
Mal/Generic-S alert on Sophos Enterprise Console

Hi there,

This is my first post :).

I would like to say hello to everyone, and thanks for any help in advance!

Anyway, I work in a school of around 700 computers. Slowly, 1 by 1, they are starting to show up in the Enterprise Console as having a Virus on them.

When I check, it is a Sophos update file (this seems to be much like the problem back in Sept 2012).

It is in the following location:

C:\System Volume Information\_restore{***random numbers/letters***}\RP310(***this changes as well***)\A0418322.exe (Again, the file name can change as well lol).

Anyway, I have looked at the file, and it is a Sophos file, presumably for the updates (quite new to Sophos, I used to use another product in my old job, only started here recently lol).

I was wondering what I can do to stop it being quarantined and showing up on the list? So far it has been quarantined on around 50 computers.

Is anyone else having the same problem?

I hope this all makes sense!!!

Looking forward to hearing some feedback :).

Phil

  • Hello and welcome, Phil

    that it (whatever it is) is found in a restore point usually indicates that there was a preceding detection in some regular location which has been dealt with. Thus you should search the computer details or the Anti-Virus logs (SAV.txt) on the client for Mal/Generic-S, which should tell you what and where the original file has been. Short explanation (for details please see System Restore on Wikipedia): A potential threat has been removed and Windows, upon detecting the file was gone, attempted to restore it; the attempt was intercepted, the detection triggered and the restore blocked (BTW: Mal/Generic-S uses Live Protection if enabled; the results - including the subsequent action - depend also on the circumstances of the detection).

    it is a Sophos update file

    Why do you think it is a Sophos update file, do you have the details (name, version ...)?

    BTW: RP310 is an arbitrary name as well :smileywink:

    So, the important step is to identify the original detection. Only with this information it makes sense to suggest further steps.

    Christian

  • Hi Christian,

    Thanks for your reply.

    Yeah, I understand the logic of it being in a restore point, but it doesn't make sense to suddenly show up today, and never before?

    I have recently installed Windows Updates, and I'm pretty sure the computers create a restore point when they install, but I can't see that being the reason... but still, I could be wrong.

    As to thinking it's a Sophos file; that's because I see it has the same naming system as other Sophos files (See picture).

    BUT, on looking at its properties for about the 10th time, it finally came up with an icon for the file, that weird "7" which you can see in the picture. This makes me believe that maybe it isn't actually a Sophos file, but a genuine virus which has managed to get in, but luckily is being blocked.

    Let me know what you think :)

    The picture is on a test virtual machine which can access the domain. It is running XP SP3. Half of the school is XP SP3, the other is W7 SP1.

  • Hello Phil,

    right, the bunch around the suspicious item is definitely Sophos (SAV as far as I can see). The icon is definitely something else (and you won't see a Sophos file with a Modified date that old).

    Did you have to turn off on-access checking to access the file or can you now access it "freely" (if you have Live Protection with sending samples enabled it might have been processed and classified in the meantime)? I suggest you pack it up and submit it to Support though to make sure about its nature.

    Christian

  • Hi Christian,

    I have done nothing to it so far. I didn't turn off anything. I just went to the file and looked at it, as you can see. I am able to copy and paste it as well...etc.

    I have not run it of course, but it seems like I would be able to if I wanted.

    I will submit it though. I presume that the best thing might just be to "clean" the item as they come in? Sophos is catching them and putting them in quarantine.

    Regards,

    Phil

  • Hello Phil,

    that you can view the properties and copy it suggests that it is now considered clean - therefore it (assuming an identical copy) won't be "caught" and quarantined in the future.

    Christian

  • Hi Christian,

    Thanks for that. What I will do is when the school day is over, I will run a "Clean Up" on them.

    I have found that the icon belongs to a program we have here for Math which is called Bounce Back. Not really sure why it's suddenly picked it up.

    When I look at the local drives, the file in question does not exist (looked on both a machine which has been "infected" and one which has not)... Strange.

    Never mind. Thanks a lot for your help :).

    Phil

  • Hello Phil,

    the file in question does not exist (looked on both a machine which has been "infected" and not "infected")

    I can imagine the following: An updated detection identity (IDE) caused the file to be identified as very likely malicious on all (or many) machines and subsequently removed (in my experience Mal/Generic-S could sometimes "misjudge" and subsequently clean - i.e. most of the time delete - legitimate but uncommon files). Not much later (perhaps with the help of Live Protection, perhaps due to samples sent) the files have been vindicated. For those clients which have accessed the RP in the meantime you got the additional detection, for others not.

    Christian

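Christian's advice in this thread is to find the original (non-restore-point) detection per client before deciding on clean-up, and his last reply explains why some clients show only the restore-point hit. The triage routine below is an added example, not code from the thread or from Sophos: it takes constructed detection records (the tuple format and the log lines are invented for this example, not the SAV.txt format), separates hits under `System Volume Information\_restore{...}\RP###\` from detections in regular locations, and lists the hosts that still need the original detection looked up.

```python
import re
from collections import defaultdict

# Constructed sample records: (host, timestamp, threat, path). Host names, the
# GUID placeholder and the "original" path are invented for this example.
SAMPLE_DETECTIONS = [
    ("LAB-PC01", "2013-04-15 09:02:11", "Mal/Generic-S",
     r"C:\Program Files\SomeMathApp\app.exe"),
    ("LAB-PC01", "2013-04-15 09:40:52", "Mal/Generic-S",
     r"C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP310\A0418322.exe"),
    ("LAB-PC02", "2013-04-15 10:15:03", "Mal/Generic-S",
     r"C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP312\A0418399.exe"),
]

# Matches the restore-point copy layout seen in the thread: a GUID-named
# _restore folder, an RP<number> folder and an A<digits>.<ext> file name.
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]*\}\\RP(\d+)\\(A\d+\.\w+)$",
    re.IGNORECASE,
)


def is_restore_point_copy(path):
    """True if the detection path is a System Restore copy, not a live file."""
    return RESTORE_POINT_RE.search(path) is not None


def triage(records):
    """Per host: the earliest detection in a regular location (if any) and
    every restore-point copy, processed in timestamp order."""
    by_host = defaultdict(lambda: {"original": None, "restore_copies": []})
    for host, ts, threat, path in sorted(records, key=lambda r: r[1]):
        entry = by_host[host]
        if is_restore_point_copy(path):
            entry["restore_copies"].append(path)
        elif entry["original"] is None:
            entry["original"] = (ts, threat, path)
    return dict(by_host)


def needs_followup(summary):
    """Hosts whose only hit is a restore-point copy: the original detection
    must be found in the client's own logs before deciding on clean-up."""
    return sorted(h for h, e in summary.items()
                  if e["restore_copies"] and e["original"] is None)


if __name__ == "__main__":
    result = triage(SAMPLE_DETECTIONS)
    for host, entry in result.items():
        print(host, "original:", entry["original"], "RP copies:", len(entry["restore_copies"]))
    print("check client logs on:", needs_followup(result))
```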