
Sophos doesn't move malware/virus

Hello,

I have a problem with Sophos Endpoint Security & Control managed over the Sophos Enterprise Console. I set the policy so that if a virus gets detected, Sophos should deny access and move it to the default location C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED

But if a virus/malware appears, Sophos only denies access and doesn't move the file into the target folder. However, the virus appears in the quarantine manager and is still in the source directory, e.g. C:\Users\test\Desktop, but won't appear in C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED

I think it's a Sophos Client problem; the policy is transmitted successfully, because in the client options all the right settings are set.

The Sav log file only says that Sophos denied access, but nothing about moving the file to the infected folder.

Tested on Windows 7 and Windows Server 2008 R2, Sophos Client Version 10.2.

Best Regards and thanks in advance!

  • Hello Nordfol,

    you did uncheck the Automatically clean up, didn't you, and we're talking about on-access scanning?

    If move fails for whatever reason this should be logged locally as well as with the console. How did you notice this - did you run some tests or because SEC showed alerts?

    Christian

  • Yes, the Automatically clean up box is unchecked and I mean on-access scanning.

    I tested it with the test virus from Sophos (SAVTEST.EXE) and with PsExec.exe (false alarm, but Sophos recognizes it as malware). I tested it by moving the files to another place locally on the machine. Also I checked this log file: C:\ProgramData\Sophos\Sophos Anti-Virus\logs\SAV.txt

    On SEC I didn't find a log that said something went wrong. On the dashboard there's just the warning that a virus was found on a managed machine, but no errors.

    Do you have any idea where I can find more specific logs, locally or on SEC? Locally I also set the log level to the maximum.

  • Hello Nordfol,

    it works here (I know, this is a much hated answer ;)). SAVTEST attempts to write to the root of the drive; with the standard security settings you have to run as administrator. With on-access scanning on, the file is correctly moved. When it is turned off, SAVTEST complains.

    There's one twist - if you copy the file as administrator to a protected location (e.g. C:\) while on-access scanning is off. After turning it on again the "threat" is detected but the move fails (as it would require confirmation) - you should see this both in SAV.txt (The attempt to move the infected file "C:\eicar.com" failed. The user does not have the rights to perform the action on the infected file.) and in SEC (under Alert and Error Details - Scanning errors).

    That's how it's supposed to work - if it doesn't, hmm ...

    Christian

  • Hi QC,

    I reproduced my problem today with the new 10.3 version. I noticed a strange behaviour: the already mentioned PsExec.exe is marked as Adware/PUA and shows up in the Sophos quarantine manager but does not get moved into the infected folder. Some other malware (tested with some suspicious files) gets marked as Virus/Spyware and does get moved into the infected folder, but will not appear in the Sophos quarantine manager.

    Maybe you have a clue what the problem can be.

    P.S. Yes I did mark the option "show all objects" in the quarantine manager ;)

    Thanks again!

  • Hello Nordfol,

    sounds like it is working as designed. A moved threat is considered as being successfully dealt with and therefore doesn't show up. Instead of referring you to the help and docs I'll quote the relevant chapter of the Help:


    About Quarantine manager

    Quarantine manager enables you to deal with the items found by scanning that were not eliminated automatically during scanning. Each item is here for one of the following reasons.

    • No cleanup options (clean up, delete, move) were chosen for the type of scan that found the item.
    • A cleanup option was chosen for the type of scan that found the item but the option failed.
    • The item is multiply-infected and still contains additional threats.
    • The threat has only been partially detected, and a full computer scan is needed to fully detect it. To find out how to do this, refer to Run a full computer scan
    • The item exhibits suspicious behavior.
    • The item is a controlled application.
    Note: Adware, PUAs, and multi-component infections detected during on-access scanning are always listed in Quarantine manager. Automatic cleanup of adware, PUAs, and multi-component infections is not available for on-access scanning.

    A cleanup option may have failed because of insufficient access rights. If you have greater rights, you can use Quarantine manager to deal with the item(s).

    Threats that are detected during web page scanning are not listed in Quarantine manager because the threats are not downloaded to your computer. Therefore, there is no need to take any action.


    Christian

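To make the two behaviours discussed in this thread visible side by side (the "attempt to move ... failed" entry in SAV.txt from the earlier reply, and the Quarantine manager rules quoted above), here is an added example that is not part of the thread or of any Sophos tool: a small Python triage script over constructed SAV.txt-style lines. The line layout, the "has been moved to" wording and the timestamps are assumptions; only the failed-move message is quoted from the thread.

```python
import re

# Constructed SAV.txt-style excerpt. The line layout is an assumption; only the
# "attempt to move ... failed" wording is quoted from the thread above.
SAMPLE_LOG = """\
20130312 101501 File "C:\\Users\\test\\Desktop\\savtest.exe" belongs to virus/spyware 'EICAR-AV-Test'. Access denied.
20130312 101501 Infected file "C:\\Users\\test\\Desktop\\savtest.exe" has been moved to "C:\\ProgramData\\Sophos\\Sophos Anti-Virus\\INFECTED\\savtest.exe".
20130312 102210 File "C:\\eicar.com" belongs to virus/spyware 'EICAR-AV-Test'. Access denied.
20130312 102210 The attempt to move the infected file "C:\\eicar.com" failed. The user does not have the rights to perform the action on the infected file.
20130312 103005 File "C:\\Users\\test\\Desktop\\PsExec.exe" belongs to adware/PUA 'PsExec'. Access denied.
"""

DETECT_RE = re.compile(r"File \"(?P<path>[^\"]+)\" belongs to (?P<kind>virus/spyware|adware/PUA) '(?P<name>[^']+)'")
MOVED_RE = re.compile(r'Infected file "(?P<path>[^"]+)" has been moved to "(?P<dest>[^"]+)"')
FAILED_RE = re.compile(r'The attempt to move the infected file "(?P<path>[^"]+)" failed')


def _entry(items, path):
    # Default outcome is "denied_only": access was denied and nothing else was logged.
    return items.setdefault(path, {"kind": "?", "name": "?", "outcome": "denied_only", "dest": None})


def triage(log_text):
    """Group the SAV.txt events by file path and record the final outcome per file."""
    items = {}
    for line in log_text.splitlines():
        if m := DETECT_RE.search(line):
            e = _entry(items, m["path"])
            e["kind"], e["name"] = m["kind"], m["name"]
        elif m := MOVED_RE.search(line):
            e = _entry(items, m["path"])
            e["outcome"], e["dest"] = "moved", m["dest"]
        elif m := FAILED_RE.search(line):
            _entry(items, m["path"])["outcome"] = "move_failed"
    return items


def explain(item):
    """Say where the file is now and whether to expect it in Quarantine manager (QM)."""
    if item["outcome"] == "moved":
        return f"moved to {item['dest']}; treated as dealt with, so not listed in QM"
    if item["outcome"] == "move_failed":
        return "still at source: move failed (insufficient rights); listed in QM, handle it there"
    if item["kind"] == "adware/PUA":
        return "still at source: on-access never cleans adware/PUA; listed in QM by design"
    return "still at source: access denied but no move logged; check the on-access cleanup policy on the client"


if __name__ == "__main__":
    for path, item in triage(SAMPLE_LOG).items():
        print(f"{path}: {item['kind']} '{item['name']}' -> {explain(item)}")
```

The last branch of explain() is the symptom the original post describes: a virus/spyware detection with an access-denied entry but no move entry at all.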
  • Thanks again for your quick help. Now the whole process is comprehensible to me. Although it is a bit strange that you have to move a falsely detected file out of the infected folder manually by checking the logs for where the original file path was. In my humble opinion, using the quarantine manager also for viruses would be way more efficient.

  • Hello Nordfol,

    move is not the recommended (alternate) action for regular operation; it's intended to be used in special circumstances only.

    using the quarantine manager also for viruses

    What exactly should QM enable you to do? With the recommended Deny access only option any threat which can't or couldn't be cleaned up automatically ends up in QM. 

    Christian
