
Fake AV Malware Not Stopped

Why doesn't Sophos stop malware, especially Fake AV malware, like it does viruses? We have a corporate license and all machines are up to date with Sophos AV, but more and more we spend too much time removing malware and tracking down other changes made by the malware that have disabled programs.



  • Hello RyanB,

    This year I have had computers in every site contract some type of malware

    Were these already known threats or "new" ones (or new variants)? I've had very few cases of FakeAV soaking in (in all but one case for the user - usually they are only members of the Users group). In most cases some of the components were detected by HIPS, but I also had a few where at first nothing was detected.

    Usually I try to identify the executables and search for fishy registry keys and additional suspect files (e.g. in TEMP or cache directories) - this takes less than a quarter of an hour - and submit the samples. You should receive a response after a few hours which looks like:

    Hello,
    
    Thank you for contacting Sophos Technical Support.
    
    **Please note that this is an automated response. If you have any questions, require assistance or clarification on this analysis, please feel free to reply to this email quoting this case number in the subject line.**
    
    The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.
    
    15.tmp -- identity created/updated (New detection Troj/FakeDpr-A) 
     svchost.exe -- identity created/updated (New detection Troj/FakeDpr-A) 
     dwm.exe -- identity created/updated (New detection Troj/FakeDpr-A) 
     stor.cfg -- non-malicious 
     9234310388.exe -- identity created/updated (New detection Troj/FakeAV-BZJ) 
     603996256.exe -- identity created/updated (New detection Troj/FakeAV-BZJ) 
     Security Tool.lnk -- non-malicious 
     9616366416.exe -- identity created/updated (New detection Troj/FakeAV-BZJ) 
     Anwendungsdaten.zip -- archive file 
     3B.tmp -- identity created/updated (New detection Troj/Agent-PJR) 
     dwm.exe -- identity created/updated (New detection Troj/FakeDpr-A) 
     dwm.exe -- identity created/updated (New detection Troj/FakeDpr-A) 
     svchost.exe -- identity created/updated (New detection Troj/FakeDpr-A) 
     stor.cfg -- non-malicious 
     shell.exe -- identity created/updated (New detection Troj/FakeDpr-A) 
     FakeBS.jpg -- clean 
    

    or perhaps

    The file(s) below are already detected with the latest version of Sophos Anti-Virus and the latest IDE definitions.
    
    MANIFEST.MF -- clean 
     AdgredY.class -- already detected 
     DyesyasZ.class -- already detected 
     LoaderX.class -- already detected 
     6973d79a-3594b9cf -- archive file 
     JavaJar-A.zip -- archive file 
     6973d79a-3594b9cf.idx -- non-malicious 
     
    Please update Sophos Anti-Virus, and run a Full System Scan to clean up this threat.
    

    Once the new identities have been published, no tools other than scans (in the "worst" case with SAV32CLI from safe mode) were necessary to remove the threats.

    Of course, if the users are Power Users or Administrators, penetration can go deeper. Still, this wouldn't explain why known threats are missed - unless the user either turns off on-access scanning or authorizes a suspect file (which should show as non-compliance with the AV policy).

    I've never heard back from SophosLabs after submitting samples

    Either Labs or local Support should reply with the results (unless you indicated that you've successfully removed the threat and/or don't need a reply) - if not, please contact Support.

    Christian

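The triage pass Christian describes (identify the executables, look for fishy autorun entries and suspect files in TEMP or profile directories, then hash and submit the samples) written out as a script. This is an added example, not code from the thread, from Christian, or from Sophos. It runs offline over constructed sample Run-key values and a constructed TEMP listing modelled on the file names in the lab response (svchost.exe and dwm.exe outside System32, 9234310388.exe, 15.tmp); on a live host you would feed it the actual Run-key values and directory listings instead. The system-name list, the user-writable directory list and the random-name pattern are assumptions of the example and are triage heuristics, not verdicts: a flagged file is something to look at and submit, not something proven malicious.

```python
"""
Added example: triage of FakeAV persistence artifacts on a Windows host.
Not code from the forum thread or from Sophos. Heuristics and sample data are
constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Process names that FakeAV droppers in the thread's lab response reused
# (svchost.exe, dwm.exe). The legitimate copies live under System32/SysWOW64,
# so the same name anywhere else is worth a look. (Assumed list.)
SYSTEM_NAMES = {"svchost.exe", "dwm.exe", "explorer.exe", "csrss.exe",
                "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Directory fragments a non-admin user can write to (English and German
# profile names, as the response mentions "Anwendungsdaten"). Assumed list.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\appdata\\",
                 "\\anwendungsdaten\\", "\\application data\\")

# Long all-digit .exe names and short hex .tmp names, as in 9234310388.exe,
# 15.tmp and 3B.tmp from the response. Office's ~DFxxxx.tmp files do not match.
RANDOM_NAME = re.compile(r"^(?:\d{6,}\.exe|[0-9a-f]{1,4}\.tmp)$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reasons: list
    sha256: str  # empty when the file content was not available


def executable_from_command(cmd: str) -> str:
    """Extract the executable path from an autorun command line
    ('"C:\\x y\\a.exe" /s' -> 'C:\\x y\\a.exe')."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def suspicious_reasons(path: str) -> list:
    """Return the heuristic reasons a file path looks like a FakeAV component.
    An empty list means nothing was flagged (not that the file is clean)."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent).lower()
    low = path.lower()
    reasons = []
    if name in SYSTEM_NAMES and not parent.startswith(SYSTEM_DIRS):
        reasons.append("system process name outside System32")
    if RANDOM_NAME.match(name):
        reasons.append("random numeric/hex file name")
    if name.endswith(".exe") and any(d in low for d in USER_WRITABLE):
        reasons.append("executable in user-writable temp/profile directory")
    return reasons


def triage(autoruns: dict, temp_listing: list, contents: dict) -> list:
    """autoruns: {value name: command line} as read from the Run keys;
    temp_listing: file paths from TEMP/cache directories;
    contents: {path: bytes} standing in for reading the files from disk.
    Returns one Finding per flagged path, in discovery order."""
    candidates = [executable_from_command(c) for c in autoruns.values()]
    candidates += temp_listing
    seen, findings = set(), []
    for path in candidates:
        if path.lower() in seen:
            continue
        seen.add(path.lower())
        reasons = suspicious_reasons(path)
        if not reasons:
            continue
        data = contents.get(path)
        digest = hashlib.sha256(data).hexdigest() if data is not None else ""
        findings.append(Finding(path, reasons, digest))
    return findings


def submission_manifest(findings: list) -> list:
    """Lines to accompany a sample submission: hash, path, reasons."""
    return [f"{f.sha256 or '-':64}  {f.path}  [{'; '.join(f.reasons)}]"
            for f in findings]


# Constructed sample data (not captured from a real host).
SAMPLE_AUTORUNS = {
    "ctfmon.exe": r"C:\Windows\System32\ctfmon.exe",
    "Security Tool": r'"C:\Documents and Settings\All Users\Anwendungsdaten\9234310388\9234310388.exe" /s',
    "dwm": r"C:\Documents and Settings\user\Anwendungsdaten\dwm.exe",
}
SAMPLE_TEMP = [
    r"C:\Documents and Settings\user\Local Settings\Temp\15.tmp",
    r"C:\Documents and Settings\user\Local Settings\Temp\~DF1234.tmp",
    r"C:\Windows\System32\svchost.exe",
]
SAMPLE_CONTENTS = {
    r"C:\Documents and Settings\All Users\Anwendungsdaten\9234310388\9234310388.exe": b"MZ\x90\x00" + b"\x00" * 60,
    r"C:\Documents and Settings\user\Anwendungsdaten\dwm.exe": b"MZ\x90\x00" + b"\x01" * 60,
}

if __name__ == "__main__":
    for line in submission_manifest(triage(SAMPLE_AUTORUNS, SAMPLE_TEMP, SAMPLE_CONTENTS)):
        print(line)
```

Against the sample data the script flags the numeric-named Security Tool executable, the dwm.exe sitting in a profile directory and 15.tmp, and leaves the System32 copies of ctfmon.exe and svchost.exe alone. The hashes are what you would quote when submitting the files so the lab reply can be matched back to each sample.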