
%win%/system32/regsvr32.exe quarantined

I've got a user with an XP box running Sophos v9.5.  Sophos has quarantined Windows/system32/regsvr32.exe.

I'm finding conflicting posts about the essential importance/dangers of this file.  Microsoft states:

http://support.microsoft.com/kb/249873

Regsvr32.exe is included with Microsoft Internet Explorer 3.0 or later versions, Windows 95 OEM Service Release 2 (OSR2) or later versions, and Windows NT 4.0 Service Pack 5 (SP5) or later versions. Regsvr32.exe is installed in the System (Windows Me/Windows 98/Windows 95) or System32 (Windows NT/Windows XP/Windows Vista/Windows 7) folder.

Note: On a 64-bit version of a Windows operating system, there are two versions of the Regsvr32.exe file:

  • The 64-bit version is %systemroot%\System32\regsvr32.exe.
  • The 32-bit version is %systemroot%\SysWoW64\regsvr32.exe.

Sophos does not identify it as a threat anywhere on its website, but apparently due to its role the Sophos client quarantines it.

Can I take this file out of quarantine and restore it?

thanks


  • Hi,

    Regsvr32.exe in \Windows\System32\ is a genuine file, well it is a file that should exist in that location.  That's not to say the file you have is the version that should be there.  It could have been switched by malware, but unless the machine has been infected by a virus such as Sality or any malware that just infects everything it sees, I would think it highly unlikely.  You would have far more entries in the quarantine if that were the case, as most exe files on the machine would be infected by now.

    You don't say what it has been detected as or via; I'm guessing it's been reported as exhibiting suspicious behaviour? Regsvr32.exe is typically used to install software, as it registers dll, exe, ocx files etc. when installing COM objects and such.

    Can you post back what has been detected?
    E.g. Suspicious behavior pattern 'HIPS/RegMod-014'.

    Regards,

    Jak

  • I am having the same issue with Sophos quarantining c:\windows\SysWoW64\regsvr32.exe (i.e., %systemroot%\SysWoW64\regsvr32.exe). The OS is Windows Server 2008 R2. The suspicious behavior is indicated as HIPS/RegMod-009. I did a full scan of the system and it came back with zero infections of any sort.
  • Hi,

    It's highly likely that the machine isn't infected. The alert was just to say some event of note happened that you may want to be aware of, and the process that initiated the behavior was regsvr32.exe.  It really depends what was going on on the machine when it occurred, i.e., were you installing software or changing system settings, those sort of things that the HIPS rules monitor?


    The analysis for this HIPS rule (http://www.sophos.com/en-us/threat-center/threat-analyses/suspicious-behavior-and-files/HIPS~RegMod-009/detailed-analysis.aspx) doesn't give too much away as to exactly what registry key was being changed by the regsvr32.exe process.  You might have to call Support to get such information.

    For example, if I install a piece of software on my machine which creates a startup key for itself, which is legitimate for that software, and I get a suspicious alert, I would know the probable cause was me installing the software, so I can make an informed decision to allow it. If I got a HIPS alert for a startup key being created when I wasn't installing software, I'd be more concerned, especially if the file that created the key was called virus.exe.

    Hope this helps.
    Jak

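Before deciding whether the quarantined file can be restored, the two points raised above (is the copy in System32/SysWoW64 genuine, and what was happening on the machine when the HIPS rule fired) can be checked from PowerShell. This is an added example, not code from the thread or from Sophos; it assumes PowerShell 2.0 or later on Vista/Server 2008 R2 (the sfc and event-log steps are not available on XP), and $Path and $AlertTime are placeholders to fill in from the alert.

```powershell
# Added example, not code from the thread: checks an admin can run before restoring
# a quarantined regsvr32.exe. Assumes PowerShell 2.0+ on Vista/2008 R2 or later
# (on XP only the version/hash step applies); $AlertTime is a placeholder for the
# timestamp shown in the Sophos HIPS alert.
param(
    [string]$Path = "$env:SystemRoot\System32\regsvr32.exe",
    [datetime]$AlertTime = (Get-Date)   # placeholder: replace with the HIPS alert time
)

# 1. Is the file Microsoft-signed? Caveat: on older Windows builds system binaries
#    are catalog-signed, so Get-AuthenticodeSignature can report 'NotSigned' for a
#    genuine copy; in that case rely on step 2 or Sysinternals sigcheck.exe instead.
$sig = Get-AuthenticodeSignature -FilePath $Path
"{0}: signature {1}, signer '{2}'" -f $Path, $sig.Status, $sig.SignerCertificate.Subject
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-Warning "Embedded signature not verified - confirm with step 2 before restoring."
}

# 2. Compare the file against the protected system copy (Vista/2008 R2 and later).
#    An 'integrity violation' in the output means the file on disk was replaced.
& "$env:SystemRoot\System32\sfc.exe" /verifyfile=$Path

# 3. Record version and SHA-256 so the file can be compared with a known-good machine
#    at the same patch level (the 32-bit SysWoW64 copy differs; compare like with like).
$vi = (Get-Item $Path).VersionInfo
"File version {0}" -f $vi.FileVersion
$fs = [System.IO.File]::OpenRead($Path)
try {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    "SHA256: " + (($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '')
} finally { $fs.Close() }

# 4. Was software being installed when the alert fired? regsvr32.exe registering
#    components during an install (MsiInstaller events in the Application log) is
#    the benign explanation given in the thread; no install activity at that time
#    merits a closer look at what else was running.
$window = New-TimeSpan -Minutes 15
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'MsiInstaller'
    StartTime    = $AlertTime - $window
    EndTime      = $AlertTime + $window
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt, since sfc needs administrator rights; on a 64-bit host run it once per copy with $Path pointing at System32 and then at SysWoW64.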