
Not cleanable viruses...

Hi,

Tried finding some articles on the matter to no avail... Every now and then I get a virus notification for an end point PC that is classed "not cleanable". I look it up on the Sophos website to see if there is any info on it, usually not, so I try to submit a sample. The log lists the file location, usually in the temp internet files, but whenever I try to locate the file I can never get to the bottom of the file path as it simply isn't there and there is nothing in the end point PC's quarantine.

So just wondering what the go is here, how can I submit samples of uncleanable viruses when I can never obtain a copy of the files?

What is the general process everyone else uses when confronted with the same situation?

Thanks,


Craig

  • Hello Craig,

    Most of the time I just acknowledge them. If it's not in the quarantine it is either gone (Sophos will not interfere if a file is simply deleted) or it didn't make it to disk at all (in case of scan on write). It might be that it is not cleanable or cleanup might have failed because it "disappeared" too soon.
    If you want to collect samples you have to use Deny access and move ... (but you have to decide on it in advance of course because it might no longer be there if you scan for it). Usually I set up a writable share on a machine used especially for this purpose and exclude the folder from scanning (otherwise it might "inadvertently" get scanned). It'd be nice if Sophos would (zip and) password protect it when it moves the file - for now it just gives it the extension .000 to prevent it from being run.

    Christian
