
CLBackup.exe false positive Suspicious Behavior detection

Hi All,

We use Commvault as our enterprise backup and I keep getting Suspicious behaviour detections on “c:\program files\commvault\Simpana\CLBackup.exe” “HIPS/FileWriteMod-003”

I acknowledge the detection and Authorize the application in the appropriate Anti-Virus and HIPS Policy – Suspicious Behaviour.

But with every new version increment of CLBackup.exe I have a new detection.

So far I have 6 versions of the authorized application of “CLBackup.exe”. I guess it’s really not that many when you look at it but….

Is there any way to authorize the application so that a new version doesn’t mean a new addition?

I understand that there may be security concerns with doing this but it’s starting to get annoying.

Does anyone else use Commvault and if you do, how do you manage this?

Regards,

John



  • Hello John,

    the analysis of HIPS/FileWriteMod-003 says that an attempt has been made to write to critical Sophos files. Dunno what these critical Sophos files are and I don't think CLBackup.exe actually attempts to modify the contents, but perhaps metadata. Depending on their attributes programs are considered trustworthy or not (otherwise you'd get lots of HIPS alerts). For an installer or occasionally used utilities a lack of trustworthiness is acceptable - but not for a routinely used application.

    I'd suggest you send a sample. Likely you will be told the sample is clean and that you can authorize it. You can then follow up on the case to discuss alternate solutions (e.g. what changes would have to be applied to CLBackup.exe so that it doesn't trigger a HIPS alert).

    Christian

  • Hi Christian,

    Sorry for the slow response, Sophos was slow to deal with (got the run around at the start), then Christmas happened, then I got sh!77y with their response and dropped it for a week or so. Anyway, here is what they said:

    ........................

    "Unfortunately, we cannot classify for all versions as they may vary. However, you can authorize them when they are detected after performing a full system scan and also including them in the authorized list within the HIPS policy."

    ........................

    So not really a very satisfying answer other than "No, and do what you're doing".

    I've just responded asking for an explanation into why they can't do it.

    I'm hoping that they can either include some kind of blanket authorization or assist me in doing as you suggest and getting CLBackup.exe changed by CommVault so that it stops triggering HIPS.

    Just for interest, I'd like to know who else uses CommVault and Sophos in their environments. I feel like the only one.

    End of rant

    Regards

    John

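Christian's reply points out that HIPS decides how much to trust a program from the binary's attributes, and John's problem is that every new build of CLBackup.exe has to be authorized by hand after it has already alerted. The script below is an added example, not from the thread and not Sophos or Commvault code: it records the attributes an admin would want on file before authorizing a build (file/product version, SHA256, Authenticode signature status and signer) and diffs them against a saved inventory, so a Commvault upgrade is spotted and the new build can be submitted or authorized before HIPS/FileWriteMod-003 fires again. It does not talk to Sophos Enterprise Console or change any policy; the inventory path and the install path are assumptions (the install path is the one quoted in the post).

```powershell
# Added example (not from the original thread, Sophos, or Commvault):
# inventory the attributes a HIPS authorization depends on and flag new builds.

# Assumptions: install path as quoted in the post; inventory location is arbitrary.
$Binary    = 'C:\Program Files\Commvault\Simpana\CLBackup.exe'
$Inventory = Join-Path $env:ProgramData 'hips-authorized-inventory.json'

function Get-BinaryTrustInfo {
    param([Parameter(Mandatory)][string]$Path)

    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path

    [pscustomobject]@{
        Path            = $item.FullName
        FileVersion     = $item.VersionInfo.FileVersion
        ProductVersion  = $item.VersionInfo.ProductVersion
        SizeBytes       = $item.Length
        LastWriteUtc    = $item.LastWriteTimeUtc.ToString('o')
        Sha256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        # 'Valid' = signed and the chain verifies on this host; 'NotSigned' or
        # 'HashMismatch' is what you want to know before writing an authorization rule.
        SignatureStatus = $sig.Status.ToString()
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    }
}

function Compare-BinaryInventory {
    param(
        [Parameter(Mandatory)][pscustomobject]$Current,
        [Parameter(Mandatory)][string]$InventoryPath
    )

    $known = @()
    if (Test-Path -LiteralPath $InventoryPath) {
        $known = @(Get-Content -LiteralPath $InventoryPath -Raw | ConvertFrom-Json)
    }

    # Match on hash, not on the version string: a rebuilt binary with the same
    # FileVersion is still a different file as far as HIPS is concerned.
    $seen = $known | Where-Object { $_.Sha256 -eq $Current.Sha256 }
    if ($seen) {
        return [pscustomobject]@{ Status = 'Known'; NeedsAuthorization = $false; Info = $Current }
    }

    # Same signing certificate as a previously recorded build is a useful (if weaker)
    # signal that this is a vendor upgrade rather than a replaced binary.
    $sameSigner = $known | Where-Object {
        $_.Thumbprint -and $_.Thumbprint -eq $Current.Thumbprint
    }

    $known += $Current
    $known | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $InventoryPath -Encoding UTF8

    [pscustomobject]@{
        Status             = if ($sameSigner) { 'NewBuild-SameSigner' } else { 'NewBuild-UnknownSigner' }
        NeedsAuthorization = $true
        Info               = $Current
    }
}

$info   = Get-BinaryTrustInfo -Path $Binary
$result = Compare-BinaryInventory -Current $info -InventoryPath $Inventory
$result | Format-List
```

Run it after each Commvault update (or on a schedule on the media agent): a result of NewBuild-UnknownSigner, or a SignatureStatus other than Valid, is the case where you would want to send the sample to Sophos rather than authorize it straight away, which is exactly the per-build check the support answer leaves to the admin.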