Pagefile.sys virus - False positive?

Hey,

I have a Sophos client reporting the following as multiple different viruses:

Virus/spyware Not cleanable Mal/Iframe-F \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Not cleanable Mal/Badsrc-C \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Not cleanable Troj/Fujif-Gen \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Not cleanable Troj/Iframe-CG \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Cleanup failed Troj/Badsrc-M \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys


This showed up the same day as the now infamous Shh/Updater-B false positives.

At first I ignored it because I figured it would start to show on multiple computers, but it didn't.

It only showed on a single computer so now I am not sure if this is a false positive or not. Can the pagefile.sys get infected by a virus?

Has anyone seen this behaviour before? And if so, should I take action to clean it? Or can it be ignored as a false positive?

Thank you.
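
As an added triage helper (not code from this thread or from Sophos), the following parses console alert lines like the ones quoted above and groups them by VSS snapshot and file name, so detections inside a shadow copy of pagefile.sys are separated from detections on the live volume. The status strings, the extra invoice.exe contrast line and the hint wording are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the five alert lines from the post plus one constructed live-volume line.
SAMPLE_ALERTS = r"""
Virus/spyware Not cleanable Mal/Iframe-F \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Not cleanable Mal/Badsrc-C \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Not cleanable Troj/Fujif-Gen \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Not cleanable Troj/Iframe-CG \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Cleanup failed Troj/Badsrc-M \\.\GLOBALROOT\Device\HarddiskVolumeShadowCopy13\pagefile.sys
Virus/spyware Cleaned up Troj/Example-A C:\Users\todd\Downloads\invoice.exe
"""
# "<type> <status> <threat name> <path>": status is free text, so match it lazily up to a Family/Name-Suffix token.
ALERT_RE = re.compile(
    r"^(?P<kind>\S+)\s+(?P<status>.+?)\s+"
    r"(?P<name>[A-Za-z]+/[A-Za-z0-9]+-[A-Za-z0-9]+)\s+"
    r"(?P<path>\\\\.+|[A-Za-z]:\\.+)$"
)
SHADOW_RE = re.compile(r"HarddiskVolumeShadowCopy(\d+)", re.IGNORECASE)
MEMORY_IMAGES = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}  # paged-out/hibernated memory, not executables

def parse_alerts(text):
    """Return one dict (kind, status, name, path) per parseable alert line."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ALERT_RE.match(line.strip()))]

def classify_path(path):
    """Return (VSS snapshot number or None, lower-case file name, is_memory_image)."""
    m = SHADOW_RE.search(path)
    filename = path.rsplit("\\", 1)[-1].lower()
    return (int(m.group(1)) if m else None), filename, filename in MEMORY_IMAGES

def triage(text):
    """Group detections by (snapshot, file) and attach a hint for the responder."""
    groups = defaultdict(set)
    for alert in parse_alerts(text):
        snapshot, filename, _ = classify_path(alert["path"])
        groups[(snapshot, filename)].add(alert["name"])
    report = {}
    for (snapshot, filename), names in groups.items():
        if snapshot is not None and filename in MEMORY_IMAGES:
            hint = ("memory image inside a VSS snapshot: check the live volume for the same names; "
                    "if clean, see whether the snapshot still exists (vssadmin list shadows)")
        elif snapshot is not None:
            hint = "file inside a VSS snapshot: locate and scan the live copy"
        else:
            hint = "live file: handle as an active detection"
        report[(snapshot, filename)] = {"names": sorted(names), "hint": hint}
    return report
```

Running triage(SAMPLE_ALERTS) puts all five post detections in one (13, "pagefile.sys") group with the snapshot hint, and the constructed invoice.exe line in its own live-file group.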

  • Hello Todd,

    just to make sure I'm not misreading your post: "It is still showing on my console" - AFAIK once reported to the console an alert is only cleared if

    • an automatic cleanup is already in progress and the client reports successful completion
    • a cleanup/delete is requested (locally or from SEC) and the client reports successful completion
    • the alert is acknowledged (locally or from SEC)

    A subsequent negative scan will not clear the alert. So - does the detection recur?

    As for deletion: I don't think that the deletion is intercepted - only if you open the Quarantine Manager on the client a "rescan" is done and if the threat is not found the alert subsequently removed (but that's just how I think it is).

    Christian
