
Many Troj/SwfExp-BT Alerts

Anybody else getting spammed with alerts about Troj/SwfExp-BT?  Wondering if I have an actual problem or another bad def update.



  • In my case, it looks like every machine that alerted triggered on a temporary internet file named masthead_child-vflRMMO6_[1].swf.  They only alerted on a scheduled scan, not on-access scanning.

    Perhaps the def had been updated and that's why it didn't detect them when the files were created. 

    The files have been removed, so I can't examine them.

    After the initial .swf detection, the rest are tons of registry entries on each affected machine.  It appears to be every user SID on each machine that had one of the .swf files on it, with hits on HKU\SID\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun, NoFind, NoFolderOptions, NoRun, and System\DisableRegistryTools, System\DisableTaskMgr.

    I need to check if these registry entries were already part of our policy and Sophos is just hitting on them after the .swf detection.

    Couldn't get through to Sophos support on Friday - the phone tree stopped responding to prompts and then would hang up on me.  May have been a Google Voice issue though, not Sophos.

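An added PowerShell check (not from this thread or from Sophos) that lists the policy values named above for every user hive currently loaded under HKEY_USERS, so the output can be compared against what your Group Policy actually sets; it assumes it is run elevated on one of the affected machines.

```powershell
# Added example: enumerate the Explorer/System policy values flagged in the alerts
# for each real user SID loaded under HKEY_USERS. Run elevated on the machine.

# PowerShell has no HKU: drive by default; map one to HKEY_USERS.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Value names from the alerts, grouped by the policy subkey they live under.
$policyValues = @{
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('DisallowRun', 'NoFind', 'NoFolderOptions', 'NoRun')
    'Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableRegistryTools', 'DisableTaskMgr')
}

# Domain/local user SIDs only (S-1-5-21-...); skip the *_Classes hives and service accounts.
$userSids = Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { $_.PSChildName }

$findings = foreach ($sid in $userSids) {
    foreach ($subkey in $policyValues.Keys) {
        $path = "HKU:\$sid\$subkey"
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($name in $policyValues[$subkey]) {
            # Only report values that are actually present; absent values mean no restriction.
            if ($null -ne $props.$name) {
                [pscustomobject]@{
                    SID   = $sid
                    Key   = $subkey
                    Name  = $name
                    Value = $props.$name
                }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'None of the listed policy values are set for any loaded user hive.'
}
```

A value that shows up here but is not in the Group Policy result for that user (for example from `gpresult /h report.html`) was set by something other than your policy and is worth a closer look; a value that matches policy is just the scanner flagging a setting you deployed on purpose.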