
%win%/system32/regsvr32.exe quarantined

I've got a user with an XP box running Sophos v9.5.  Sophos has quarantined Windows/system32/regsvr32.exe.

I'm finding conflicting posts about the essential importance/dangers of this file.  Microsoft states:

http://support.microsoft.com/kb/249873

Regsvr32.exe is included with Microsoft Internet Explorer 3.0 or later versions, Windows 95 OEM Service Release 2 (OSR2) or later versions, and Windows NT 4.0 Service Pack 5 (SP5) or later versions. Regsvr32.exe is installed in the System (Windows Me/Windows 98/Windows 95) or System32 (Windows NT/Windows XP/Windows Vista/Windows 7) folder.

Note: On a 64-bit version of a Windows operating system, there are two versions of the Regsvr32.exe file:

  • The 64-bit version is %systemroot%\System32\regsvr32.exe.
  • The 32-bit version is %systemroot%\SysWoW64\regsvr32.exe.

Sophos does not identify it as a threat anywhere on its website but apparently due to its role the Sophos client quarantines it.

Can I take this file out of quarantine and restore it?

thanks



  • Hi,

    Regsvr32.exe in \Windows\System32\ is a genuine file, well it is a file that should exist in that location.  That's not to say the file you have is the version that should be there.  It could have been switched by malware but unless the machine has been infected by a virus such as Sality or any malware that just infects everything it sees I would think it highly unlikely.  You would have far more entries in the quarantine if that were the case as most exe files on the machine would be infected by now.

    You don't say what it has been detected as or via, I'm guessing it's been reported as exhibiting suspicious behaviour? Regsvr32.exe is used typically to install software as it registers dlls, exe, ocx files etc. when installing COM objects and such.  

    Can you post back what has been detected?
    E.g. Suspicious behavior pattern 'HIPS/RegMod-014'. 

    Regards,

    Jak

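    Jak's point that the file in System32 may or may not be the copy that belongs there can be checked before restoring it from quarantine. The following script is an added example for this thread, not code from Sophos, Microsoft or anyone posting here. It assumes a known-good reference copy is at hand (on XP the Windows File Protection cache %SystemRoot%\system32\dllcache\regsvr32.exe, or the file from the install media, both assumptions about the reader's setup) and compares the restored file against it on three points that file infectors such as Sality typically change: the hash, which PE section the entry point lands in, and whether bytes have been appended after the last section. The minimal PE images it runs on when no paths are given are constructed in the script for offline use.

```python
"""Compare a restored regsvr32.exe with a trusted reference copy.

Added example for this thread (not Sophos or Microsoft code).  It assumes a
reference copy is available, for instance the Windows File Protection cache at
%SystemRoot%\\system32\\dllcache\\regsvr32.exe on XP or the file from the
install media, and checks three things that a file-infecting virus such as
Sality commonly changes: the hash, which section the entry point lands in, and
whether bytes have been appended after the last section.
"""
import hashlib
import struct
import sys


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_summary(data: bytes) -> dict:
    """Parse the PE headers and report the entry-point section and overlay size."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = opt + opt_size
    ep_section = None
    last_raw_end = 0
    for i in range(nsections):
        hdr = sections + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        if vaddr <= entry_rva < vaddr + max(vsize, rawsize):
            ep_section = name
        last_raw_end = max(last_raw_end, rawptr + rawsize)
    return {
        "sections": nsections,
        "entry_point_section": ep_section,
        "overlay_bytes": max(0, len(data) - last_raw_end),
    }


def check_against_reference(candidate: bytes, reference: bytes) -> dict:
    """List the ways the candidate differs from the reference copy."""
    cand, ref = pe_summary(candidate), pe_summary(reference)
    identical = sha256_of(candidate) == sha256_of(reference)
    findings = []
    if not identical:
        findings.append("SHA-256 differs from the reference copy")
    if cand["entry_point_section"] != ref["entry_point_section"]:
        findings.append("entry point moved from section %r to %r"
                        % (ref["entry_point_section"], cand["entry_point_section"]))
    if cand["overlay_bytes"] > ref["overlay_bytes"]:
        findings.append("%d bytes appended after the last section" % cand["overlay_bytes"])
    return {"identical": identical, "findings": findings, "candidate": cand}


def build_sample_pe(entry_rva: int, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 image (two sections) used as offline sample input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    text = struct.pack("<8sIIII", b".text", 0x1000, 0x1000, 0x200, 0x200) + bytes(16)
    rsrc = struct.pack("<8sIIII", b".rsrc", 0x1000, 0x2000, 0x200, 0x400) + bytes(16)
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + rsrc)
    image.extend(bytes(0x600 - len(image)))  # raw section data ends at 0x600
    return bytes(image) + overlay


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
            result = check_against_reference(f.read(), g.read())
    else:  # no paths given: run on the constructed samples
        result = check_against_reference(build_sample_pe(0x2010, b"\x90" * 64),
                                         build_sample_pe(0x1010))
    print("identical:", result["identical"])
    for line in result["findings"]:
        print(" -", line)
```

    Run it as `python check_regsvr32.py C:\Windows\system32\regsvr32.exe C:\Windows\system32\dllcache\regsvr32.exe` (paths are assumptions for an XP machine). A matching hash is the only result that says the file is the copy that belongs there; a moved entry point or an appended overlay is a reason to treat the quarantined copy as suspect rather than restore it, and the detection name Jak asks for is still what Sophos support will want.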