to take this to Support given the prevalence of these spurious detections.

    Christian

  • Hi QC,

    Yes so far I have only had one instance of this detection.

    It is still showing on my console so it is definitely not a false positive. Although I am not entirely sure what it is.

    I have run other scans against the system using software like malwarebytes and all have come back negative.

    I found this from Symantec: How to clear the volumeShadow (sorry for posting a link to another anti-virus company, hopefully this is okay. If not I'll remove it).

    I am inclined to try just deleting the offending VolumeShadow and see if that successfully clears the detection.

  • Hello Todd,

    just to make sure I'm not misreading your post: "It is still showing on my console" - AFAIK once reported to the console an alert is only cleared if

    • an automatic cleanup is already in progress and the client reports successful completion
    • a cleanup/delete is requested (locally or from SEC) and the client reports successful completion
    • the alert is acknowledged (locally or from SEC)

    A subsequent negative scan will not clear the alert. So - does the detection recur?

    As for deletion: I don't think that the deletion is intercepted - only if you open the Quarantine Manager on the client a "rescan" is done and if the threat is not found the alert subsequently removed (but that's just how I think it is).

    Christian

  • Hey QC,

    No confusion... I don't think.

    Thank you for clarifying.

    I just wanted to add on to this thread since I am still dealing with this same notification.

    Out of curiosity, do these items show on the Sophos client? (if you have been able to check?)

    In my situation, there is no notification on the Sophos client. The SEC is the only indication that there is anything wrong.

    And yes, I have tried acknowledging the notification only to have it reappear after a full system scan.

    cheers

  • Hello Todd,

    the client I've checked does (or did) have the item in QM. The "offense" also seems to have disappeared as subsequent scans turn up nothing (guess the shadow copy no longer exists anyway).

    Christian
