
Anyone seeing wsus content being detect as a mal/generic-l virus?

Five files were detected after a full scan today.  I have the latest virus definitions and the 9.7 client.  D:\WSUS\WsusContent\19\61640FF41A27B72A35669DD1E3698896ED089019.exe and four other files were detected.  I'm hoping it's a false positive.

  • Hi,

    I've not had the same detection but please send a sample to:

    https://secure.sophos.com/support/samples/

    so SophosLabs can fix it if it is a false positive.

    Regards,

    Jak

  • I did before I posted.  Also, Microsoft Security Essentials and Trend Micro HouseCall don't detect it as a threat.

  • Hello armyants ,

    Mal/Generic-L is - as its name implies - a generic detection. Thus occasional false positives are not surprising (and neither is the fact that other vendors do not detect a threat). OTOH I've seen Mal/Generic-L detecting quite a number of mutations as well as "new" threats and it's always a good idea to send in a sample.

    Christian   

  • Me too, I have the following WSUS files detected:

    \WSUS\WsusContent\4F\1860F71564F36C25E3049F040AC4F4DFC8BD974F.exe
    \WSUS\WsusContent\B3\0DD9662328846CA14F0EB198712C1DDF618AD8B3.exe
    \WSUS\WsusContent\DD\D7BCE73DAACE0729113CAEF26137F0EC369295DD.exe
    \WSUS\WsusContent\EA\36A0E8807D48D330718086C918A2A29AAB6C9DEA.exe
    \WSUS\WsusContent\19\61640FF41A27B72A35669DD1E3698896ED089019.exe
    \WSUS\WsusContent\70\F970CB3E3767638F36CA9E179845CEB3F1DA3370.exe
    \WSUS\WsusContent\83\F93011C4BAAA9DF62D56314E64416DD7F63EA983.exe

    Not sure what to do, the only option I have seems to be cleanup, and I can see these files in the authorization section of SEC.  Not even sure how to check which updates these files relate to and if they could be infected or bad.

    Any help with any of the above appreciated,

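    One way to answer the "which update does this file belong to, and is it still intact" question from the post above. This is an added example, not code from the thread or from Sophos; it assumes it runs on the WSUS server itself with the WSUS administration API available, and the sample path is one of the files reported in this thread.

    ```powershell
    # Added example: map a detected WsusContent file back to the update(s) that ship it,
    # and verify the file on disk still matches the SHA-1 that WSUS recorded for it.
    # Assumes: run on the WSUS server, WSUS admin API installed, read access to WsusContent.
    param(
        [string]$DetectedPath = 'D:\WSUS\WsusContent\EA\36A0E8807D48D330718086C918A2A29AAB6C9DEA.exe'
    )

    [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

    # WsusContent stores each payload as <last two hex chars>\<SHA-1 of content>.<ext>,
    # so the file name is the hash WSUS computed when it downloaded the file.
    $expectedHash = [System.IO.Path]::GetFileNameWithoutExtension($DetectedPath).ToUpperInvariant()

    # Re-hash the file on disk; a mismatch means the content changed after WSUS fetched it.
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($DetectedPath)
    try {
        $actualHash = ([System.BitConverter]::ToString($sha1.ComputeHash($stream))) -replace '-', ''
    } finally {
        $stream.Dispose()
    }
    if ($actualHash -ne $expectedHash) {
        Write-Warning "On-disk SHA-1 $actualHash does not match file name $expectedHash; treat this file as suspect."
    } else {
        Write-Host "On-disk content matches the SHA-1 WSUS recorded for this file."
    }

    # Walk the catalog and report every update whose installable files carry this hash.
    # GetUpdates() with no filter returns the whole catalog, so this can take a while.
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()
    foreach ($update in $wsus.GetUpdates()) {
        foreach ($item in $update.GetInstallableItems()) {
            foreach ($file in $item.Files) {
                $fileHash = ([System.BitConverter]::ToString($file.Hash)) -replace '-', ''
                if ($fileHash -eq $expectedHash) {
                    [pscustomobject]@{
                        Title    = $update.Title
                        KB       = ($update.KnowledgebaseArticles -join ',')
                        FileName = $file.Name
                        Approved = $update.IsApproved
                    }
                }
            }
        }
    }
    ```

    Knowing the KB and title lets you compare the file against the same package downloaded fresh from Microsoft before deciding whether to authorise it or clean it up.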
  • Hi all,

    I can confirm I have also seen this, yesterday and today, on two separate, isolated WSUS servers.

    Sophos, please confirm what the Generic-L detection specifically looks for.

    I am trying to gather a sample, and use an online sandbox to tell me what the suspected item actually does. However, I'd appreciate it if our vendor told us what was going on.

    Sorry to be pessimistic in advance, Sophos, but I've never had any information or feedback from you following the submission of samples - such as specific additions, deletions or alterations which would allow us to independently verify the health of systems following an infection.

    I do hope this occasion sees a change in that approach.

    Kind regards,

  • Hey,

    I have the exact same thing.

    It showed up on our SEC over the weekend.

    WSUS\WsusContent\EA\36A0E8807D48D330718086C918A2A29AAB6C9DEA.exe

    Any ideas on whether or not we need to be concerned about this?

    virscan.org did not find anything wrong with this file, but I am not sure how reliable that site is.

  • Count me in, too. Seems to include SCCM 2007 content as well. I would have to assume it is marking a recent MS update installer since detection is found within SCCM and WSUS. It seems to refer to the KB2478663 Security Update for Microsoft .NET Framework 4 which was published in June.

  • I did a submission of the file that was detected on our WSUS

    WSUS\WsusContent\EA\36A0E8807D48D330718086C918A2A29AAB6C9DEA.exe

    According to the email I received back from Sophos, this file is clean.

    Should we be authorizing this file manually? Or will Sophos be updating their database to reflect the false positive?

    Thanks Sophos for the quick response

  • I sent samples of all my files to Sophos and got the following reply from support -

    "Thank you for your email. The file that you sent to us for analysis is not malicious. This has created a false-positive detection. An IDE file that will stop Sophos detecting the item has been released earlier today. "

  • Thanks @ajsmith

    The response I got did not include that.

    I will leave it then and wait for the false-positive correction to come from Sophos.

    Once this comes, will the alert clear itself from the SEC? Or will we have to acknowledge the alert?

    In the past when I have authorised suspicious, the alert will generally clear itself, but not always.
