
Sophos cleaning

Any suggestions as to why Sophos can't clean a user's recycle bin, appdata (also local appdata), and areas where temp internet files are stored under the user?

Thanks.

  • Hello LimonPaani,

    that's a lot of answers needed :smileyhappy: (or maybe it's because Sophos can't clean is imprecise :smileytongue:).

    can't clean ... areas

    Cleanup works starting from a detection (usually a file, sometimes memory ...). The detection is recorded and if there is a cleanup routine associated with the threat it is dispatched. It might scan for potential related items (e.g. modified registry keys, additional rogue files in "the usual places") attempting to clean up (which can also simply mean: delete) what is found.

    It cannot clean/delete locked files (e.g. the image a rogue application is still running from), it will not manipulate archives (i.e. change or delete items within), and when running in a user's context the user's permissions apply.

    can't clean might also mean a failed cleanup ... it's better you ask specific questions if the above is not sufficient.

    Christian

  • My suspicions are that it cannot clean areas...

    Here are some examples; the username has been removed.

    _______

    Virus/spyware 'Mal/ObfJS-J' has been detected in "C:\Users\***\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1SWCPUF5\scroll[7].js". Cleanup unavailable.

    ______

    Virus/spyware 'Mal/ObfJS-J' has been detected in "C:\Users\***\AppData\Local\Mozilla\Firefox\Profiles\072ap0wr.default\Cache.Trash29837\D\A9\5DE40d01". Cleanup unavailable.

    _____

    Virus/spyware 'Troj/Kryptik-BT' has been detected in "C:\$Recycle.Bin\S-1-5-21-1922389593-698904393-313073093-15095\$RC1TZZB.exe\FILE:0002". Cleanup unavailable.

    ____

    File "C:\$Recycle.Bin\S-1-5-21-1922389593-698904393-313073093-14221\$RM3T4QF.exe\FILE:0007" belongs to adware or PUA 'SAHAgent' (of type Other).

    Adware or PUA 'SAHAgent' is not removable.

    _______

    Virus/spyware 'Mal/ObfJS-CZ' has been detected in "C:\Users\***\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IZG9J89D\admin-ajax[1].php". Cleanup unavailable.

    As I've stated in my message, it appears to me Sophos has issues with Temporary Internet files and so forth. Either it simply can't clean every single one that has come through or I've got an incorrect setting.

    My concern is that a lot of bad stuff generally comes from a user simply browsing. I just want to make sure my protection is at least in place and functioning to its capacity.

    If the user's permissions apply, then how do we proceed to correct them?

  • Hello LimonPaani,

    thanks for the examples. It's not the areas but the threats - that they are in specific areas is partly due to the nature of their "vectors" (e.g. the .js and .php files in a browser's cache). The items in the $Recycle.Bin have either been deleted or put there by the malware (yes, it is possible to use $Recycle.Bin like any other location).

    Cleanup unavailable

    Just what it says - it's not feasible to reliably remove just the offending code (or a dependable cleanup routine has not yet been written - you wouldn't want the publishing of a detection to be delayed, and you therefore unnecessarily exposed, just because the cleanup routine is not yet completed). If the alternate action is Delete (use with caution!) the entire file will be deleted. Clean means either remove the threatening part and leave the rest intact or delete the entire file - the latter is not automatically done for "generic" detections though.

    belongs to adware or PUA 'SAHAgent'

    Adware and PUA is a specific class of (potential) threats, please see the Overview article. They will not be automatically cleaned up by on-access.

    If the user's permissions apply then how do we proceed to correct them

    There's nothing to correct - if a user attempts to execute some malware from a location he's not permitted to write to, the file can naturally neither be cleaned nor deleted under the user context. Or a yet unknown malware might modify the permissions of its components (or other malware it downloads) to prevent deletion by the user.

    As far as I can see, everything is working correctly. Many of the threats which aren't cleaned up need a certain context to execute (this applies e.g. for all the stuff in the browser's cache). As long as on-access is functioning correctly these "leftovers" pose no risk - if it isn't, you must be much more worried about "new" threats coming in undetected than some residual accidentally getting activated. Except for a few exceptions you can delete the stuff either with an "aggressive" on-access setting (not recommended) or a scheduled scan.

    Christian

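An added example, not part of this thread or of Sophos itself: a small parser that turns the alert lines quoted above into records and buckets them by location (browser cache, recycle bin, other AppData), so an admin can see at a glance that the "Cleanup unavailable" results cluster by threat type rather than by folder, as the reply explains. The `\FILE:nnnn` suffix is assumed to denote a component inside the listed file; the location buckets are my own.

```python
import re

# Constructed sample input: the alert lines quoted in this thread (user name already masked by the poster).
SAMPLE_ALERTS = [
    r"""Virus/spyware 'Mal/ObfJS-J' has been detected in "C:\Users\***\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1SWCPUF5\scroll[7].js". Cleanup unavailable.""",
    r"""Virus/spyware 'Mal/ObfJS-J' has been detected in "C:\Users\***\AppData\Local\Mozilla\Firefox\Profiles\072ap0wr.default\Cache.Trash29837\D\A9\5DE40d01". Cleanup unavailable.""",
    r"""Virus/spyware 'Troj/Kryptik-BT' has been detected in "C:\$Recycle.Bin\S-1-5-21-1922389593-698904393-313073093-15095\$RC1TZZB.exe\FILE:0002". Cleanup unavailable.""",
    r"""File "C:\$Recycle.Bin\S-1-5-21-1922389593-698904393-313073093-14221\$RM3T4QF.exe\FILE:0007" belongs to adware or PUA 'SAHAgent' (of type Other).""",
    r"""Adware or PUA 'SAHAgent' is not removable.""",
]

MALWARE_RE = re.compile(r"""^Virus/spyware '([^']+)' has been detected in "([^"]+)"\. (.+?)\.?$""")
PUA_RE = re.compile(r"""^File "([^"]+)" belongs to adware or PUA '([^']+)' \(of type [^)]+\)\.$""")
PUA_STATUS_RE = re.compile(r"""^Adware or PUA '([^']+)' is (not removable)\.$""")


def classify_location(path: str) -> str:
    """Bucket a detection path into the areas the question asks about (buckets are my own)."""
    p = path.lower()
    if "\\$recycle.bin\\" in p:
        return "recycle_bin"
    if "\\temporary internet files\\" in p or "\\firefox\\profiles\\" in p:
        return "browser_cache"
    return "appdata" if "\\appdata\\" in p else "other"


def parse_alerts(lines) -> list:
    """Return one dict per detection; a later 'not removable' line updates the matching PUA entry's status."""
    alerts = []
    for line in lines:
        if m := MALWARE_RE.match(line):
            kind, (name, path, status) = "malware", m.groups()
        elif m := PUA_RE.match(line):
            kind, (path, name), status = "pua", m.groups(), "reported"
        elif m := PUA_STATUS_RE.match(line):
            for a in alerts:
                if a["kind"] == "pua" and a["name"] == m.group(1):
                    a["status"] = m.group(2)
            continue
        else:
            continue
        alerts.append({
            "kind": kind, "name": name, "path": path, "status": status,
            "location": classify_location(path),
            # assumption: a trailing \FILE:nnnn names a component inside the listed file (a container/archive)
            "in_container": re.search(r"\\FILE:\d+$", path) is not None,
        })
    return alerts
```

Running `parse_alerts(SAMPLE_ALERTS)` yields four records: two browser-cache script detections, one trojan inside a container in $Recycle.Bin, and one PUA whose status is updated to "not removable" by the follow-up line.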