Many Troj/SwfExp-BT Alerts

Anybody else getting spammed with alerts about Troj/SwfExp-BT?  Wondering if I have an actual problem or another bad def update.

  • I am getting the alerts too.  Have you found anything out yet?
  • I too am getting many detections and thankfully removals.  I'm wondering why the on-access scanner didn't catch these. I'm also using the Sophos Web Security Appliance and it got through that too, WHY?
  • Same thing happening here.  These alerts started showing up last night when our 9:00 scheduled scan started running for our end users.
  • I too am seeing many of these.  Are they false positives?
  • I am seeing them too.  I believe it's a false positive.  I've got a dozen or more detections on various machines.  One of the machines it got detected on hasn't been used in 6 months.  It was detected under the user profile of a staff member whose Active Directory user account is disabled and who has been on maternity leave for 6 months.  So unless Sophos just recently updated their definition files to catch this particular variant (which I doubt), this is a false positive.

    Also, a message for Sophos in case anyone is monitoring this thread.  When I go to the URL below to search for 'Troj/SwfExp-BT', it returns zero results.  It's a little unnerving when your enterprise AV product is getting hits on a virus and you go the vendor to get more information about the malware and it's coming up blank.

    http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware.aspx

    So, rather than searching for the exact variant, I just searched for 'Troj/SwfExp' under 'all threats'.  It tells me it found 144 results and displays page 1-10.  So I click next and it displays results 11-20.  So I click next again and then the total results switch to only 21.  And it displays 21-21.  It goes from telling me it found 144 results on page 1 to 21 results on page 3.  Something is broken.  In short, searching this library for anything useful relating to 'Troj/SwfExp' isn't worth a **bleep**.

  • Sophos - we expect an answer on this! Please respond!
  • In my case, it looks like every machine that alerted triggered on a temporary internet file named masthead_child-vflRMMO6_[1].swf.  They only alerted on a scheduled scan, not on-access scanning.

    Perhaps the def had been updated and that's why it didn't detect them when the files were created. 

    The files have been removed, so I can't examine them.

    After the initial .swf detection, the rest are tons of registry entries on each affected machine.  It appears to be every user SID on each machine that had one of the .swf files on it, with hits on HKU\SID\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun, NoFind, NoFolderOptions, NoRun, and System\DisableRegistryTools, System\DisableTaskMgr.

    I need to check if these registry entries were already part of our policy and Sophos is just hitting on them after the .swf detection.

    Couldn't get through to Sophos support on Friday - phone tree stopped responding to prompts and then would hang up on me.  May have been a google voice issue though, not Sophos.
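The check the previous post describes (are the flagged Explorer/System policy values already set by our own policy, for every profile on the box?) can be done from an elevated PowerShell prompt. The script below is an added example and is not code from the thread or from Sophos: it walks every local user profile via ProfileList, loads hives that are not currently mounted under HKEY_USERS (the ones for users who have not logged on in months, like the profile mentioned above), and lists exactly the value names the post names. These values are ordinary Explorer/System lockdown policies that Group Policy sets legitimately and that malware also likes to set, so their presence alone says nothing until compared with what your GPOs are supposed to apply. The temporary hive name `SophosCheck` is an assumption of this script.

```powershell
# Added example (not from the original thread): enumerate the Explorer/System
# policy values the posters saw Sophos flag, for every user profile on this
# machine, so they can be compared with the settings Group Policy should apply.
# Run elevated. Value names are those named in the post above; the temporary
# hive name 'SophosCheck' is an assumption of this script.

$PolicyChecks = @(
    @{ SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names  = 'DisallowRun','NoFind','NoFolderOptions','NoRun' },
    @{ SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names  = 'DisableRegistryTools','DisableTaskMgr' }
)

function Get-PolicyHits {
    # $HivePath is a provider path such as 'Registry::HKEY_USERS\S-1-5-21-...'
    param([Parameter(Mandatory)][string]$HivePath, [string]$Label)

    foreach ($check in $PolicyChecks) {
        $key = "$HivePath\$($check.SubKey)"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $check.Names) {
            $prop = $props.PSObject.Properties[$name]
            if ($null -ne $prop) {
                [pscustomobject]@{ Profile = $Label; Key = $check.SubKey; Name = $name; Value = $prop.Value }
            }
        }
    }

    # DisallowRun is also a subkey whose values list the executables that are blocked.
    $disallow = "$HivePath\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
    if (Test-Path -LiteralPath $disallow) {
        (Get-ItemProperty -LiteralPath $disallow).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |      # drop the provider's PSPath etc.
            ForEach-Object {
                [pscustomobject]@{ Profile = $Label; Key = 'Policies\Explorer\DisallowRun'; Name = $_.Name; Value = $_.Value }
            }
    }
}

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$results = foreach ($entry in Get-ChildItem -LiteralPath $profileList) {
    $sid = $entry.PSChildName
    if ($sid -notmatch '^S-1-5-21-') { continue }          # skip SYSTEM / service account profiles
    $profileDir = (Get-ItemProperty -LiteralPath $entry.PSPath).ProfileImagePath
    $label = "$sid ($profileDir)"

    if (Test-Path -LiteralPath "Registry::HKEY_USERS\$sid") {
        # Hive already mounted (user logged on, or profile hive retained by Windows)
        Get-PolicyHits -HivePath "Registry::HKEY_USERS\$sid" -Label $label
    }
    else {
        # Dormant profile: mount NTUSER.DAT temporarily so it can be inspected too
        $ntuser = Join-Path $profileDir 'NTUSER.DAT'
        if (-not (Test-Path -LiteralPath $ntuser)) { continue }
        & reg.exe load 'HKU\SophosCheck' $ntuser | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $ntuser"; continue }
        try {
            Get-PolicyHits -HivePath 'Registry::HKEY_USERS\SophosCheck' -Label $label
        }
        finally {
            [GC]::Collect()                               # release handles so the unload succeeds
            & reg.exe unload 'HKU\SophosCheck' | Out-Null
        }
    }
}

$results | Sort-Object Profile, Key, Name | Format-Table -AutoSize
```

Compare the output with the user-side Administrative Templates in `gpresult /h report.html` for the same users: a value that your GPO sets is expected on every profile and is not evidence of infection; a value present on a profile that no policy should touch is the one worth chasing. If a hive refuses to load because the user is logged on elsewhere or the profile is roaming, the mounted copy under HKEY_USERS is the one to look at instead.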
  • Hello theaudioman,

    While this forum is intended for self-help and Sophos might respond here, you should contact Support directly - please see Sophos Anti-Virus: "false positives" and "unwanted detections".

    Christian
  • I found and submitted one of the detected files and Sophos confirmed that the file was not malicious, but was not able to give me any information as to whether or not it was a false positive.

    Thanks for the update, Sandy.