
W32/AutoRun-BSY identified on wrong workstation on Enterprise Console

For a while now we have had the threat W32/AutoRun-BSY showing up on our console, but it has always been identified as the wrong workstation by the console. The last time, to find the affected workstation we had to log on to all our workstations and interrogate Sophos.

Is there an easier way to find out which workstation is affected?

Thanks

:49308


  • Hello oxo,

    a date of detection before the rebuild?

    could be that the endpoint was matched to an existing one. Likely if you view the Computer Details it has a history reaching back before the install. There are two main scenarios:

    1. the computer has the same machine_ID as an existing one - not impossible but pretty improbable unless an existing installation is cloned. The machine_ID helps to correctly identify an endpoint which has been renamed or changed domain/workgroup membership
    2. the computer has the same name, workgroup and OS as an existing one. In this case the folding logic assumes it is a known computer which has been reprotected. Note that the existing computer could have been deleted (and thus was no longer displayed in the console) 

    Christian

    :49324