This discussion has been locked.

W32/Small.CA

Hello

In our enterprise we work with SEC5 and Endpoint 10.0.2, on Win7 Enterprise 64b

Recently we got several workplaces where we get the message from Windows ActionCenter, that a (well known) virus was found and must be removed. This is called W32/Small.CA.

Question is now, why does Sophos not detect this threat? When doing a full system scan, nothing is found.

Best regards

Marco

:22933


  • Hello Marco,

    Question is now, why does Sophos not detect this threat?

    Did the ActionCenter tell you where it has been found? Microsoft's Threat Encyclopedia doesn't tell what distinguishes this particular detection. As you have probably seen "the Internet" either refers to W32.Small.R (which is "mapped by" Sophos' W32/SillyFDC-H) or to "the usual tools". I haven't seen a real resolution.

    Anyway, you should give SMaRT a try - it will eventually tell you how to collect some information and submit this to Support for investigation.

    Christian

    P.S.: I won't rule out that this is a false positive

    :22935
  • Hello,

    Is there any news about this topic?

    We have exactly the same issue: Windows Action Center is telling us about this virus detection, but a full scan with Sophos AV ends up without any detections.

    It's a false positive of Windows?

    best regards

    Frank-Michael

    :23049
  • Hello Frank-Michael ,

    same question: Do you have an idea where the threat is detected? I assume you are running Windows Defender (WAC is not a scanner, just the messenger). Defender logs (AFAIK) to the System and Application event logs and %ProgramData%\Microsoft\Windows Defender\Support.

    Without a sample no AV vendor can tell whether it's a false positive or not - and if it is, no vendor other than Microsoft can fix it. And without a "working sample" (i.e. one that reliably triggers the alert) or the responsible party's statement no one else will be able to tell you that it has been fixed.

    Christian

    :23051
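An added example (not part of the original posts, and not Sophos or Microsoft code): a PowerShell sketch that searches the locations named in the reply above, the System and Application event logs and the Defender Support directory, for any record of the detection. The search pattern, the 30-day window and the variable names are assumptions; an elevated session may be needed to read the Support directory.

```powershell
# Added example: look for any trace of the reported detection.
# Assumptions: the alert text contains "Small.CA" and occurred within the last 30 days.
$pattern = 'Small\.CA'
$since   = (Get-Date).AddDays(-30)

# 1. Event logs. Match on the rendered message text so the search does not
#    depend on knowing a particular provider name or event ID.
$events = foreach ($log in 'System', 'Application') {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, LogName, ProviderName, Id, Message
}

# 2. Defender support directory mentioned in the thread.
$supportDir = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Support'
$logHits = @()
if (Test-Path $supportDir) {
    $logHits = @(Get-ChildItem -Path $supportDir -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-String -Pattern $pattern)
} else {
    Write-Warning "Support directory not found or not readable: $supportDir"
}

# 3. Report. A file path in either result is what a vendor needs to request a sample.
if ($events) {
    Write-Output "Matching event log entries:"
    $events | Sort-Object TimeCreated | Format-List
}
if ($logHits.Count -gt 0) {
    Write-Output "Matching lines in Defender support logs:"
    $logHits | Select-Object Path, LineNumber, Line | Format-List
}
if (-not $events -and $logHits.Count -eq 0) {
    Write-Output "No record of '$pattern' in the event logs or in $supportDir."
    Write-Output "Without a recorded file path there is nothing to submit as a sample."
}
```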
  • We are seeing the same exact issue.  They are running through the smart guide to see if it picks anything up right now.  Doing some research elsewhere on the internet says that this is a real threat to windows, but most AVs aren't picking it up. 

    :24151
  • Hi,

    We also get those error messages on some Win7 x64 Ent. clients.

    Any link from the Action Center is guided to Microsoft sites or Microsoft partner sites where suggested removal tools from 3rd-party vendors were recommended.

    None of the Links in the Action Center, or the Event Logs of the System, or any other "deeper" Log in the System provides any kind of information of the File which seems to be infected...

    In my case, there is no way to send Sophos a File for the Labs to investigate, cause there is no File information :(

    :24487
  • I just got some update:

    This is a possible Microsoft false positive which was widely reported. See here:

    http://answers.microsoft.com/en-us/windows/forum/windows_7-security/windows-7-and-how-to-remove-win32smallca-virus/a6606dfb-a067-47b6-b353-3882a7c83cbe?page=2

    Somebody wrote there:..

    ...I suggest you turn off Windows Defender for a day or 2 & then see if the "warning" goes away.

    Press Windows-key
    type in Windows Defender
    select it and press Enter-key
    Press the Tools icon
    Press the Real-time protection on the left side.
    Then UN-check the box "Use real-time protection"
    Apply & exit applet

    Tell us what results you get.

    and.

    ...Thanks for your response.  Unfortunately, there is not much I can add.  The Windows Action Center reported, "Remove the Win32/Small.CA virus."  After going through all the steps you've read, I manually archived the message and there were no follow-up messages.  When I click on the archived message, there is no information other than an advisory to go online to learn about the solution.

    Maybe someone finds this useful...

    :24489
  • I too have found this Windows "Virus" warning and wondered what if anything to do about it.

    We are home users of Sophos with limited computing knowledge. So we find forums like this very helpful.

    I did take a screenshot of the detail of the Windows warning but I can't work out how to paste it here. Under the problem signature it gives the problem event name as APPCRASH and the fault module name as ntdll.dll

    Is this any help?

    :40819
  • Hello Tigerlily,

    please upload the screenshot to some sharing site and include the link here. And how is the APPCRASH related to W32/Small.CA? Any details you can remember of the sequence of events could be helpful.

    Christian

    :40821
  • Thanks for the reply.

    Have put the screenshot into DropBox - hope this is ok

    https://www.dropbox.com/s/eeexs4iebxsdnv7/Windows%20Flag.jpg

    This is what came up when I clicked on 'problem details'  in the Windows warning. (I only did this today even though the event was in February). So I don't know why Windows thinks this is related to a virus.

    I can't recall any particular incident on the February date listed. I have used Task Manager occasionally to end tasks that aren't responding - don't know if this is related.

    Thanks for your help

    :40825
  • Hello Tigerlily,

    perfect. The crash might or might not be unrelated - can you reproduce it? As for the virus warning - I have seen many reports but no solution or at least an explanation. Haven't checked recently but I don't think there is anything useful on the Microsoft sites. It's their product and their naming, so ... I'd just ignore it.

    Christian

    :40829