
W32/AutoRun-BSY identified on wrong workstation on Enterprise Console

For a while now we have had the threat W32/AutoRun-BSY showing up on our console, but it has always been identified on the wrong workstation by the console. The last time, to find the affected workstation we had to log on to all our workstations and interrogate Sophos.

Is there an easier way to find out what workstation that is affected?

Thanks



  • Hello oxo,

    it has always been identified as the wrong workstation

    if you View Computer Details of the "wrong" workstation - are there any User or Username fields which perhaps mention another workstation? Have your workstations been cloned from an image which already had Sophos installed? And do you see all your machines with Sophos in the console, or did you ever have the impression that a workstation changes its name? It sounds like several endpoints appearing to SEC as the same.

    Christian 

  • Hi Christian

    The W32/AutoRun-BSY appears under "Outstanding alerts and errors" requesting a restart. "Latest application control events" and "Latest web events" are the events of the identified workstation.

    The workstations are cloned with the OS, but Sophos is installed individually. The workstations are identified individually on Enterprise Console as individual workstations.

    This threat appeared on one workstation this morning, which I checked locally. It has now appeared on another workstation? It usually selects a workstation that is on?

    hope this helps   

  • Hello oxo,

    thanks for the details.

    "Outstanding alerts and errors" requesting a restart

    This is the result of an almost complete and in principle successful cleanup, but nevertheless a reboot should be performed at the earliest convenience. I don't know the details of the threat, but its name suggests you can expect it to be found (also) on removable media. An appearance on another workstation is likely a detection in its own right. I don't quite understand the wrong workstation part though - what made you think the workstation for which it was reported is not affected?

    I'd suggest running the Alert and event history report - please note that you can select a specific threat to report on via Properties..., tab Configuration, using the Advanced... button (bottom right). This will show you all the alerts and the subsequent actions. You should also take a look at the locations of the detections - whether on removable media or perhaps in a user's profile. This should help you to figure out the source of the malware.

    Christian

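The report step Christian describes above, worked through as an added example (not part of the original thread and not Sophos code): the script below takes an export of per-detection rows and does the grouping and location check by hand, so that one pass over the report shows which computers reported the threat, whether a restart is still pending, and whether every detection sat on a non-system drive (removable media) or inside a user profile. The sample rows, the column names and the action strings are constructed for illustration; SEC's actual export schema is not shown on this page.

```python
import csv
import io
import re

# Constructed sample export. Column names, computer names and the action
# strings are assumptions for this example, not the real SEC report format.
SAMPLE_REPORT = """\
Time,Computer,Threat,Location,Action
2012-05-14 08:12:03,WS-ACCOUNTS-03,W32/AutoRun-BSY,E:\\autorun.inf,Cleanup requires restart
2012-05-14 08:12:04,WS-ACCOUNTS-03,W32/AutoRun-BSY,E:\\setup.exe,Cleaned up
2012-05-14 09:40:21,WS-SALES-11,W32/AutoRun-BSY,F:\\autorun.inf,Cleanup requires restart
2012-05-15 07:55:10,WS-RECEPTION-01,W32/AutoRun-BSY,G:\\autorun.inf,Cleaned up
2012-05-15 10:02:44,WS-SALES-11,Mal/Generic-S,C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.exe,Cleaned up
"""

REMOVABLE = "non-system drive (likely removable)"
PROFILE = "user profile"
SYSTEM = "system"

# Profile roots on the system drive (Vista+ and XP-era layouts).
USER_PROFILE = re.compile(r"^C:\\(Users|Documents and Settings)\\", re.IGNORECASE)


def classify_location(path):
    """Bucket a detection path by where on the machine it was found."""
    has_drive = len(path) >= 3 and path[1] == ":" and path[2] == "\\"
    if has_drive and path[0].upper() != "C":
        # Anything not on C: is treated as a non-system drive; in the thread's
        # case these were pen drives.  A second fixed disk would land here too.
        return REMOVABLE
    if USER_PROFILE.match(path):
        return PROFILE
    return SYSTEM


def summarise(report_text, threat=None):
    """Group report rows per computer; optionally restrict to one threat name."""
    summary = {}
    for row in csv.DictReader(io.StringIO(report_text)):
        if threat is not None and row["Threat"] != threat:
            continue
        entry = summary.setdefault(row["Computer"], {
            "detections": 0,
            "locations": {},
            "needs_restart": False,
            "first_seen": row["Time"],
            "last_seen": row["Time"],
        })
        entry["detections"] += 1
        kind = classify_location(row["Location"])
        entry["locations"][kind] = entry["locations"].get(kind, 0) + 1
        # "requires restart" means cleanup finished but the reboot is outstanding.
        if "restart" in row["Action"].lower():
            entry["needs_restart"] = True
        entry["first_seen"] = min(entry["first_seen"], row["Time"])
        entry["last_seen"] = max(entry["last_seen"], row["Time"])
    return summary


def likely_carriers(summary):
    """Computers whose detections were all on non-system drives: the machines
    a shared pen drive has been plugged into, not machines infected on C:."""
    return sorted(name for name, e in summary.items()
                  if set(e["locations"]) == {REMOVABLE})


if __name__ == "__main__":
    per_computer = summarise(SAMPLE_REPORT, threat="W32/AutoRun-BSY")
    for name, e in sorted(per_computer.items()):
        print(name, e["detections"], e["locations"],
              "restart pending" if e["needs_restart"] else "", e["first_seen"], e["last_seen"])
    print("only seen on removable media:", likely_carriers(per_computer))
```

Filtering on the threat name first mirrors the Advanced... selection in the report properties; dropping the filter shows everything, which is how the user-profile detection on WS-SALES-11 shows up separately from the pen-drive ones.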
  • Thanks Christian

    I ran the report and found that it had been detected on three workstations. Strangely, not the workstation we found it on previously. I do think it has been passed about by pen drive. I have never seen it detected on drive C:. No sign of any user being identified.

    What was strange this morning was that it appeared on a newly built computer (awaiting a restart), with a date of detection before the rebuild?

  • Hello oxo,

    a date of  detection before the rebuild?

    It could be that the endpoint was matched to an existing one. Likely, if you view the Computer Details, it has a history reaching back before the install. There are two main scenarios:

    1. the computer has the same machine_ID as an existing one - not impossible but pretty improbable unless an existing installation is cloned. The machine_ID helps to correctly identify an endpoint which has been renamed or changed domain/workgroup membership
    2. the computer has the same name, workgroup and OS as an existing one. In this case the folding logic assumes it is a known computer which has been reprotected. Note that the existing computer could have been deleted (and thus was no longer displayed in the console).

    Christian

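The two folding scenarios in the post above, as an added example (not part of the thread and not Sophos's implementation): a small model of a console that first matches an incoming endpoint on machine_ID and only then on name, workgroup and OS, including records that were deleted from the view. Run against two constructed situations, it reproduces both symptoms reported in the thread: a rebuilt machine inherits the old record's history (so a detection date precedes the rebuild), and two machines imaged from an installation that already carried a machine_ID collapse into one record that keeps changing its name. Computer names, machine_IDs and dates are made up for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    machine_id: str
    name: str
    workgroup: str
    os: str
    history: list = field(default_factory=list)   # (date, text) alert history
    deleted: bool = False                          # hidden from the console view, record kept


class ConsoleModel:
    """Toy model of the folding rules described in the post; not SEC's code."""

    def __init__(self):
        self.endpoints = []

    def visible(self):
        return [e for e in self.endpoints if not e.deleted]

    def delete(self, name):
        # Deleting in the console hides the record; the model keeps it so that
        # rule 2 below can still match it, as the post says can happen.
        for e in self.endpoints:
            if e.name == name:
                e.deleted = True

    def register(self, machine_id, name, workgroup, os):
        """Return (record, how_matched) for an endpoint reporting in."""
        # Rule 1: same machine_ID as a known record. The record is updated to
        # the reported name/workgroup, which is what makes a renamed or
        # re-domained endpoint stay the same computer in the console.
        for e in self.endpoints:
            if e.machine_id == machine_id:
                e.name, e.workgroup, e.os, e.deleted = name, workgroup, os, False
                return e, "machine_id"
        # Rule 2: same name, workgroup and OS, even if the record was deleted:
        # treated as a known computer that has been reprotected.
        for e in self.endpoints:
            if (e.name.casefold(), e.workgroup.casefold(), e.os) == \
               (name.casefold(), workgroup.casefold(), os):
                e.machine_id, e.deleted = machine_id, False
                return e, "name_workgroup_os"
        e = Endpoint(machine_id, name, workgroup, os)
        self.endpoints.append(e)
        return e, "new"

    def report(self, machine_id, name, workgroup, os, date, text):
        e, how = self.register(machine_id, name, workgroup, os)
        e.history.append((date, text))
        return e, how


def rebuild_scenario():
    """Scenario 2: the rebuilt box gets a fresh machine_ID from the new Sophos
    install but keeps its name, so it folds onto the old (deleted) record."""
    c = ConsoleModel()
    c.report("id-AAA", "WS-SALES-11", "OFFICE", "Windows 7",
             "2012-05-14", "W32/AutoRun-BSY on F:\\ - restart required")
    c.delete("WS-SALES-11")
    ep, how = c.report("id-BBB", "WS-SALES-11", "OFFICE", "Windows 7",
                       "2012-05-16", "protected after rebuild")
    return how, [d for d, _ in ep.history], len(c.visible())


def clone_scenario():
    """Scenario 1: a second box imaged from an installation that already had
    Sophos carries the same machine_ID, so both boxes share one record."""
    c = ConsoleModel()
    c.report("id-CLONE", "WS-ACCOUNTS-03", "OFFICE", "Windows 7",
             "2012-05-14", "protected")
    ep, how = c.report("id-CLONE", "WS-ACCOUNTS-04", "OFFICE", "Windows 7",
                       "2012-05-15", "W32/AutoRun-BSY on E:\\")
    return how, ep.name, len(c.visible())


if __name__ == "__main__":
    print("rebuild:", rebuild_scenario())   # history starts before the rebuild
    print("clone:  ", clone_scenario())     # one record, now named after the clone
```

The clone case is the one to check first when an alert seems to land on the wrong workstation: a single record whose name flips between two machines, and whose alerts are really a merge of both, looks exactly like a misattributed detection in the console.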