encrypted or compressed file

I have run several full scans on a machine that generated some PUA warnings, and the only items remaining that appear in the report are 117 encrypted or compressed items.  What does that mean?  Are they possible threats that can't be scanned by Sophos?  I have used Malwarebytes to see if that count can be lowered, but no luck.

This client is a fully-updated Win7 desktop, running Endpoint Control 10.3, also fully updated.

Thanks for any advice!

:54809


This thread was automatically locked due to age.
  • Hello chipHDMA,

    it's not unusual that some encrypted files (e.g. password protected archives or office documents) are encountered. Their names should give you an idea what they could be. I'm not sure about compressed though - could you post some of these errors?

    The purpose of encryption is to hide the contents unless the correct password is provided. Whatever scanner you use will face the same challenge - thus the only way for a scanner to lower the encrypted count would be to quietly skip those files. Naturally they could contain a threat but then the files would have to be decrypted first - usually to a temporary file which is read back at which point the decrypted contents will be scanned by on-access scanning.

    Christian

    :54811
  • How do I see the file names of the encrypted files? We haven't seen any error messages - the scan seems to run fine and concludes with the report - 246K items scanned, 117 encrypted or compressed items, 0 for everything else.

    :54847
  • Hello chipHDMA,

    there's a More >>> button which will give you a more detailed list of the events. Messages from the scan are written to the Anti-virus and HIPS log (accessible from the GUI) and, in case it's a named scan, the scan's distinct log - both in %ProgramData%\Sophos\Sophos Anti-Virus\logs and named SAV.txt and scanname.txt respectively (note the latter is overwritten by the next execution).

    Christian

    :54849
  • Thanks for the help!  Found all sorts of candidates to be deleted.

    :54865
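
Once the file names are known from the log, a quick way to confirm why a scanner counted an archive as encrypted is to read its entry flags. The following is an added example, not part of the original thread and not Sophos code; it covers ZIP archives only (not Office documents or other formats), and the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x1       # ZIP general-purpose flag bit 0: entry is encrypted
CD_SIG = b"PK\x01\x02"     # central directory file header signature

def encrypted_entries(data: bytes) -> list[str]:
    """Names of entries that cannot be inspected without the password."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]

def classify(data: bytes) -> str:
    """Triage one file: 'not-zip', 'corrupt', 'encrypted' or 'scannable'."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip"
    try:
        locked = encrypted_entries(data)
    except zipfile.BadZipFile:
        return "corrupt"
    return "encrypted" if locked else "scannable"

def build_sample(lock: set[str]) -> bytes:
    """Constructed sample: a two-entry archive; entries named in `lock` get
    the encrypted flag set in the central directory (contents are untouched,
    only the metadata a scanner checks first is changed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "plain text")
        zf.writestr("payroll.xlsx", "placeholder bytes")
    raw = bytearray(buf.getvalue())
    pos = raw.find(CD_SIG)
    while pos != -1:
        (name_len,) = struct.unpack_from("<H", raw, pos + 28)
        name = raw[pos + 46 : pos + 46 + name_len].decode()
        if name in lock:
            (flags,) = struct.unpack_from("<H", raw, pos + 8)
            struct.pack_into("<H", raw, pos + 8, flags | ENCRYPTED_FLAG)
        pos = raw.find(CD_SIG, pos + 46)
    return bytes(raw)

if __name__ == "__main__":
    sample = build_sample({"payroll.xlsx"})
    print(classify(sample), encrypted_entries(sample))
```

To triage real files, pass each file's bytes to `classify` and review the ones reported as `encrypted` by name and origin.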